Perhaps the biggest problem facing users of IDSes/IPSes is the onslaught of false positive alerts they can generate when not properly configured, tuned and maintained. Let's face it, if you take an IDS off the shelf and plug it into a network of any significant size, you'll be quickly overwhelmed by hundreds (if not thousands) of alerts -- many of which may be meaningless in your environment. It's important that IDS/IPS administrators take time to tune their system well. Here are some things you should do:
- Administer systems properly. When using an IDS/IPS that depends upon anomaly detection, ensure that the system has a reasonable definition of what's "normal" in order to help it effectively detect what's "abnormal." Therefore, also make sure the system runs in training mode during periods of routine network/system utilization. If the computing environment has different patterns of activity (say, a peak sales season and year-end accounting activity), ensure the training period covers each of those and use multiple training periods if necessary.
- Tune out irrelevant alerts. Many security products provide fantastic detail on the alerts they generate. Unfortunately, much of that detail is irrelevant for a large number of networks. Be sure to tune the alerts so they reflect the "ground truth" of your network. For example, if it's not running any instances of Microsoft SQL Server, the IDS/IPS shouldn't be monitoring for SQL Server exploits -- that's just asking for false positives!
- Learn from past mistakes. Every system is going to generate false positive alerts. That's just a fact of life with today's security tools. There is, however, a silver lining if you take the time to analyze the false positives generated by your system and use the results of that analysis to retune the system. For example, if a system constantly generates IDS alerts based upon legitimate file sharing activity between two known hosts, consider excluding those communications from the rule that triggers the false positive alerts. Simple changes like these will make life as an administrator much more pleasant in the long run!
There's another problem inherent in accumulating these massive quantities of data – someone needs to analyze it! If reviewing log files is part your job, a log analysis tool can easily save time and increase the effectiveness of your analyses. Look for a tool that churns through almost any kind of log file and produces easy-to-read reports that help identify and investigate anomalies quickly. It should parse the audit trails of firewalls, network devices, operating systems, Web servers, intrusion detection/prevention systems and much more.
Security monitoring isn't easy work -- that's for sure! However, careful tuning of your systems combined with strong policy and analysis tools can save a great deal of headaches down the road!
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This article originally appeared on SearchSecurity.com.
This was first published in August 2005