It’s all very well installing Intrusion Detection and Prevention systems on your network to tell you who’s trying to do what on your network and to your servers, but when they generate so many alerts you can’t keep up, what do you do?
Many IDSs take action to block the offending traffic. But they’ll then log that, so you know what’s going on. They’ll also log all suspicious traffic, whether they actually do anything or not, and some will just log it.
The result is you end up with massive logs of information that are so off-putting you probably won’t bother looking at them, and so will miss out on vital warnings. Or you’ll try to investigate them all, and spend valuable time chasing up a problem that turns out not to be an issue at all.
Say, for example, a hacker has managed to breach your defences and is attempting to compromise the devices on a particular subnet with a Windows-specific attack. Do you really care about the attacks on your Unix servers? Or how about the Windows ones that have already been patched against just that sort of attack? But you do want to be warned — and quickly — about the attacks on the servers that are vulnerable. Tracking down a generic ‘server attack’ alert, just to find out that the device in question wasn’t in danger in the first place, is frustrating and wastes time you need to deal with real dangers.
Similarly, if you have multiple security devices, all reporting the same issue, you don’t want to trawl through multiple alarms to find a common link. What you need is a security management system that correlates security information and uses a bit of intelligence about your environment to minimise the false positives - the alarms that aren’t really alarming at all.
Various companies have come up with answers to this issue. Cisco recently announced its ‘Threat Response’ software in conjunction with its CiscoWorks VLAN & Security Management Solution, which is used with its Network IDS probes to minimise false positives. It investigates end devices under threat, relates that information to the type of threat, and downgrades alarms that don’t apply to your environment. It’s not a correlation engine; for that you need something beefier such as a security information management solution (SIMS), actually a product from netForensics.
ISS RealSecure SiteProtector or Network Associates McAfee Intrushield, amongst others, also offer event prioritisation and event correlation to highlight what’s most important, to you, downgrading the irrelevant threats.
The concept behind all of these is good enough. Nowadays, hacking requires less skill. But this means that the number of attacks on networks is growing, while the risk of any one these succeeding is decreasing as the more opportune hackers simply throw generic attacks against a network at random. Consequently, there is more dross to filter out of your event viewers.
Unfortunately, none of these packages are straightforward to use. Buying them is going to be the least of your expense. All need to be tuned, configured and generally tweaked with to make sure they work in a particular environment. Most will involve a baselining period, where they are run with minimal correlation turned on, gradually tying them down more tightly over time. Do that too soon or too aggressively and you may find you’re hiding the important alarms as well as the irrelevancies.
It’s no longer enough to ask your security provider if they provide logging of alarms. You need to find out what levels of tuning they support — and how much extra hardware you need to run these packages on — to make them in any way useful. And be sure to budget for extensive installation and configuration costs.