Painpi!! #34 Intrusion Detection hidden business cost ......

What is ?The Pain Pill? ?

Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts. A related reading is posted to expandingsecurity.com

Commercial- We have online classes for CISSP and CEH. Come to one free to see if we have what it takes to make you happy.

This post and the video is located?here.

Intrusion Detection Systems

Intrusion detection systems (IDS) are focused on identifying possible incidents, logging information about them, and reporting intrusion attempts. Before you can make these tools work for your organization, you have homework to do.?You need to define your security policy, detailing what is acceptable and unacceptable behavior. Then you need to tune the technical tool to listen for these unacceptable behaviors.

I ask you; ?Does your security policy ever change?

IDS comes in all forms: user activity monitoring, host activity, and network activity. All those systems get rolled up in a security dashboard.

Let?s focus on what most people think of as IDS. ?IDS conjures up thoughts of a box that listens or sniffs the packets on your network. The problem with the packet tool is this: you get all the preprogrammed definitions or rules of ?BAD / UNACCEPTABLE, but until you compare this with your business activities, you don?t know if it fits your security policy. A classic example is the ?naked lady rules.? (I can?t say the other word or your email monitor will catch it.) We cannot use these rules in crime units that investigate these activities. If you are not in the ?normal? business, you cannot use the ?normal? rules.

False positive cost

What many people do is slap these new definitions in the IDS and BOOM! False positives overwhelm the help-desk, network and security teams. That has a cost to the business. Over time, this wears on everyone involved. People become desensitized. ?Or we get fed up and rely on what are defined as a ?really bad? packet rule and skip all the analyses. ?All the analyses?that could really do our environment some good.

Normal cost and analysis

If you program the IDS correctly, it logs and alerts on?evil traffic. You end up with a list that must be reviewed by a human. Most evil traffic can then be clearly classified as something that you should be blocking with a firewall or another preventive device. Then there is the traffic that requires detective work. This work is not sexy or fun. This work takes a long time to research, track down, and validate. Most of the time other priorities push this to the Friday, Saturday or the Someday list. The best we can hope for is building a definition for that activity, looking for it to happen again in our next log.

More cost?

Another business problem is expectation of response time. In this day of CSI, NCIS, and Leverage type television shows, the expectation is a packet pops up on a screen and the guru knows exactly the attack and pushes the bad guy out of the system with a keystroke. The organization is expecting those 30 minute closures.?Sorry, some events may take weeks or months to trace back to the root cause. ?Typically the job of analysis is only part of someone?s normal duties. That event that was logged at 5 PM on Friday might not get any attention until Monday 8 AM.?More immediate results require more staff, more money. Real-time results cost more than you can afford.

What can we do to make it better for us, for you?

I think you should continually reset expectations and capabilities of your people, processes, and technologies with respect to IDS. With every new upgrade comes a learning curve and a feature set. With every new type of attack your research time is extended.

Policy:

• Define the frequency of realignment between security policy and the IDS
• Define monitoring hours and response time expectations

Action items:

• Track and estimate processing time for alerts ? know how long it takes to do the job over many events.
• How often do your vendors update the definition files for your IDS?
• How often do you review the details of the definition files?

Don?t know how to do these activities? Come to our free class! Friday 2011-09-30
12:30:00 Central?CISSP: Operations Security IDS & IPS

Click?here

Or bit.ly/painpill34

Source: http://www.expandingsecurity.com/2011/09/painpi-34-intrusion-detection-hidden-business-cost/

how monterrey monterrey seroquel you tube video ent generator