IDS: Re: Tuning false positives - SIM is not the answer

[Stefano Zanero <zanero () elet polimi it>]

Gary Halleen (ghalleen) wrote:

> Consider the case of a firewall generating many millions of events per
> day, as well as an IDS sitting outside the firewall, which is also
> probably generating hundreds of thousands, or millions of events.  
Then a zero-cost, security-effective, positive-reducing move is place
the IDS inside the network, which is arguably the place where you want it :)

> A topology-aware
> SIM uses those IDS events to classify the traffic that both passes and
> is blocked by the firewall.
Standard IDS placement rules do the same thing, in a much more
cost-effective manner.

> You can use the same capabilities to see that web-based attacks are not
> actually causing damage to the target host by monitoring things like the
> web server's logs, antivirus, host IDS, or system/security logs. 
This is exactly what any SIM is supposed to do, right ?

> often it makes more sense to tune all security devices centrally, at the
> SIM, rather than at each security device.
Unluckily, this rather supposes a single-vendor approach, which is not
the situation most organizations are in :)

> Integration with vulnerability assessment systems increases the
> intelligence a good SIM has. 
With caveats (look in the list archives)

Best,
Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------