Intrusion Detection Systems mailing list archives

Re: Real Traffic (was Re: BlackICE IDS)


From: rgula () network-defense com (Ron Gula)
Date: Tue, 07 Dec 1999 09:08:09 -0800



It seems like a pretty obvious thing, but I don't recall seeing anything
on this list recently about it (which is not to say that it hasn't floated
by... ;), but has anybody used multiple NIDSs to provide higher
sensitivity with fewer false positives?

At Security Wizards, we tend to get one or two calls a month from other
vendors that want to aggregate multiple IDS sensors and/or the entire
suite of security products from virus detectors to network IDS products.

There is a lot of power in correlating a CGI-BIN web attack from a NIDS
with a host based IDS on the attacked system. Same goes for aggregating
multiple different IDS products. Deciding what to do if one IDS alarms
and the others don't could limit false positives, but it could also limit
your sensitivity. 

Our experience has mostly been with customers who already have ISS Real
Secure (no one gets fired for buying ISS) and have deployed some Dragon
sensors on the high speed links or directly on the Real Secure sensor.
I can point to many examples where the customer was very happy with the
best features of both products. In many cases ISS was used for one 
facet of IDS such as real-time alerting while Dragon was used for something
else like forensics analysis of hacker data. 

The real power in any central event aggregation system is to also have
some logic that can look at a stream of events from a sensor or multiple
sensors and call it something like "Light Cybercop Scan", "BO2K Traffic",
"Small NMAP scan", etc. End users lose a little in detail, but should
be able to ask such a system which original events led to the naming of
the higher level (second order) event.

Ron Gula
Network Security Wizards
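As an added illustration of the aggregation logic described in the post (not code from the post, Dragon, or any product it mentions), the small correlator below rolls a stream of raw sensor events into named second-order events while keeping the ids of the original events so a user can drill back down. It also shows the "one IDS alarms and the other doesn't" case: a NIDS CGI-BIN alert confirmed by a host-based alert on the target is ranked higher than an unconfirmed one, but the unconfirmed one is kept so sensitivity is not lost. Sensor names, signature names, the scan threshold and the sample stream are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
@dataclass
class Event:            # one raw alert, as a sensor reported it (constructed format)
    id: int
    sensor: str         # e.g. "dragon-nids" (network) or "hids-www1" (host-based)
    src: str
    dst: str
    sig: str            # signature name, as the sensor named it
    dport: int = 0
@dataclass
class SecondOrderEvent: # the named, higher-level event the post describes
    name: str
    src: str
    dst: str
    evidence: list = field(default_factory=list)  # ids of the original events
SCAN_PORTS = 5  # constructed threshold: distinct ports probed by one source
def correlate(events):
    out, probes = [], defaultdict(list)
    cgi_nids, cgi_hids = defaultdict(list), defaultdict(list)
    for e in events:
        if e.sig == "TCP_PROBE":
            probes[(e.src, e.dst)].append(e)
        elif e.sig == "CGI_BIN_ATTACK" and e.sensor.endswith("nids"):
            cgi_nids[(e.src, e.dst)].append(e)
        elif e.sig == "CGI_EXEC_FAIL" and e.sensor.startswith("hids"):
            cgi_hids[(e.src, e.dst)].append(e)
    # Rule 1: many distinct ports from one source to one host -> name it a scan
    for (src, dst), evs in probes.items():
        if len({e.dport for e in evs}) >= SCAN_PORTS:
            out.append(SecondOrderEvent("Small NMAP scan", src, dst, [e.id for e in evs]))
    # Rule 2: NIDS CGI alert is "confirmed" only if the host-based IDS on the target
    # also alarmed; an unconfirmed alert is kept at lower priority, not dropped.
    for key, nevs in cgi_nids.items():
        hevs = cgi_hids.get(key, [])
        name = ("Confirmed" if hevs else "Unconfirmed") + " CGI-BIN attack"
        out.append(SecondOrderEvent(name, *key, [e.id for e in nevs + hevs]))
    return out
def drill_down(second_order, events):
    """Answer the end user's question: which original events led to this name?"""
    return [e for e in events if e.id in second_order.evidence]
# Constructed sample stream from two sensors (not captured traffic).
SAMPLE = [Event(i, "dragon-nids", "10.0.0.5", "10.0.1.2", "TCP_PROBE", p)
          for i, p in enumerate([21, 22, 23, 25, 80, 110], start=1)]
SAMPLE += [Event(7, "dragon-nids", "10.0.0.9", "10.0.1.7", "CGI_BIN_ATTACK", 80),
           Event(8, "hids-www1", "10.0.0.9", "10.0.1.7", "CGI_EXEC_FAIL", 80),
           Event(9, "dragon-nids", "10.0.0.3", "10.0.1.7", "CGI_BIN_ATTACK", 80)]
```

Running `correlate(SAMPLE)` yields one scan event with evidence ids 1 through 6, one confirmed CGI-BIN attack backed by both sensors, and one unconfirmed attack seen only by the NIDS.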


