False Alarm?

Intrusion detection systems are getting smarter, but sorting real attacks from false alarms takes planning.

When Ecampus.com first installed an intrusion-detection system (IDS), the alerts were unnerving. "For the first few attacks, we came unglued. We said, 'We'd better sit in front of those monitors all day,' " says Brent Tuttle, chief technology officer at the Lexington, Ky.-based college supplies retailer and online community. That's not an uncommon reaction, users say, because the sheer number of alerts can be overwhelming.

Although an IDS should be part of any enterprise's security toolbox, users and analysts stress that the technology is no panacea. Because signature-based systems recognize only attacks that have already been catalogued, they're always one step behind attackers. False positives can cause unnecessary scrambling, while the signature updates that make an IDS effective against new attacks aren't frequent enough, users say. And as Ecampus.com discovered, deploying an IDS suddenly makes visible a stream of access attempts that was always there, many of them harmless.

Managers should create notification and escalation policies that answer the question: Now that we've got all this information, what are we going to do with it? To ease this burden, vendors are developing smarter, more active systems that suppress alerts on harmless events and include decision-support mechanisms that help users respond to the serious ones.

It's critical to define an incident-response policy before firing up the IDS, users say. These policies lay out how to respond to different types of attacks, including the people to notify and in what order.

Tuttle says Ecampus.com had two top priorities in mind when it shopped for an IDS. It needed to be effective against students, who have plenty of free time, and it needed to be automated so the IT staff could focus on other tasks. The firm settled on Intruder Alert from Symantec Corp. in Cupertino, Calif.

After a few months of overreacting to false positives, Tuttle called in Symantec consultants, who educated the staff on which attacks were significant and those that weren't, until he had "a comfort level that we were locked down as tight as we can be," Tuttle says.

Ecampus.com also "developed an escalation policy so that if there's a [denial-of-service attack] or a server down, the first calls go to the responsible engineers, then I'm notified," Tuttle says.

An IDS can free up staff time and eliminate some drudgery, but sometimes there's no substitute for the human eye. That lesson was recently brought home to John Steensen, vice president and chief technical officer at Intira Corp., a Pleasanton, Calif.-based infrastructure outsourcer that counts among its customers the online community Military.com.

In April, when pro-Chinese attacks beset U.S. businesses, "Military.com's load went from 4% to 74% [of capacity]," Steensen says. The traffic increase didn't trigger any IDS alarms, but an Intira network engineer "saw it just didn't look right" and notified Military.com, he says. For businesses where security is critical, hiring and retaining skilled staff makes sense. "We know attacks are going to happen no matter what the technology," Steensen says. "You still need a good human being behind [the IDS]."
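The surge Steensen describes is exactly what a signature-matching IDS misses: nothing in the traffic resembles a catalogued attack, only its volume is wrong. The Python below is added here as an illustration and is not code from Intira, Military.com or any vendor in the article. It shows the kind of statistical baseline check that flags a surge by size alone; the per-minute request counts, the 4-sigma threshold and the 5% deviation floor are all constructed assumptions.

```python
"""Volume-anomaly check over constructed per-minute request counts.

Added example; not code from Intira, Military.com or any IDS vendor named
in the article. A signature-based IDS matches known attack patterns, so a
load surge that carries no recognizable signature raises no alert. A
statistical baseline catches the surge by its size alone. All counts below
are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed training window: requests per minute during normal operation.
BASELINE = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 41, 38]

# Constructed observation window: ordinary minutes followed by a surge
# of the kind a signature-only IDS would not flag.
OBSERVED = [41, 43, 39, 44, 310, 720, 740, 735]


def baseline_stats(samples):
    """Mean and population standard deviation of the training window.

    The deviation is floored at 5% of the mean (an assumed value) so a
    perfectly flat baseline does not turn every small wobble into an alert.
    """
    mu = mean(samples)
    sigma = max(pstdev(samples), 0.05 * mu, 1e-9)
    return mu, sigma


def volume_alerts(observed, baseline, zmax=4.0):
    """Return (index, count, z-score) for each minute more than `zmax`
    standard deviations above the baseline mean."""
    mu, sigma = baseline_stats(baseline)
    alerts = []
    for i, count in enumerate(observed):
        z = (count - mu) / sigma
        if z > zmax:
            alerts.append((i, count, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for idx, count, z in volume_alerts(OBSERVED, BASELINE):
        print(f"minute {idx}: {count} requests, {z} sigma above baseline")
```

The point is not the statistics but the complement: a check like this fires on what the traffic does, not on what it contains, which is why it catches the case the signature engine stayed silent on. The floor on sigma is the edge case worth getting right, since a quiet baseline otherwise makes every deviation look enormous.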

Enterprise IT departments are increasingly using hybrid systems - a combination of network- and host-based tools. A network-based IDS detects attacks upfront, according to Michael Rasmussen, a senior analyst at Giga Information Group Inc. in Cambridge, Mass. "It's especially good at scans around the perimeter," he says. A host-based system watches an individual server from the inside, detecting changes to the files on that machine, and thus serves as a backup to a network-based IDS. Host-based tools also catch internal abuse, which is statistically more likely than an external attack.

Intira uses Symantec's Intruder Alert as its host-based IDS on each server, with the network-based Cisco Secure IDS from Cisco Systems Inc. "We deploy inside and outside the firewall so we can see all port scans and attacks," Steensen says.

Because Intira's staff interprets attacks, Steensen says, the company makes little use of automatic shunning, a popular IDS feature that blocks addresses associated with malicious activity. On the other hand, "if you're running an unattended operation, you'd want to configure [your IDS] to be more automatic," and shunning makes more sense, he says. But while organizations that shun traffic require fewer staffers to monitor the IDS, they may inadvertently turn away legitimate users: a false positive, a spoofed source address or an address shared by many users behind a proxy can all put the wrong address on the block list.

In both staffing and technology, using an IDS is a balancing act. On the technology side, new IDS users often "turn the volume way up, then catch too many false [positives] - then turn the squelch down to zero" - and attacks slip through, says Peter Lindstrom, an analyst at Framingham, Mass.-based Hurwitz Group Inc.
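Lindstrom's "volume" and "squelch" are, in practice, one or two numeric thresholds, and Steensen's shunning trade-off follows directly from them. The Python below is an added example, not code from Cisco Secure IDS, Intruder Alert or Intira: a port-scan heuristic with a tunable threshold run over constructed log lines, followed by a shun list with an allowlist and an expiry. With the threshold low, an assumed internal monitoring host (192.0.2.5) is flagged alongside a slow scanner; with it high, the slow scanner slips through. The 60-second window, 15-minute expiry, addresses and log lines are all assumptions for the illustration.

```python
"""Port-scan detection with a tunable threshold and automatic shunning.

Added example, not code from Intruder Alert, Cisco Secure IDS or any other
product in the article. A distinct-ports-per-source heuristic runs over
constructed log lines; flagged sources are then "shunned" (blocked) via a
list with an allowlist and an expiry. Hosts and log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <source ip> <destination ip>:<port>"
LOG = """\
2001-06-01T10:00:00 198.51.100.7 192.0.2.10:21
2001-06-01T10:00:01 198.51.100.7 192.0.2.10:22
2001-06-01T10:00:02 198.51.100.7 192.0.2.10:23
2001-06-01T10:00:03 198.51.100.7 192.0.2.10:25
2001-06-01T10:00:04 198.51.100.7 192.0.2.10:53
2001-06-01T10:00:05 203.0.113.9 192.0.2.10:22
2001-06-01T10:00:05 198.51.100.7 192.0.2.10:80
2001-06-01T10:00:06 198.51.100.7 192.0.2.10:110
2001-06-01T10:00:07 198.51.100.7 192.0.2.10:443
2001-06-01T10:00:10 203.0.113.50 192.0.2.10:80
2001-06-01T10:00:11 203.0.113.50 192.0.2.10:80
2001-06-01T10:00:30 192.0.2.5 192.0.2.10:22
2001-06-01T10:00:31 192.0.2.5 192.0.2.10:25
2001-06-01T10:00:32 192.0.2.5 192.0.2.10:80
2001-06-01T10:00:33 192.0.2.5 192.0.2.10:443
2001-06-01T10:00:34 192.0.2.5 192.0.2.10:3306
2001-06-01T10:00:45 203.0.113.9 192.0.2.10:80
2001-06-01T10:01:25 203.0.113.9 192.0.2.10:443
2001-06-01T10:02:05 203.0.113.9 192.0.2.10:25
"""
# 198.51.100.7  fast scanner: 8 ports in 8 seconds
# 203.0.113.9   slow scanner: 4 ports, 40 seconds apart
# 192.0.2.5     assumed internal monitoring host probing 5 services
# 203.0.113.50  ordinary visitor retrying port 80

MONITORING_HOSTS = frozenset({"192.0.2.5"})  # assumed allowlist


def parse_log(text):
    """Yield (timestamp, source, destination port) per log line."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, int(dst.rsplit(":", 1)[1])


def detect_scans(text, threshold, window=timedelta(seconds=60)):
    """Sources that touched at least `threshold` distinct ports inside any
    `window`, mapped to that count. `threshold` is the squelch: low values
    catch slow scanners but flag legitimate multi-port hosts; high values
    do the reverse."""
    events = defaultdict(list)
    for ts, src, port in parse_log(text):
        events[src].append((ts, port))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1  # slide the window past events that are too old
            best = max(best, len({p for _, p in evs[lo:hi + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


class ShunList:
    """Time-limited block list; allowlisted hosts are never shunned."""

    def __init__(self, allowlist=frozenset(), ttl=timedelta(minutes=15)):
        self.allowlist, self.ttl, self.expires = allowlist, ttl, {}

    def shun(self, src, now):
        """Block `src` until now + ttl; False if it is allowlisted."""
        if src in self.allowlist:
            return False
        self.expires[src] = now + self.ttl
        return True

    def is_blocked(self, src, now):
        exp = self.expires.get(src)
        if exp is not None and now < exp:
            return True
        self.expires.pop(src, None)  # lapsed or never blocked
        return False


def evaluate(threshold, allowlist, now=datetime(2001, 6, 1, 10, 5)):
    """Detect at `threshold`, shun what is flagged; return (flagged, blocked)."""
    flagged = detect_scans(LOG, threshold)
    shun = ShunList(allowlist)
    for src in flagged:
        shun.shun(src, now)
    return flagged, sorted(shun.expires)


def still_blocked(src, minutes_later, now=datetime(2001, 6, 1, 10, 5)):
    """True if `src`, shunned at `now`, is still blocked `minutes_later` on."""
    shun = ShunList()
    shun.shun(src, now)
    return shun.is_blocked(src, now + timedelta(minutes=minutes_later))
```

Compare `evaluate(2, MONITORING_HOSTS)` with `evaluate(6, MONITORING_HOSTS)`: at 2 the slow scanner is caught but the monitoring host is flagged too, and only the allowlist keeps it off the block list; at 6 the monitoring host is quiet and the slow scanner is never seen. The expiry is what keeps a single bad call from locking a legitimate address out for good.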

Analysts and vendors say future systems will include better user interfaces and features to help IT managers sort the false alarms from the true threats. Vendors are already beginning to address another issue: more automated and timely signature updates. Cisco recently started pushing signature updates out to users of its Secure IDS product.

Atlanta-based Internet Security Systems Inc.'s new release of RealSecure bundles traditional network- and host-based IDS tools with active-content blocking (of executable e-mail attachments, for example) and malicious-code scanning under a single user interface.

Analysts say that vendors must also improve IDS performance. Such systems stand at the front of an enterprise's defenses and make tempting targets for would-be intruders. Rasmussen says IDS-specific attacks have gained in popularity during the past year. One method attackers use is to flood the system with traffic crafted to trigger false positives, in the hope that exasperated security personnel will shut off the IDS or stop reading its alerts.

Rasmussen adds that under a denial-of-service attack, most detection systems "fail-open" - that is, the sensor stops functioning but doesn't shut down the rest of the network, which keeps running unmonitored and vulnerable.

Ultimately, IT managers should view an IDS as another security tool whose value correlates to the wisdom and resources with which it is used. As Jeff Uslan, director of information protection at Los Angeles-based Sony Pictures Entertainment says, the key to IDS is "not what it'll detect, but how you'll use it."


Ulfelder is a freelance writer in Southboro, Mass. Contact him at sulfelder@charter.net.

Special Report: Security Risk and Reward

Copyright © 2001 IDG Communications, Inc.