Lately there's a lot of buzz about pushing gigabit speeds and integrating IDSes (intrusion-detection systems) with custom hardware, but we believe that two of the most important issues have yet to be addressed in a mature manner: data aggregation and correlation, and event management.
As organizations begin to realize the importance of monitoring logs and performing queries on historical data, products that can tie firewall data, IDS data and system logs together will become more valuable. An IDS that picks up an attacker knocking on one firewall is one thing. That same attacker knocking on 20 firewalls around the world is quite another. As IDSes continue to mature, they should be able to use their distributed nature to craft more intelligent alerts and help classify attacks accordingly.
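The correlation the paragraph calls for, as an added example that is not code from the review or from any product it tested: a small Python correlator that normalizes constructed firewall, IDS and syslog lines from several sites into one event shape, then groups them by source address and raises a single, higher-severity alert when the same address shows up at two or more sites within a time window. The log formats, site names and severity thresholds are assumptions chosen for illustration; the addresses are from documentation ranges.

```python
"""Cross-sensor correlation of firewall, IDS and system-log events.

Added example (not code from the original review). Normalizes a handful
of constructed log lines from several sites into one event shape, then
correlates by source address across sites so one attacker probing many
firewalls produces one alert rather than twenty unrelated ones.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input as (site, raw line). Formats are hypothetical
# approximations of an iptables-style firewall log, a Snort-style IDS
# alert line and a syslog auth failure; site names are assumed.
RAW_LOGS = [
    ("chicago", "2001-05-01T10:00:01 FW DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=22"),
    ("london",  "2001-05-01T10:00:09 FW DROP SRC=203.0.113.7 DST=192.0.2.40 DPT=22"),
    ("tokyo",   "2001-05-01T10:00:15 FW DROP SRC=203.0.113.7 DST=192.0.2.80 DPT=22"),
    ("chicago", "2001-05-01T10:00:20 IDS [1:2003] SSH scan 203.0.113.7 -> 192.0.2.10"),
    ("london",  "2001-05-01T10:01:02 sshd: Failed password for root from 203.0.113.7"),
    ("chicago", "2001-05-01T10:05:00 FW DROP SRC=198.51.100.9 DST=192.0.2.10 DPT=80"),
    ("chicago", "2001-05-01T10:05:30 FW DROP SRC=198.51.100.9 DST=192.0.2.10 DPT=443"),
]

# One regex per source type; each yields a 'ts' and a 'src' group.
PARSERS = {
    "firewall": re.compile(r"^(?P<ts>\S+) FW (?P<action>\w+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)"),
    "ids":      re.compile(r"^(?P<ts>\S+) IDS \[(?P<sid>[\d:]+)\] (?P<msg>.+?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"),
    "syslog":   re.compile(r"^(?P<ts>\S+) (?P<prog>\w+): (?P<msg>.+) from (?P<src>[\d.]+)"),
}


def normalize(site, line):
    """Map one raw line to a common event dict, or None if no parser matches."""
    for source, rx in PARSERS.items():
        m = rx.match(line)
        if m:
            return {
                "ts": datetime.fromisoformat(m.group("ts")),
                "site": site,
                "source": source,
                "src_ip": m.group("src"),
                "detail": line.split(" ", 1)[1],
            }
    return None


def correlate(events, window=timedelta(minutes=10), min_sites=2):
    """Group events by source address and raise one alert per address that
    touched at least `min_sites` distinct sites inside `window`.

    The window slides over each address's events in time order; the best
    window is the one covering the most sites, then the most source types,
    then the most events. Severity scales with the number of sites."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        best_score, best = (0, 0, 0), None
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            sites = {e["site"] for e in chunk}
            sources = {e["source"] for e in chunk}
            score = (len(sites), len(sources), len(chunk))
            if len(sites) >= min_sites and score > best_score:
                best_score, best = score, {"sites": sites, "sources": sources, "events": chunk}
        if best:
            alerts.append({
                "src_ip": ip,
                "sites": sorted(best["sites"]),
                "sources": sorted(best["sources"]),
                "event_count": len(best["events"]),
                # Assumed thresholds: 2 sites is suspicious, 3 or more is a sweep.
                "severity": "high" if len(best["sites"]) >= 3 else "medium",
            })
    return alerts


def run(raw_logs=RAW_LOGS, **kwargs):
    """Parse every line that a parser understands and correlate the result."""
    events = [e for e in (normalize(site, line) for site, line in raw_logs) if e]
    return correlate(events, **kwargs)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample input the address seen at three sites collapses into one high-severity alert that also carries the IDS and syslog evidence, while the address that only touched one site produces nothing; shrinking the window to a few seconds splits the sweep and drops the alert to medium, which is the knob an operator would tune against their own sensor clock skew.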
Another feature that is lacking in today's IDSes is the ability to manage events. For example, in our testing we used a simple forum package called phpnuke to keep communication paths open between us and DePaul's network admin team. Modern IDSes aren't designed to tie into operations-centric systems, so security staffers are left to play the cut-and-paste game. Eventually, IDSes will have to go the route that networking devices have gone: interoperability with larger frameworks. We hope the day will come when you can snap in a HIDS agent from one vendor and a NIDS sensor from another vendor and plug them both into a framework manager from a third vendor. For now, however, we're stuck doing much of the management ourselves.