Security Feature
Tactical Security 101

January 23, 2003
By Greg Shipley



In this article: Introduction; Vulnerability Management; Firewalls Get Hotter; Control Issues; Event Correlation; HIP Hosts; Technology Areas; How We Got Here

Event Correlation

Intrusion detection remains one of today's hottest areas, but while IDS technology is sexy and evolving rapidly, we believe it offers only a limited ROI, and only if it's deployed in a sane manner. Many IDS efforts fail because the overhead required to operate and monitor large-scale deployments is underestimated. Compounding the problem, many organizations go straight from testing to deployment, bypassing the pilot phase. The result is incomplete deployments, unmonitored event logs, and sensors that fall horribly behind on signature updates. In addition, most NIDS products are reactive: they report an attack after the traffic has already reached its target, so they detect rather than prevent, which makes them less effective as protection mechanisms.

While technology designed to complement IDS, such as Lancope's StealthWatch, is moving away from traditional signature-based detection, most NIDS products are still plagued by false alerts that can overwhelm administrators. Put simply, large IDS deployments can be a significant and costly burden to their operators, serving as little more than glorified burglar alarms. Unless the NIDS industry takes some gigantic steps forward in the near term, we caution against embarking on a large-scale NIDS deployment without a strategy for handling the associated overhead.


Many organizations are turning to event correlation to lessen some of the analysis load. We think this is a smart move: Not only do aggregation and correlation solutions solve the "Where should I send and store my logs?" problem, they can reduce the time it takes to analyze and act on security events. For example, if you were a security analyst, would you rather be presented with thousands of raw IDS alerts from an array of sensors, or with a handful of events built from IDS alerts cross-referenced against firewall logs (did the traffic actually get through?), checked against host and asset databases (does the target exist, and what runs on it?), and confirmed against vulnerability data (is the target actually susceptible to the attack that was seen?)?

If you're like most, you'd rather be told about the 20 items that need your attention than the 10,000 that may or may not be of concern. While the correlation market is even younger than the IDS market, it promises to bring relevance to a sea of otherwise misleading data points. Unfortunately, these correlation solutions are hefty investments and often require resource-intensive deployment efforts.
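The triage pipeline described above, as an added worked example that is not part of the original article and not the code of any product it mentions: raw IDS alerts are aggregated, dropped if the firewall log shows the flow was blocked, and scored against an asset inventory and vulnerability-scan results so that only a short list reaches the analyst. Every host, address, signature name, vuln_id, field name and scoring weight is constructed for illustration; a real deployment would feed these from its own sensors, firewall and scanner.

```python
"""Correlating IDS alerts with firewall logs, an asset inventory and
vulnerability-scan results to shrink a flood of alerts to a short list.
Added example; all hosts, addresses, signatures, vuln_ids and weights are
constructed for illustration and are not from the article."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)          # frozen -> hashable, so Counter can aggregate
class Alert:
    sensor: str
    src: str
    dst: str
    dport: int
    signature: str
    vuln_id: Optional[str]       # scanner-side id the signature maps to, if any

@dataclass
class Finding:
    alert: Alert
    count: int
    score: int
    reasons: List[str]

# --- constructed sample inputs (RFC 5737 documentation addresses) ---------
IDS_ALERTS: List[Alert] = (
    [Alert("dmz", "203.0.113.7", "10.0.0.5", 80, "WEB-IIS ISAPI overflow", "iis-isapi-overflow")] * 5
    + [Alert("dmz", "203.0.113.7", "10.0.0.6", 80, "WEB-IIS ISAPI overflow", "iis-isapi-overflow")] * 3
    + [Alert("dmz", "198.51.100.23", "10.0.0.9", 1434, "MS-SQL resolution overflow", "mssql-resolution-overflow")] * 200
    + [Alert("dmz", "192.0.2.50", "10.0.0.77", 25, "SMTP VRFY probe", None)]
    + [Alert("int", "198.51.100.23", "10.0.0.20", 22, "SSH brute force", None)] * 2
)
FIREWALL_LOG: List[Tuple[str, str, int, str]] = [   # (src, dst, dport, action)
    ("203.0.113.7", "10.0.0.5", 80, "ALLOW"),
    ("203.0.113.7", "10.0.0.6", 80, "ALLOW"),
    ("198.51.100.23", "10.0.0.9", 1434, "DENY"),
    ("198.51.100.23", "10.0.0.20", 22, "ALLOW"),
]
ASSETS: Dict[str, Tuple[str, int, Set[int]]] = {    # ip -> (hostname, criticality 1..3, open ports)
    "10.0.0.5": ("www1", 3, {80, 443}),
    "10.0.0.6": ("www2", 2, {80}),
    "10.0.0.9": ("sql1", 3, {1433, 1434}),
    "10.0.0.20": ("bastion", 3, {22}),
}
VULNS: Dict[str, Set[str]] = {                      # ip -> vuln_ids confirmed by the last scan
    "10.0.0.5": {"iis-isapi-overflow"},
    "10.0.0.6": set(),
    "10.0.0.9": {"mssql-resolution-overflow"},
    "10.0.0.20": set(),
}

def firewall_verdict(alert: Alert, fw_log) -> Optional[str]:
    """'ALLOW' if any entry permitted the flow, 'DENY' if only denies were
    logged, None if the firewall never saw it (e.g. purely internal traffic)."""
    actions = {act for s, d, p, act in fw_log if (s, d, p) == (alert.src, alert.dst, alert.dport)}
    if "ALLOW" in actions:
        return "ALLOW"
    return "DENY" if "DENY" in actions else None

def correlate(alerts, fw_log, assets, vulns) -> List[Finding]:
    """Aggregate duplicate alerts, drop flows the firewall blocked, and score the
    rest by target criticality, listening service and confirmed vulnerability."""
    findings: List[Finding] = []
    for alert, count in Counter(alerts).items():
        reasons, score = [], 0
        verdict = firewall_verdict(alert, fw_log)
        if verdict == "DENY":
            continue                                # blocked at the perimeter
        reasons.append("firewall allowed the flow" if verdict else "no firewall record")
        score += 1 if verdict else 0
        asset = assets.get(alert.dst)
        if asset is None:
            reasons.append("destination not in asset inventory")
        else:
            hostname, criticality, ports = asset
            score += criticality
            reasons.append(f"target {hostname} (criticality {criticality})")
            if alert.dport in ports:
                score += 1
                reasons.append("service listening on port")
            else:
                reasons.append("nothing listening on port")
        if alert.vuln_id and alert.vuln_id in vulns.get(alert.dst, set()):
            score += 4                              # attack matches a known hole
            reasons.append(f"host vulnerable to {alert.vuln_id}")
        elif alert.vuln_id:
            reasons.append("host not vulnerable per last scan")
        findings.append(Finding(alert, count, score, reasons))
    findings.sort(key=lambda f: (-f.score, -f.count))
    return findings

def triage(min_score: int = 5) -> List[Finding]:
    """The short list an analyst should actually look at."""
    return [f for f in correlate(IDS_ALERTS, FIREWALL_LOG, ASSETS, VULNS) if f.score >= min_score]

if __name__ == "__main__":
    print(f"{len(IDS_ALERTS)} raw alerts -> {len(triage())} findings worth attention")
    for f in triage():
        a = f.alert
        print(f"[{f.score}] x{f.count} {a.src} -> {a.dst}:{a.dport} {a.signature}: {'; '.join(f.reasons)}")
```

With the constructed data, 211 raw alerts collapse to four aggregated findings: the 200 MS-SQL alerts vanish because the firewall denied the flow, the ISAPI alerts against the Apache host score low because the scanner shows it is not vulnerable, and only the confirmed-vulnerable web server and the brute-forced bastion clear the threshold. The weights are arbitrary; the point is that each data source either adds relevance (the host is critical, the service is listening, the hole is real) or removes it.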

