Security
FEATURE
Tactical Security 101

  January 23, 2003
  By Greg Shipley



Event Correlation
Intrusion detection remains one of today's hottest areas, but while IDS technology is sexy and evolving rapidly, we believe it offers only a limited ROI, and only when it's deployed in a sane manner. Many IDS efforts fail because the overhead required to operate and monitor large-scale deployments is underestimated. Compounding the problem, many organizations go straight from testing to deployment, skipping the pilot phase. The result is incomplete deployments, unmonitored event logs, and sensors that fall hopelessly behind on signature updates. In addition, most NIDS products are reactive: they report an attack only after the traffic has already reached its target, which makes them less effective as protection mechanisms.

While technology designed to complement IDS, such as Lancope's StealthWatch, is taking steps away from traditional signature-based solutions, most NIDS products are still plagued by false alerts and can overwhelm administrators. Put simply, large IDS deployments can present a significant and costly burden to their operators, serving as glorified burglar alarms. Unless the NIDS industry takes some gigantic steps forward in the near term, we caution against embarking on a large-scale NIDS deployment without a strategy for handling the associated overhead.


Many organizations are turning to event correlation to lessen some of the analysis load. We think this is a smart move: Not only do aggregation and correlation solutions solve the "Where should I send and store my logs?" problem, they can reduce the time it takes to analyze and act on security events. For example, as a security analyst, would you rather be presented with thousands of raw IDS alerts from an array of sensors, or with a short list of events built from those alerts cross-referenced with firewall entries, checked against host and asset databases, and confirmed to match vulnerabilities known to exist on the targeted hosts?

If you're like most, you'd rather be told about the 20 items that you should pay attention to, not the 10,000 items that may or may not be of concern. While the correlation market is even younger than the IDS one, it promises to bring relevancy to a sea of otherwise misleading data points. Unfortunately, these correlation solutions are hefty investments and often require resource-intensive deployment efforts.
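The triage the preceding two paragraphs describe, as an added example that is not code from the article or from any product it mentions: constructed IDS alerts are matched against constructed firewall log entries for the same flow, then against a hypothetical asset inventory and scanner-confirmed vulnerability labels, so that an alert the firewall dropped is suppressed, an alert against a host that does not run the targeted service or is already patched is demoted, and only alerts that were permitted through to a host known to be vulnerable (plus hits on hosts missing from the inventory) reach the analyst queue. The log formats, addresses, signature names and vulnerability labels are all invented for the example.

```python
"""Minimal event correlation: IDS alerts x firewall log x asset/vulnerability data.

All log lines, hosts and vulnerability labels are constructed sample data for
this example; none are real events, products or identifiers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed IDS alert feed. Hypothetical format:
#   <iso-time> <src> -> <dst>:<port> <signature> vuln=<label>
IDS_ALERTS = """\
2003-01-23T10:00:05 203.0.113.7 -> 192.0.2.10:80 web-cgi-overflow vuln=WEB-CGI-OVERFLOW
2003-01-23T10:00:09 203.0.113.7 -> 192.0.2.10:80 web-dir-traversal vuln=WEB-DIR-TRAVERSAL
2003-01-23T10:01:00 203.0.113.9 -> 192.0.2.11:1433 db-resolution-probe vuln=DB-RESOLUTION-OVERFLOW
2003-01-23T10:02:00 203.0.113.9 -> 192.0.2.12:1433 db-resolution-probe vuln=DB-RESOLUTION-OVERFLOW
2003-01-23T10:03:30 203.0.113.20 -> 192.0.2.10:22 ssh-version-probe vuln=SSH-LEGACY-OVERFLOW
2003-01-23T10:04:00 203.0.113.21 -> 192.0.2.99:80 web-cgi-overflow vuln=WEB-CGI-OVERFLOW
2003-01-23T10:05:00 203.0.113.30 -> 192.0.2.11:80 web-cgi-overflow vuln=WEB-CGI-OVERFLOW
"""

# Constructed firewall log. Hypothetical format: <iso-time> <ACCEPT|DROP> <src> -> <dst>:<port>
FIREWALL_LOG = """\
2003-01-23T10:00:04 ACCEPT 203.0.113.7 -> 192.0.2.10:80
2003-01-23T10:00:08 ACCEPT 203.0.113.7 -> 192.0.2.10:80
2003-01-23T10:00:59 ACCEPT 203.0.113.9 -> 192.0.2.11:1433
2003-01-23T10:01:59 DROP 203.0.113.9 -> 192.0.2.12:1433
2003-01-23T10:03:29 DROP 203.0.113.20 -> 192.0.2.10:22
2003-01-23T10:04:59 ACCEPT 203.0.113.30 -> 192.0.2.11:80
"""

# Hypothetical asset inventory: which service each host runs on which port, and which
# vulnerability labels a scanner has confirmed on it. 192.0.2.99 is deliberately absent.
ASSETS = {
    "192.0.2.10": {"services": {80: "httpd"}, "vulns": {"WEB-CGI-OVERFLOW"}},
    "192.0.2.11": {"services": {1433: "dbms"}, "vulns": {"DB-RESOLUTION-OVERFLOW"}},
    "192.0.2.12": {"services": {1433: "dbms"}, "vulns": set()},  # same service, patched
}

ALERT_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+) vuln=(\S+)$")
FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+) -> (\S+):(\d+)$")

# Lower number = more urgent. "blocked" never reaches the analyst.
PRIORITY = {"confirmed": 1, "unknown-asset": 2, "exposed": 3, "no-service": 4, "blocked": 5}


@dataclass
class Alert:
    time: datetime
    src: str
    dst: str
    port: int
    signature: str
    vuln: str


@dataclass
class Finding:
    alert: Alert
    verdict: str
    priority: int


def parse_alerts(text):
    """Parse the IDS feed; malformed lines are skipped rather than aborting the run."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            t, src, dst, port, sig, vuln = m.groups()
            alerts.append(Alert(datetime.fromisoformat(t), src, dst, int(port), sig, vuln))
    return alerts


def parse_firewall(text):
    entries = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            t, action, src, dst, port = m.groups()
            entries.append((datetime.fromisoformat(t), action, src, dst, int(port)))
    return entries


def firewall_decision(alert, fw_entries, window):
    """Latest ACCEPT/DROP for the alert's flow within `window` before the alert, else None."""
    best = None
    for t, action, src, dst, port in fw_entries:
        if (src, dst, port) != (alert.src, alert.dst, alert.port):
            continue
        if timedelta(0) <= alert.time - t <= window and (best is None or t > best[0]):
            best = (t, action)
    return best[1] if best else None


def correlate(alerts, fw_entries, assets, window=timedelta(seconds=10)):
    """Attach a verdict to every alert; most urgent first, ties broken by time."""
    findings = []
    for a in alerts:
        asset = assets.get(a.dst)
        if firewall_decision(a, fw_entries, window) == "DROP":
            verdict = "blocked"          # never reached the host: suppress
        elif asset is None:
            verdict = "unknown-asset"    # cannot rule it out, and an inventory gap
        elif a.port not in asset["services"]:
            verdict = "no-service"       # nothing listening for that exploit
        elif a.vuln in asset["vulns"]:
            verdict = "confirmed"        # permitted through, and the host is vulnerable
        else:
            verdict = "exposed"          # service reachable but not known vulnerable
        findings.append(Finding(a, verdict, PRIORITY[verdict]))
    return sorted(findings, key=lambda f: (f.priority, f.alert.time))


def analyst_queue(findings, max_priority=2):
    """The short list an analyst actually sees."""
    return [f for f in findings if f.priority <= max_priority]


if __name__ == "__main__":
    for f in analyst_queue(correlate(parse_alerts(IDS_ALERTS), parse_firewall(FIREWALL_LOG), ASSETS)):
        print(f.priority, f.verdict, f.alert.src, "->", f.alert.dst, f.alert.signature)
```

Seven raw alerts collapse to three queue entries: two confirmed attacks on vulnerable, reachable hosts and one hit on a host the inventory does not know about. The firewall check runs first because a dropped flow cannot have reached anything, and the window is kept short so a stale ACCEPT for the same tuple is not mistaken for the alerted connection.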


