
I would say that you need to apply some filters to reduce the number of alerts
BUT still log almost everything for regular analysis - this way you will
keep the number of alerts in a reasonable range and still have the ability to
catch new ones.

Regards,
Sasha.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 11:54 AM
To: Semerjian, Ohanes
Cc: 'Klaus, Chris (ISSAtlanta)'; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: Truth about False Positives


Totally incorrect. You are increasing your threat that way. An attacker
has more chances to find something vulnerable in your network before you
are notified. The only way to do it is through network analysis and
exclusionary rules.
Kevin 

On Tue, 11 Sep 2001, Semerjian, Ohanes wrote:

> When using any kind of IDS, whether it is host or network based, the first thing
> to do before deploying it is to go through the signatures and disable the ones
> that are not required. How you do that depends on your environment, your
> network infrastructure and also the applications used.
> 
> Best Regards
> 
> Ohanes Semerjian
> Security Administrator, AsiaPac
> International Security Group  (Central Services)
> WorldCom International
> 
> Ph:(02) 9434 5636
> Mob: 0410 657 249
> 
> PGP kEY 
> 6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254
> 
> 
> -----Original Message-----
> From: Klaus, Chris (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 7 September 2001 3:46
> To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
> Subject: Truth about False Positives
> 
> 
> 
> One of the biggest problems facing IDS is the number of false positives and
> false alarms.  Each alert from IDS that gets researched costs in time and
> money, and keeps the security operator from being able to focus on the
> really important alarms, because they get swamped with unimportant alarms as
> well and it's not always easy to tell the difference.
> 
> This message includes the following: info on upcoming RealSecure 7.0,
> defining false positives & false alarms, and what steps we are taking to
> reduce and remove them.
> 
> Quicknote:  Making a lot of progress integrating BlackIce technology and
> RealSecure technology together.  We just released an updated RealSecure
> Server Sensor 6.0.1, which combined both the blackice engine code and our
> log analysis and management console system together.  The result is a very
> stable and robust host IDS with log analysis and the most comprehensive
> protocol analysis and signatures combined together.  
> 
> RealSecure 7.0 is coming along very nicely.  We are integrating the BlackIce
> engine with the RealSecure network engine together.  A big part of this
> process is going through and combining all signatures and protocol analysis
> algorithms into having the most comprehensive set of IDS attack algorithms.
> Any redundant checks where we had the same signature or protocol analysis in
> both engines, we are evaluating those checks for which ones had the best
> performance and reduced false positives.  By going through this process, we
> will have a big reduction in false positives and be left with the best
> algorithms.
> 
> One of our major goals in RS 7.0 is to remove any and all false positives.
> We've been collecting all reported false positives from our techsupport,
> consultants, product managers, directly from customers.  We've put together
> a list of false positives that we are stomping out for RS 7.0.  If you know
> of any false positives, feel free to email me with what the false positive
> is, what was triggering it, and any additional information you can
> supply, and we'll work to improve the algorithm to remove the false
> positive.
> 
> Truth about False Positives
> 
> "BEEP! BEEP! RED Alert - Intruder scanning Firewall." This message pops up
> on the administrator's computer monitor.  With new computer security burglar
> alarm technology called IDS (Intrusion Detection System), it is now easier
> to identify when intruders are attacking and take action.  Once the
> administrator sees the alert, they can investigate and determine if the
> attack was real or not.  In many cases, the alert turns out to be nothing
> serious and may get classified as a false positive. 
> 
> In the security industry, IDS is often said to be plagued with too many
> false positives.  While many people blame the IDS technology itself, there
> are two separate distinct issues that are confusing the problem.  Being
> lumped under the false positive issue, there is a separate issue called
> false alarms.  
> 
> Both false positives and false alarms are serious issues, but they require
> different methods to resolve each.  In this paper, false positives and false
> alarms are defined.  The current strategies and future plans are outlined
> for reducing both false positives and false alarms.
> 
> Defining False Positives and False Alarms.
> A false positive is where an attack detection algorithm misidentifies normal
> traffic as an attack.  This usually happens where network traffic contains
> patterns similar to an attack, and the IDS algorithm recognizes these
> patterns and triggers on them.  To reduce these false positives, the
> algorithm needs to be further modified or tweaked to be more accurate and
> not trigger on normal traffic.  The IDS vendor is responsible for improving
> these algorithms.
> 
> A false alarm is where an attack detection algorithm properly identifies the
> pattern as what it is, but it does not signify a real problem for the
> security administrator.  The IDS technology may be configured for alerting
> on any Web traffic and any HTTP GETs.  This will get triggered on anyone web
> surfing.  These alerts are useful to detect someone violating the web
> surfing policy against viewing gambling, pornographic, and hacking content.
> With this configuration, even normal web surfing traffic would cause alerts
> within the IDS as well.  Most of the web alerts are not serious attacks nor
> critical, therefore most of them end up in the false alarm category.  Today,
> the user is responsible for improving the configuration for reducing false
> alarms.
>   
> For a false alarm example, we put a motion sensor inside a busy mall, and
> were alerted every time someone walked by.  The security person would be
> flooded with alerts and the end result after a while would be to ignore these
> false alarms.  The motion sensor algorithm needs to be further enhanced and
> configured with a magnetic strip identifier to alert only when someone walks
> out of the mall with products not purchased.
> 
> While many people complain about false positives in IDS, the majority of
> these issues are false alarms.   RealSecure network sensor has fewer than 5%
> false positives within all the attack detection algorithms.  Our goal is to
> eliminate all false positives and help end-users properly configure IDS to
> significantly reduce false alarms.
> 
> Reducing False Positives and False Alarms.
> At Internet Security Systems, false positives are taken very seriously.  Any
> false positives reported to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> are
> sent to the ISS X-Force team to analyze and refine the attack detection
> algorithm to improve on accuracy and not trigger on normal traffic.
> 
> The security quality assurance process has added something unique in the
> security industry.  Before releasing the ISS X-Press Updates with the latest
> security intelligence and algorithms to the customer base, these updates now
> go through a beta process with our 24 x 7 IDS monitoring service within
> Managed Security Services (ISS MSS).  By putting these new attack detection
> algorithms into real world environments with vastly varied traffic, many
> false positives get immediately identified and with further refinement,
> these false positives are eliminated.
> 
> For false alarms, Internet Security Systems offers a full solution to
> resolve this issue in several ways:
> 
>       *       ISS SecureU offers educational classes on how to configure
> and tweak the IDS.  By going through a class on IDS, users can take
> advantage of all the features and avoid the pitfalls of false alarms.
>       *       ISS Consulting has an offering for doing a security
> assessment and configuring IDS deployments for optimal settings.   With ISS
> consultants performing a security assessment and understanding the network
> layout, the IDS can be properly configured to only alert on what the
> organization considers serious and minimize false alarms.
>       *       ISS Managed Security Services offers a 24 x 7 monitoring
> capability around IDS.  Very few customers can afford to set up a
> round-the-clock 24 x 7 security operation center (SOC).  Our SOC operators
> can monitor and analyze continuously. With their security expertise, they
> separate false alarms from real attacks and inform the customer of any
> serious issues.
>       *       ISS Global Threat Operation Center (GTOC) has global fusion
> and correlation capabilities for reducing false alarms and escalating
> serious attack patterns.
> 
> In the IDS technology, there are some new innovative methods to further
> reduce false alarms and false positives.  
>       Attack and Response Fusion.  Instead of just detecting an attack
> pattern, the detection algorithm is enhanced beyond only looking for
> attacks, but analyzing returning network traffic for the vulnerability
> response patterns.  If an operating system or service is attacked and is
> vulnerable, the response packets can have a pattern that indicates whether
> the attack was successful or not.  
>       Vulnerability and Threat Fusion.  By combining attack events and
> vulnerability events together, this determines that the system was
> vulnerable and was attacked.  This helps raise the priority and criticality
> of the alert.
>       Network and Host Based Fusion.  Combining events from both a network
> and host-based IDS can produce a fused event that has enhanced accuracy as to
> whether the attack was successful from multiple viewpoints.
> 
> Manually, the end-user can reduce false positives by going through several
> methods.
> 
>       Iterative tweaking.  Many end-users apply this method where they
> turn on all detection algorithms and through an iterative process, turn off
> each algorithm that may be producing false alarms until only serious issues
> are triggered.
>       Identify Known Risks.  Through a security assessment, identify known
> weaknesses and configure the IDS to only alert on attacks against those
> weaknesses.
>       Identify Known Exceptions.  Through a security assessment, identify
> known services that are secure and can be ignored for alerting purposes.
> For example, after a security assessment and penetration test has identified
> that the firewall is indeed configured properly and is blocking all the
> appropriate dangerous traffic, the IDS may be configured to only log and
> record port scan events, but not alert on them.  Port scanning on the
> Internet is very common and the organization may determine that these
> attacks are worthwhile to keep on record for evidence purposes, but with a
> properly installed and configured firewall, alerting and taking action on
> these attacks are not worthwhile.
>       Another known exception is where certain vulnerabilities no longer
> apply to the network being monitored.  A security operator can check to see
> if their network is vulnerable to various types of attacks and if not
> vulnerable, the IDS can be configured not to alert on those attacks.  For
> example, the Sendmail WIZ vulnerability, which only exists in very old
> operating systems and to which most networks are not vulnerable, can be
> configured off within the IDS policy.
> 
> Future Plans for False Positive and False Alarm Reduction.
> Internet Security Systems continues to innovate with new technologies to
> provide the best managed security.
> 
> RealSecure Site Protector.  In the near future, the vulnerability assessment
> sensors and the intrusion detection sensors will be managed from one
> security console and management platform.  As part of the security alert
> console, rather than showing the same repeated event twice as separate
> events, additional repeated events would just increment the count field in
> the current event.    This capability reduces the overall number of events
> displayed to the operator.
> 
>       Network Protection System.  As vulnerability assessment technology
> identifies vulnerabilities within the network, it can automatically produce
> an IDS policy based on those known security weaknesses.  Today, this is done
> manually by the end-user.
> 
> Uber-Fusion Throughout the Security Management Platform.  Vulnerability and
> threat fusion is happening at the host-based level today.  The fusion can be
> extended with having one security management platform, and it will simplify
> correlating vulnerabilities and attacks together at the network based level
> and across application, host, and network spectrum from a single viewpoint.
> This technology will be applicable within the Managed Security Service and
> GTOC for automated analysis for various correlated risk patterns.  Based on
> fusion, these risk patterns could be escalated or placed into a false alarm
> category depending on the correlated pattern.
> 
> Criticality and Confidence Level.  Extending the high, medium, and low risk
> categories into finer degrees of criticality and risk, this could
> help focus on real serious alarms against the false alarms.  There might be
> two high-risk attacks, but one is against a vulnerable server, and in
> theory, the attacked vulnerable event should get an even higher priority
> than the high-risk attack against the secured server.
> 
> As ISS X-Force develops the detection algorithms, some of them are looking
> for very specific patterns that could only exist as attack traffic, while
> some detection algorithms are looking for more generic patterns that could
> signify an attack, but also may be legitimate traffic.  A specific pattern
> based algorithm would get high confidence level, while a generic pattern
> algorithm would get a lower confidence level.  Generic SNMP scanning
> algorithm would get a low confidence level, since it might be an intruder,
> but it could likely be an HP OpenView manager trying to find devices.  By
> providing a confidence level for the security management platform, this
> would help target the more serious security alarms over possible false
> alarms.
>  
> Asset Definitions.  In RealSecure Site Protector, an organization can define
> their assets into various groups.  One group may be HR and another is Sales.
> Each group may have its own policy to what it is most sensitive to and
> therefore reduce false alarms depending on what is critical for that
> department.
> 
> In Summary For False Positives and False Alarms.
> 
> Many IDS technologies started with various methods of detecting attacks and
> generating alerts and responses.  Future IDS begins to evolve into a
> Protection System by piecing together multiple alerts from both an attack
> and vulnerability perspective to reduce the workload and allow security
> operators to focus on the core security issues, and ignore false alarms.  
> 
> IDS is evolving beyond just intrusion detection, but becoming comprehensive
> burglar alarm systems that monitor at various levels of applications,
> operating systems, and networks.  Part of this evolution is that IDS
> technology is watching not only for intruders, but denial of service
> attacks, viruses, worms, Trojans, and backdoors.
> 
> For commercial IDS, false positives and false alarms are quickly being
> reduced with dedicated research staff and can be addressed with many of
> Internet Security Systems' offerings.
>  
> With the need for 24 x 7 monitoring for security attacks, many organizations
> are evaluating having a Managed Security Service provide this service as a
> cost effective method.  Companies can focus on their core business, and let
> a trusted security company deal with the false positives and alarms.
> 
> 
> ***********************************************************************
> Christopher W. Klaus
> Founder and CTO
> Internet Security Systems (ISS)
> 6303 Barfield Road
> Atlanta, GA 30328
> Phone: 404-236-4051 Fax: 404-236-2637
> web http://www.iss.net
> NASDAQ: ISSX
> 
> Internet Security Systems ~ The Power To Protect
> 
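
The thread argues four tuning ideas that fit together in one pipeline: per-signature policy (disable, log only, alert), exclusionary rules for sources that network analysis shows to be expected, logging what you do not alert on, and the fusion ideas from the Klaus paper (vulnerability-and-threat, attack-and-response, duplicate events collapsed into a count, a confidence level per check). The following is an added example sketching that pipeline; it is not ISS code, not a RealSecure policy format, and every signature name, host address, vulnerability result and event in it is constructed for illustration.

```python
"""Alert triage for the tuning ideas argued in this thread.

Added example, not ISS code and not a RealSecure policy format.  The
signature names, hosts, vulnerability results, exclusions and events are
all constructed for illustration.
"""
from dataclasses import dataclass

# Per-signature policy.  "alert" notifies the operator, "log" records only
# (port scans logged but not alerted, "still log almost everything"),
# "off" disables the check at the sensor (e.g. Sendmail WIZ when no host
# on the network can be vulnerable).
POLICY = {
    "HTTP_Get": "log",        # ordinary web surfing: a false alarm, keep for policy review
    "PortScan": "log",        # common on the Internet; keep the record, do not page anyone
    "Sendmail_WIZ": "off",    # assumed: no hosts old enough to be vulnerable
    "SNMP_Scan": "alert",
    "IIS_Unicode": "alert",
}
# Default severity and confidence per signature: a specific pattern earns high
# confidence, a generic one (scanning) low, as in the criticality/confidence idea.
SEVERITY = {"IIS_Unicode": "high", "SNMP_Scan": "medium", "PortScan": "low",
            "HTTP_Get": "low", "Sendmail_WIZ": "high"}
CONFIDENCE = {"IIS_Unicode": "high", "Sendmail_WIZ": "high", "SNMP_Scan": "low",
              "PortScan": "low", "HTTP_Get": "low"}
# Exclusionary rules: (signature, source) pairs that network analysis showed
# to be expected, e.g. an assumed HP OpenView manager at 10.0.0.5.
EXCLUSIONS = {("SNMP_Scan", "10.0.0.5")}
# Vulnerability-assessment results (constructed): host -> checks it is vulnerable to.
VULNERABLE = {"10.0.1.20": {"IIS_Unicode"}}
# Attack-and-response fusion input (constructed): (sig, src, dst) for which the
# sensor saw the target answer with the pattern a vulnerable host would produce.
RESPONSE_SEEN = {("IIS_Unicode", "198.51.100.9", "10.0.1.20")}


@dataclass
class Event:
    sig: str
    src: str
    dst: str
    priority: str
    confidence: str
    disposition: str          # "alert", "log" or "false_alarm"
    confirmed: bool = False   # target answered like a vulnerable host
    count: int = 1            # repeats of the same (sig, src, dst)


def triage(raw):
    """raw: iterable of (sig, src, dst) sensor hits, in arrival order.

    Returns (alerts, log): what the operator is paged for, and everything
    retained for later analysis.  Repeated identical events increment
    `count` on the first one instead of producing a second event.
    """
    seen = {}
    for sig, src, dst in raw:
        action = POLICY.get(sig, "alert")  # unknown checks alert; never drop silently
        if action == "off":
            continue
        key = (sig, src, dst)
        if key in seen:
            seen[key].count += 1
            continue
        ev = Event(sig, src, dst, SEVERITY.get(sig, "medium"),
                   CONFIDENCE.get(sig, "low"), action)
        if (sig, src) in EXCLUSIONS:
            ev.disposition = "false_alarm"      # right detection, expected source
        elif action == "alert":
            if key in RESPONSE_SEEN:
                ev.confirmed = True             # attack-and-response fusion
            if ev.confirmed or sig in VULNERABLE.get(dst, set()):
                ev.priority = "critical"        # vulnerability-and-threat fusion
        seen[key] = ev
    alerts = [e for e in seen.values() if e.disposition == "alert"]
    return alerts, list(seen.values())


# Constructed sample of sensor hits.
SAMPLE = [
    ("HTTP_Get", "10.0.2.7", "192.0.2.10"),
    ("HTTP_Get", "10.0.2.7", "192.0.2.10"),
    ("PortScan", "198.51.100.9", "10.0.1.20"),
    ("Sendmail_WIZ", "198.51.100.9", "10.0.1.25"),
    ("SNMP_Scan", "10.0.0.5", "10.0.1.20"),
    ("SNMP_Scan", "198.51.100.9", "10.0.1.20"),
    ("IIS_Unicode", "198.51.100.9", "10.0.1.20"),
    ("IIS_Unicode", "198.51.100.9", "10.0.1.21"),
]

if __name__ == "__main__":
    alerts, log = triage(SAMPLE)
    for e in alerts:
        print(f"ALERT {e.priority:8} conf={e.confidence:4} confirmed={e.confirmed} "
              f"{e.sig} {e.src}->{e.dst} x{e.count}")
    print(f"{len(log)} distinct events retained, {len(alerts)} alerted")
```

Run on the sample, the two web hits collapse into one logged event with count 2, the port scan and the OpenView SNMP sweep stay in the log without paging anyone, the WIZ hit is dropped at the sensor, and of the three alerts the IIS hit against the host the assessment marked vulnerable (and which answered like a vulnerable host) is the only one raised to critical. Note the trade-off Kevin raises: the "off" policy is the one setting that loses evidence entirely, so it is reserved for checks where no monitored host can be affected; everything else is kept in `log` so that Sasha's regular review can still catch what the exclusions hide.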

