Thomas Ptacek wrote:
> > above) for testing any given IDS. I've applied my evaluation toolkit
> > against a number of commercial IDSs and have found this evaluation
> > approach to be extremely simple, efficient and effective.
> So, what did you learn?
That commercial IDS vendors don't seem to understand what a
knowledgeable security officer would expect from such a device.
Specifically, they don't seem to understand that most security officers
have very little time to analyze alarms and only care about attacks that
are of importance to them. So flooding the officer with a huge volume
of alarms that they don't care about will only cause them to eventually
turn off the IDS.
Also, today's commercial IDSs come with so many extra features and
gadgets that it requires several days of training just to learn how to
do basic tasks such as analyzing and acting upon a specific event. IMO,
an IDS alarm console should be very simple to use and navigate.
Anything that's too complex to use, no matter how cool it is, will
naturally turn people off. Security officers are busy people, so why not
provide them with a product that's simple to use while at the same time
doing the job?
Finally, my tests reveal that today's IDS designs seem to be focused
on specific exploits and not behavior-based attacks. IMO, if your IDS
can't detect obvious malware propagation techniques then there's
something very wrong with the design. Sure, your product might be able
to detect the latest known exploit, but wouldn't it be embarrassing if
you couldn't detect a new network-spreading worm that scanned and
exploited an unknown vulnerability and infected your customer's entire
class A or B network?
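A behavior-based check of the kind the post argues for, added here as an illustrative example and not code from the thread or from any product under test: it scores a source by how many distinct hosts it reaches on one port inside a sliding time window, runs over constructed connection records, and shows that the window length decides whether a slow scan is surfaced at all.

```python
from collections import defaultdict

# Constructed connection records, not taken from the original post:
# (timestamp_seconds, source_ip, destination_ip, destination_port)
SAMPLE_FLOWS = (
    # worm-like fan-out: one host contacts ten neighbours on 445 in 18 s
    [(2 * i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(10)]
    # ordinary browsing: three distinct web servers
    + [(5, "10.0.0.7", "10.0.2.1", 80), (9, "10.0.0.7", "10.0.2.2", 80),
       (40, "10.0.0.7", "10.0.2.3", 80)]
    # slow scan: ten targets, one every 30 s
    + [(30 * i, "10.0.0.9", f"10.0.3.{i + 1}", 445) for i in range(10)]
)


def find_scanners(flows, window=60, min_targets=8):
    """Return {(src, port): peak_distinct_hosts} for sources that reach
    at least min_targets distinct destinations on one port inside any
    trailing window of `window` seconds.  No payload or exploit signature
    is consulted: only the propagation pattern itself is scored."""
    by_key = defaultdict(list)          # (src, port) -> [(ts, dst), ...]
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()                   # chronological order
        start = 0
        for end, (ts, _) in enumerate(events):
            # drop events that have fallen out of the trailing window
            while events[start][0] < ts - window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    # default tuning catches the fast spreader only
    print(find_scanners(SAMPLE_FLOWS))                 # {('10.0.0.5', 445): 10}
    # a longer window also surfaces the slow scanner
    print(find_scanners(SAMPLE_FLOWS, window=300))
```

The threshold and window are the analyst's knobs: too short a window misses a patient scanner, too low a threshold reproduces the alarm flood the post complains about.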