TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

When using any kind of IDS, whether it is host or network based, the first
thing to do before deploying it is to go through the signatures and disable
the ones that are not required. How you do that depends on your environment,
your network infrastructure and also the applications used.

Best Regards

Ohanes Semerjian
Security Administrator, AsiaPac
International Security Group  (Central Services)
WorldCom International

Ph:(02) 9434 5636
Mob: 0410 657 249

PGP Key
6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254

-----Original Message-----
From: Klaus, Chris (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
Sent: Friday, 7 September 2001 3:46
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Truth about False Positives



One of the biggest problems facing IDS is the number of false positives and
false alarms.  Each alert from IDS that gets researched costs in time and
money, and keeps the security operator from being able to focus on the
really important alarms, because they get swamped with unimportant alarms as
well and it's not always easy to tell the difference.

This message includes the following: info on upcoming RealSecure 7.0,
defining false positives & false alarms, and what steps we are taking to
reduce and remove them.

Quicknote:  Making a lot of progress integrating BlackIce technology and
RealSecure technology together.  We just released an updated RealSecure
Server Sensor 6.0.1, which combined both the BlackIce engine code and our
log analysis and management console system together.  The result is a very
stable and robust host IDS with log analysis and the most comprehensive
protocol analysis and signatures combined together.

RealSecure 7.0 is coming along very nicely.  We are integrating the BlackIce
engine with the RealSecure network engine together.  A big part of this
process is going through and combining all signatures and protocol analysis
algorithms into having the most comprehensive set of IDS attack algorithms.
Any redundant checks where we had the same signature or protocol analysis in
both engines, we are evaluating those checks for which ones had the best
performance and reduced false positives.  By going through this process, we
will have a big reduction in false positives and be left with the best
algorithms.  

One of our major goals in RS 7.0 is to remove any and all false positives.
We've been collecting all reported false positives from our techsupport,
consultants, product managers, directly from customers.  We've put together
a list of false positives that we are stomping out for RS 7.0.  If you know
of any false positives, feel free to email me with what the false positive
is, what was triggering it, and any additional information you can supply,
and we'll work to improve the algorithm to remove the false positive.

Truth about False Positives

"BEEP! BEEP! RED Alert - Intruder scanning Firewall." This message pops up
on the administrator's computer monitor.  With new computer security burglar
alarm technology called IDS (Intrusion Detection System), it is now easier
to identify when intruders are attacking and take action.  Once the
administrator sees the alert, they can investigate and determine if the
attack was real or not.  In many cases, the alert turns out to be nothing
serious and may get classified as a false positive. 

In the security industry, IDS is often said to be plagued with too many
false positives.  While many people blame the IDS technology itself, there
are two separate distinct issues that are confusing the problem.  Being
lumped under the false positive issue, there is a separate issue called
false alarms.  

Both false positives and false alarms are serious issues, but they require
different methods to resolve each.  In this paper, false positives and false
alarms are defined.  The current strategies and future plans are outlined
for reducing both false positives and false alarms.

Defining False Positives and False Alarms.
A false positive is where an attack detection algorithm misidentifies normal
traffic as an attack.  This usually happens where network traffic contains
patterns similar to an attack, and the IDS algorithm recognizes these
patterns and triggers on them.  To reduce these false positives, the
algorithm needs to be further modified or tweaked to be more accurate and
not trigger on normal traffic.  The IDS vendor is responsible for improving
these algorithms.

A false alarm is where an attack detection algorithm properly identifies the
pattern as what it is, but it does not signify a real problem for the
security administrator.  The IDS technology may be configured for alerting
on any Web traffic and any HTTP GETs.  This will get triggered on anyone web
surfing.  These alerts are useful to detect someone violating the web
surfing policy against viewing gambling, pornographic, and hacking content.
With this configuration, even normal web surfing traffic would cause alerts
within the IDS as well.  Most of the web alerts are not serious attacks nor
critical, therefore most of them end up in the false alarm category.  Today,
the user is responsible for improving the configuration for reducing false
alarms.
  
For a false alarm example, we put a motion sensor inside a busy mall, and
were alerted every time someone walked by.  The security person would be
flooded with alerts and the end result after a while would be to ignore these
false alarms.  The motion sensor algorithm needs to be further enhanced and
configured with a magnetic strip identifier to alert only when someone walks
out of the mall with products not purchased.

While many people complain about false positives in IDS, the majority of
these issues are false alarms.   RealSecure network sensor has fewer than 5%
false positives within all the attack detection algorithms.  Our goal is to
eliminate all false positives and help end-users properly configure IDS to
significantly reduce false alarms.  

Reducing False Positives and False Alarms.
At Internet Security Systems, false positives are taken very seriously.  Any
false positives reported to [EMAIL PROTECTED] are sent to the ISS X-Force
team to analyze and refine the attack detection algorithm to improve on
accuracy and not trigger on normal traffic.

The security quality assurance process has added something unique in the
security industry.  Before releasing the ISS X-Press Updates with the latest
security intelligence and algorithms to the customer base, these updates now
go through a beta process with our 24 x 7 IDS monitoring service within
Managed Security Services (ISS MSS).  By putting these new attack detection
algorithms into real world environments with vastly varied traffic, many
false positives get immediately identified and with further refinement,
these false positives are eliminated.

For false alarms, Internet Security Systems offers a full solution to
resolve this issue in several ways:

* ISS SecureU offers educational classes on how to configure and tweak the
  IDS.  By going through a class on IDS, users can take advantage of all the
  features and avoid the pitfalls of false alarms.
* ISS Consulting has an offering for doing a security assessment and
  configuring IDS deployments for optimal settings.  With ISS consultants
  performing a security assessment and understanding the network layout, the
  IDS can be properly configured to only alert on what the organization
  considers serious and minimize false alarms.
* ISS Managed Security Services offers a 24 x 7 monitoring capability around
  IDS.  Very few customers can afford to set up a round-the-clock 24 x 7
  security operation center (SOC).  Our SOC operators can monitor and analyze
  continuously.  With their security expertise, they separate false alarms
  from real attacks and inform the customer of any serious issues.
* ISS Global Threat Operation Center (GTOC) has global fusion and correlation
  capabilities for reducing false alarms and escalating serious attack
  patterns.

In the IDS technology, there are some new innovative methods to further
reduce false alarms and false positives.

* Attack and Response Fusion.  Instead of just detecting an attack pattern,
  the detection algorithm is enhanced beyond only looking for attacks to also
  analyzing returning network traffic for the vulnerability response
  patterns.  If an operating system or service is attacked and is vulnerable,
  the response packets can have a pattern that indicates whether the attack
  was successful or not.
* Vulnerability and Threat Fusion.  By combining attack events and
  vulnerability events together, this determines that the system was
  vulnerable and was attacked.  This helps raise the priority and criticality
  of the alert.
* Network and Host Based Fusion.  Combining events from both a network and
  host-based IDS can produce a fused event that has enhanced accuracy as to
  whether the attack was successful, from multiple viewpoints.

Manually, the end-user can reduce false positives by going through several
methods.

* Iterative tweaking.  Many end-users apply this method where they turn on
  all detection algorithms and, through an iterative process, turn off each
  algorithm that may be producing false alarms until only serious issues are
  triggered.
* Identify Known Risks.  Through a security assessment, identify known
  weaknesses and configure the IDS to only alert on attacks against those
  weaknesses.
* Identify Known Exceptions.  Through a security assessment, identify known
  services that are secure and can be ignored for alerting purposes.  For
  example, after a security assessment and penetration test has identified
  that the firewall is indeed configured properly and is blocking all the
  appropriate dangerous traffic, the IDS may be configured to only log and
  record port scan events, but not alert on them.  Port scanning on the
  Internet is very common and the organization may determine that these
  attacks are worthwhile to keep on record for evidence purposes, but with a
  properly installed and configured firewall, alerting and taking action on
  these attacks is not worthwhile.
  Another known exception is where certain vulnerabilities no longer apply
  to the network being monitored.  A security operator can check to see if
  their network is vulnerable to various types of attacks and, if not
  vulnerable, the IDS can be configured not to alert on those attacks.  For
  example, the Sendmail WIZ vulnerability, which only exists in very old
  operating systems and to which most networks are not typically vulnerable,
  can be configured off within the IDS policy.

Future Plans for False Positive and False Alarm Reduction.
Internet Security Systems continues to innovate with new technologies to
provide the best managed security.

RealSecure Site Protector.  In the near future, the vulnerability assessment
sensors and the intrusion detection sensors will be managed from one
security console and management platform.  As part of the security alert
console, rather than showing the same repeated event twice as separate
events, additional repeated events would just increment the count field in
the current event.    This capability reduces the overall number of events
displayed to the operator.

Network Protection System.  As vulnerability assessment technology
identifies vulnerabilities within the network, it can automatically produce
an IDS policy based on those known security weaknesses.  Today, this is done
manually by the end-user.

Uber-Fusion Throughout the Security Management Platform.  Vulnerability and
threat fusion is happening at the host-based level today.  The fusion can be
extended with having one security management platform, and it will simplify
correlating vulnerabilities and attacks together at the network based level
and across application, host, and network spectrum from a single viewpoint.
This technology will be applicable within the Managed Security Service and
GTOC for automated analysis for various correlated risk patterns.  Based on
fusion, these risk patterns could be escalated or placed into a false alarm
category depending on the correlated pattern.

Criticality and Confidence Level.  Extending the high, medium, and low risk
categories into finer degrees of criticality and risk could help focus on
the really serious alarms over the false alarms.  There might be two
high-risk attacks, but one is against a vulnerable server, and in theory,
the attack on the vulnerable server should get an even higher priority than
the high-risk attack against the secured server.

As ISS X-Force develops the detection algorithms, some of them are looking
for very specific patterns that could only exist as attack traffic, while
some detection algorithms are looking for more generic patterns that could
signify an attack, but also may be legitimate traffic.  A specific pattern
based algorithm would get high confidence level, while a generic pattern
algorithm would get a lower confidence level.  A generic SNMP scanning
algorithm would get a low confidence level, since it might be an intruder,
but it could likely be an HP OpenView manager trying to find devices.  By
providing a confidence level for the security management platform, this
would help target the more serious security alarms over possible false
alarms.
 
Asset Definitions.  In RealSecure Site Protector, an organization can define
their assets into various groups.  One group may be HR and another is Sales.
Each group may have its own policy to what it is most sensitive to and
therefore reduce false alarms depending on what is critical for that
department.

In Summary For False Positives and False Alarms.

Many IDS technologies started with various methods of detecting attacks and
generating alerts and responses.  Future IDS begins to evolve into a
Protection System by piecing together multiple alerts from both an attack
and vulnerability perspective to reduce the workload and allow security
operators to focus on the core security issues, and ignore false alarms.  

IDS is evolving beyond just intrusion detection and becoming a comprehensive
burglar alarm system that monitors at various levels of applications,
operating systems, and networks.  Part of this evolution is that IDS
technology is watching not only for intruders, but also for denial of
service attacks, viruses, worms, Trojans, and backdoors.

For commercial IDS, false positives and false alarms are quickly being
reduced with dedicated research staff and can be addressed with many of
Internet Security Systems' offerings.
 
With the need for 24 x 7 monitoring for security attacks, many organizations
are evaluating having a Managed Security Service provide this service as a
cost effective method.  Companies can focus on their core business, and let
a trusted security company deal with the false positives and alarms.   


***********************************************************************
Christopher W. Klaus
Founder and CTO
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, GA 30328
Phone: 404-236-4051 Fax: 404-236-2637
web http://www.iss.net
NASDAQ: ISSX

Internet Security Systems ~ The Power To Protect
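The tuning and fusion ideas in the post above (incrementing a count field for repeated events instead of showing them twice, raising priority when the target is known vulnerable, a per-check confidence level, a "log only" exception for port scans, and deriving the enabled checks from assessment data, including switching off the Sendmail WIZ check when no host has it) as an added Python example; this is not ISS code or part of the original thread, and the signature table, hosts and events are constructed.

```python
from collections import OrderedDict
# Constructed signature table: name -> (risk, confidence). A check for a
# specific exploit pattern gets high confidence; generic scan patterns get low.
CHECKS = {
    "Sendmail_WIZ": ("high", "high"),
    "SNMP_Scan": ("medium", "low"),
    "Port_Scan": ("medium", "low"),
}
RISK = {"low": 1, "medium": 2, "high": 3}
VULNS = {"10.0.0.5": {"Sendmail_WIZ"}}  # constructed assessment output: host -> weaknesses
LOG_ONLY = {"Port_Scan"}  # known exception: the firewall drops scans, so record only
# Constructed events as (source, destination, signature), in arrival order.
SAMPLE = [
    ("203.0.113.9", "10.0.0.5", "Sendmail_WIZ"),
    ("203.0.113.9", "10.0.0.7", "Sendmail_WIZ"),
    ("10.0.0.2", "10.0.0.5", "SNMP_Scan"),
    ("198.51.100.4", "10.0.0.1", "Port_Scan"),
    ("198.51.100.4", "10.0.0.1", "Port_Scan"),
    ("198.51.100.4", "10.0.0.1", "Port_Scan"),
]

def build_policy(vulns):
    """Derive the enabled checks from assessment data: generic checks stay on,
    a weakness-specific check is on only if some host actually has it."""
    return {sig for sig, (_, conf) in CHECKS.items()
            if conf == "low" or any(sig in ws for ws in vulns.values())}

def triage(events, vulns=VULNS, log_only=LOG_ONLY, policy=None):
    """Fuse raw events into prioritised alerts, highest priority first."""
    fused = OrderedDict()
    for src, dst, sig in events:
        if policy is not None and sig not in policy:
            continue                          # check disabled in policy
        key = (src, dst, sig)
        if key in fused:                      # repeat: bump count, no new row
            fused[key]["count"] += 1
            continue
        risk, confidence = CHECKS[sig]
        vulnerable = sig in vulns.get(dst, set())
        priority = RISK[risk] + (1 if vulnerable else 0)  # threat fusion
        if sig in log_only:
            disposition = "log only"
        elif confidence == "low":
            disposition = "possible false alarm"
        else:
            disposition = "alert"
        fused[key] = {"src": src, "dst": dst, "sig": sig, "count": 1,
                      "vulnerable": vulnerable, "priority": priority,
                      "disposition": disposition}
    return sorted(fused.values(), key=lambda a: -a["priority"])
```

Running triage(SAMPLE) collapses the three identical port-scan events into one row with count 3, marks the SNMP scan as a possible false alarm, and puts the WIZ attempt against the vulnerable host at the top.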

