Mr. Chris Klaus wrote this on Friday, 7 September 2001 3:46. I hope this will help you regarding the issue of false positives. (http://archives.neohapsis.com/archives/iss/2001-q3/0440.html)

*******************

RE: Truth about False Positives

> One of the biggest problems facing IDS is the number of false positives and false alarms. Each alert from IDS that gets researched costs in time and money, and keeps the security operator from being able to focus on the really important alarms, because they get swamped with unimportant alarms as well and it's not always easy to tell the difference.
>
> This message includes the following: info on upcoming RealSecure 7.0, defining false positives & false alarms, and what steps we are taking to reduce and remove them.
>
> Quicknote: Making a lot of progress integrating BlackIce technology and RealSecure technology together. We just released an updated RealSecure Server Sensor 6.0.1, which combined both the BlackIce engine code and our log analysis and management console system together. The result is a very stable and robust host IDS with log analysis and the most comprehensive protocol analysis and signatures combined together.
>
> RealSecure 7.0 is coming along very nicely. We are integrating the BlackIce engine with the RealSecure network engine together. A big part of this process is going through and combining all signatures and protocol analysis algorithms into having the most comprehensive set of IDS attack algorithms. Any redundant checks where we had the same signature or protocol analysis in both engines, we are evaluating those checks for which ones had the best performance and reduced false positives. By going through this process, we will have a big reduction in false positives and be left with the best algorithms.
>
> One of our major goals in RS 7.0 is to remove any and all false positives. We've been collecting all reported false positives from our techsupport, consultants, product managers, directly from customers. We've put together a list of false positives that we are stomping out for RS 7.0. If you know of any false positives, feel free to email me with what is the false positive, what was triggering it, and any additional information you can supply, and we'll work to improve the algorithm to remove the false positive.
>
> Truth about False Positives
>
> "BEEP! BEEP! RED Alert - Intruder scanning Firewall." This message pops up on the administrator's computer monitor.
> With new computer security burglar alarm technology called IDS (Intrusion Detection System), it is now easier to identify when intruders are attacking and take action. Once the administrator sees the alert, they can investigate and determine if the attack was real or not. In many cases, the alert turns out to be nothing serious and may get classified as a false positive.
>
> In the security industry, IDS is often said to be plagued with too many false positives. While many people blame the IDS technology itself, there are two separate, distinct issues that are confusing the problem. Being lumped under the false positive issue, there is a separate issue called false alarms.
>
> Both false positives and false alarms are serious issues, but they require different methods to resolve each. In this paper, false positives and false alarms are defined. The current strategies and future plans are outlined for reducing both false positives and false alarms.
>
> Defining False Positives and False Alarms.
>
> A false positive is where an attack detection algorithm misidentifies normal traffic as an attack. This is usually where network traffic contains patterns similar to an attack, and the IDS algorithm recognizes these patterns and triggers on them. To reduce these false positives, the algorithm needs to be further modified or tweaked to be more accurate and not trigger on normal traffic. The IDS vendor is responsible for improving these algorithms.
>
> A false alarm is where an attack detection algorithm properly identifies the pattern as what it is, but it does not signify a real problem for the security administrator. The IDS technology may be configured for alerting on any Web traffic and any HTTP GETs. This will get triggered on anyone web surfing. These alerts are useful to detect someone violating the web surfing policy against viewing gambling, pornographic, and hacking content.
> With this configuration, even normal web surfing traffic would cause alerts within the IDS as well. Most of the web alerts are not serious attacks nor critical, therefore most of them end up in the false alarm category. Today, the user is responsible for improving the configuration for reducing false alarms.
>
> For a false alarm example, we put a motion sensor inside a busy mall, and were alerted every time someone walked by. The security person would be flooded with alerts and the end result after a while would be to ignore these false alarms. The motion sensor algorithm needs to be further enhanced and configured with a magnetic strip identifier to alert only when someone walks out of the mall with products not purchased.
>
> While many people complain about false positives in IDS, the majority of these issues are false alarms. RealSecure network sensor has fewer than 5% false positives within all the attack detection algorithms. Our goal is to eliminate all false positives and help end-users properly configure IDS to significantly reduce false alarms.
>
> Reducing False Positives and False Alarms.
>
> At Internet Security Systems, false positives are taken very seriously. Any false positives reported to support@iss.net are sent to the ISS X-Force team to analyze and refine the attack detection algorithm to improve on accuracy and not trigger on normal traffic.
>
> The security quality assurance process has added something unique in the security industry. Before releasing the ISS X-Press Updates with the latest security intelligence and algorithms to the customer base, these updates now go through a beta process with our 24 x 7 IDS monitoring service within Managed Security Services (ISS MSS).
> By putting these new attack detection algorithms into real world environments with vastly varied traffic, many false positives get immediately identified and, with further refinement, these false positives are eliminated.
>
> For false alarms, Internet Security Systems offers a full solution to resolve this issue in several ways:
>
> * ISS SecureU offers educational classes on how to configure and tweak the IDS. By going through a class on IDS, users can take advantage of all the features and avoid the pitfalls of false alarms.
> * ISS Consulting has an offering for doing a security assessment and configuring IDS deployments for optimal settings. With ISS consultants performing a security assessment and understanding the network layout, the IDS can be properly configured to only alert on what the organization considers serious and minimize false alarms.
> * ISS Managed Security Services offers a 24 x 7 monitoring capability around IDS. Very few customers can afford to set up a round-the-clock 24 x 7 security operation center (SOC). Our SOC operators can monitor and analyze continuously. With their security expertise, they separate false alarms from real attacks and inform the customer of any serious issues.
> * ISS Global Threat Operation Center (GTOC) has global fusion and correlation capabilities for reducing false alarms and escalating serious attack patterns.
>
> In the IDS technology, there are some new innovative methods to further reduce false alarms and false positives.
>
> Attack and Response Fusion. Instead of just detecting an attack pattern, the detection algorithm is enhanced beyond only looking for attacks, but analyzing returning network traffic for the vulnerability response patterns. If an operating system or service is attacked and is vulnerable, the response packets can have a pattern that indicates whether the attack was successful or not.
>
> Vulnerability and Threat Fusion.
> By combining attack events and vulnerability events together, this determines that the system was vulnerable and was attacked. This helps raise the priority and criticality of the alert.
>
> Network and Host Based Fusion. Combining events from both a network and host-based IDS can produce a fused event that has enhanced accuracy as to whether the attack was successful, from multiple viewpoints.
>
> Manually, the end-user can reduce false positives by going through several methods.
>
> Iterative tweaking. Many end-users apply this method where they turn on all detection algorithms and, through an iterative process, turn off each algorithm that may be producing false alarms until only serious issues are triggered.
>
> Identify Known Risks. Through a security assessment, identify known weaknesses and configure the IDS to only alert on attacks against those weaknesses.
>
> Identify Known Exceptions. Through a security assessment, identify known services that are secure and can be ignored for alerting purposes. For example, after a security assessment and penetration test has identified that the firewall is indeed configured properly and is blocking all the appropriate dangerous traffic, the IDS may be configured to only log and record port scan events, but not alert on them. Port scanning on the Internet is very common and the organization may determine that these attacks are worthwhile to keep on record for evidence purposes, but with a properly installed and configured firewall, alerting and taking action on these attacks are not worthwhile.
>
> Another known exception is where certain vulnerabilities no longer apply to the network being monitored. A security operator can check to see if their network is vulnerable to various types of attacks and, if not vulnerable, the IDS can be configured not to alert on those attacks.
> For example, the Sendmail WIZ vulnerability, which only exists in very old operating systems and is not typically present on most networks, can be configured off within the IDS policy.
>
> Future Plans for False Positive and False Alarm Reduction.
>
> Internet Security Systems continues to innovate with new technologies to provide the best managed security.
>
> RealSecure Site Protector. In the near future, the vulnerability assessment sensors and the intrusion detection sensors will be managed from one security console and management platform. As part of the security alert console, rather than showing the same repeated event twice as separate events, additional repeated events would just increment the count field in the current event. This capability reduces the overall number of events displayed to the operator.
>
> Network Protection System. As vulnerability assessment technology identifies vulnerabilities within the network, it can automatically produce an IDS policy based on those known security weaknesses. Today, this is done manually by the end-user.
>
> Uber-Fusion Throughout the Security Management Platform. Vulnerability and threat fusion is happening at the host-based level today. The fusion can be extended by having one security management platform, and it will simplify correlating vulnerabilities and attacks together at the network based level and across the application, host, and network spectrum from a single viewpoint. This technology will be applicable within the Managed Security Service and GTOC for automated analysis of various correlated risk patterns. Based on fusion, these risk patterns could be escalated or placed into a false alarm category depending on the correlated pattern.
>
> Criticality and Confidence Level. Extending the high, medium, and low risk categories into finer degrees of criticality and risk could help focus on real serious alarms against the false alarms.
> There might be two high-risk attacks, but one is against a vulnerable server, and in theory, the attacked vulnerable event should get an even higher priority than the high-risk attack against the secured server.
>
> As ISS X-Force develops the detection algorithms, some of them are looking for very specific patterns that could only exist as attack traffic, while some detection algorithms are looking for more generic patterns that could signify an attack, but also may be legitimate traffic. A specific pattern based algorithm would get a high confidence level, while a generic pattern algorithm would get a lower confidence level. A generic SNMP scanning algorithm would get a low confidence level, since it might be an intruder, but it could likely be an HP OpenView manager trying to find devices. By providing a confidence level for the security management platform, this would help target the more serious security alarms over possible false alarms.
>
> Asset Definitions. In RealSecure Site Protector, an organization can define their assets into various groups. One group may be HR and another is Sales. Each group may have its own policy as to what it is most sensitive to and therefore reduce false alarms depending on what is critical for that department.
>
> In Summary For False Positives and False Alarms.
>
> Many IDS technologies started with various methods of detecting attacks and generating alerts and responses. Future IDS begins to evolve into a Protection System by piecing together multiple alerts from both an attack and vulnerability perspective to reduce the workload and allow security operators to focus on the core security issues, and ignore false alarms.
>
> IDS is evolving beyond just intrusion detection, becoming comprehensive burglar alarm systems that monitor at various levels of applications, operating systems, and networks.
> Part of this evolution is that IDS technology is watching not only for intruders, but denial of service attacks, viruses, worms, Trojans, and backdoors.
>
> For commercial IDS, false positives and false alarms are quickly being reduced with dedicated research staff and can be addressed with many of Internet Security Systems' offerings.
>
> With the need for 24 x 7 monitoring for security attacks, many organizations are evaluating having a Managed Security Service provide this service as a cost effective method. Companies can focus on their core business, and let a trusted security company deal with the false positives and alarms.
>
> ***********************************************************************
> Christopher W. Klaus
> Founder and CTO
> Internet Security Systems (ISS)
> 6303 Barfield Road
> Atlanta, GA 30328
> Phone: 404-236-4051 Fax: 404-236-2637
> web http://www.iss.net
> NASDAQ: ISSX
>
> Internet Security Systems ~ The Power To Protect

--- Karl Heinz Reindl <[EMAIL PROTECTED]> wrote:
> Hi Team,
>
> involved in a discussion about this definition I would like to ask you:
> does anyone know a binding definition?
> thanks and
> --
> Best regards
>
> Karl-Heinz Reindl
> Senior Security Engineer
>
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo

=====
Glenn I. Marquez
If any man desire to be first, the same shall be last of all, and servant of all - Mark 9:35
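The forwarded message describes several alert-reduction ideas in prose only: fusing attack events with vulnerability assessment results so that an attack on a confirmed-vulnerable host is escalated and one on an assessed, non-vulnerable host is filed as a false alarm; attaching a confidence level to each detection algorithm (specific pattern high, generic pattern such as SNMP scanning low); per-asset-group policies that log rather than alert on events like port scans; and collapsing repeated identical events into a count. The following Python is an added worked example of that triage logic written for this page; it is not code from the original post, from ISS, or from any RealSecure product. The signature names, risk and confidence values, host addresses, vulnerability identifiers, asset groups and the "known management station" address are all constructed for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Constructed signature catalog (hypothetical names, not ISS check names).
# "vuln" is the vulnerability id a VA scanner would report for the same flaw,
# or None when the check is a generic pattern with no single vulnerability.
SIGNATURES = {
    "HTTP_IIS_Unicode_Traversal": {"risk": "high", "confidence": "high", "vuln": "iis-unicode"},
    "Sendmail_WIZ":               {"risk": "high", "confidence": "high", "vuln": "sendmail-wiz"},
    "SNMP_Scan":                  {"risk": "medium", "confidence": "low", "vuln": None},
    "TCP_Port_Scan":              {"risk": "low", "confidence": "medium", "vuln": None},
}
RISK_SCORE = {"high": 3, "medium": 2, "low": 1}
CONFIDENCE_SCORE = {"high": 1.0, "medium": 0.6, "low": 0.3}

# Constructed VA results: host -> confirmed vulnerability ids. A host that is
# present with an empty set was scanned and found clean; a host that is absent
# was never assessed, so no fusion decision can be made for it.
VULN_INVENTORY = {"10.0.1.10": {"iis-unicode"}, "10.0.1.11": set(), "10.0.2.20": set()}

# Constructed asset definitions and per-group "log only, do not alert" policy
# (e.g. port scans once the firewall has been verified by a pen test).
ASSET_GROUPS = {"10.0.1.10": "sales-web", "10.0.1.11": "sales-web", "10.0.2.20": "hr"}
GROUP_LOG_ONLY = {"sales-web": {"TCP_Port_Scan"}, "hr": set()}
KNOWN_SCANNERS = {"10.0.9.5"}  # hypothetical network-management station


@dataclass
class TriagedEvent:
    signature: str
    src: str
    dst: str
    count: int       # repeated identical events are counted, not re-listed
    category: str    # "escalate", "alert", "false-alarm" or "log-only"
    priority: float
    reason: str


def triage(alerts):
    """Fuse raw IDS alerts with vulnerability, confidence and asset data."""
    merged = OrderedDict()                       # (sig, src, dst) -> count
    for a in alerts:
        key = (a["sig"], a["src"], a["dst"])
        merged[key] = merged.get(key, 0) + 1

    results = []
    for (sig, src, dst), count in merged.items():
        meta = SIGNATURES[sig]
        base = RISK_SCORE[meta["risk"]] * CONFIDENCE_SCORE[meta["confidence"]]
        group = ASSET_GROUPS.get(dst, "unknown")

        if sig in GROUP_LOG_ONLY.get(group, set()):          # asset-group policy
            results.append(TriagedEvent(sig, src, dst, count, "log-only", 0.0,
                                        f"{group} policy keeps {sig} for evidence only"))
        elif sig == "SNMP_Scan" and src in KNOWN_SCANNERS:    # low-confidence generic check
            results.append(TriagedEvent(sig, src, dst, count, "false-alarm", 0.0,
                                        "SNMP scan from known management station"))
        elif meta["vuln"] is not None and dst in VULN_INVENTORY:   # vulnerability fusion
            if meta["vuln"] in VULN_INVENTORY[dst]:
                results.append(TriagedEvent(sig, src, dst, count, "escalate", base * 2,
                                            f"target confirmed vulnerable to {meta['vuln']}"))
            else:
                results.append(TriagedEvent(sig, src, dst, count, "false-alarm", base * 0.25,
                                            f"target assessed, not vulnerable to {meta['vuln']}"))
        else:                                                  # no fusion data: plain alert
            results.append(TriagedEvent(sig, src, dst, count, "alert", base,
                                        "no vulnerability data for target; signature priority"))
    results.sort(key=lambda e: e.priority, reverse=True)
    return results


# Constructed sample sensor output: three identical port-scan events, one
# attack against a vulnerable host, two attacks against assessed-clean hosts,
# and SNMP scans from a known manager and from an unknown source.
SAMPLE_ALERTS = [
    {"sig": "HTTP_IIS_Unicode_Traversal", "src": "203.0.113.7", "dst": "10.0.1.10"},
    {"sig": "HTTP_IIS_Unicode_Traversal", "src": "203.0.113.7", "dst": "10.0.1.11"},
    {"sig": "Sendmail_WIZ", "src": "203.0.113.7", "dst": "10.0.2.20"},
    {"sig": "SNMP_Scan", "src": "10.0.9.5", "dst": "10.0.1.10"},
    {"sig": "SNMP_Scan", "src": "198.51.100.4", "dst": "10.0.1.10"},
    {"sig": "TCP_Port_Scan", "src": "198.51.100.4", "dst": "10.0.1.11"},
    {"sig": "TCP_Port_Scan", "src": "198.51.100.4", "dst": "10.0.1.11"},
    {"sig": "TCP_Port_Scan", "src": "198.51.100.4", "dst": "10.0.1.11"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e.priority:4.2f} {e.category:<11} x{e.count} {e.signature:<27} "
              f"{e.src} -> {e.dst}  ({e.reason})")
```

Run stand-alone, the eight raw alerts collapse to six triaged events: the IIS attack on the host the scanner confirmed vulnerable sorts to the top as "escalate", the same attack on the assessed-clean host and the Sendmail WIZ attempt drop to "false-alarm", the SNMP scan from the management station is a false alarm while the one from an unknown source stays a low-priority alert, and the three port-scan events become a single "log-only" entry with a count of 3. The important design choice is the third branch: a host that was never assessed gets no fusion decision at all and keeps its signature priority, because "not in the vulnerability inventory" is not the same as "not vulnerable".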
