Logging, Monitoring, and Defending (IDS/IPS)

Yesterday one of the email lists I monitor was debating the best IDS/IPS for large-scale implementation, and the Einstein project managed to surface. I followed the topic for a while. There wasn't much debate, but it did bring up some of the more interesting points I have noticed over the past decade in infosec. Some places still don't want IPS; they are content with IDS and just want to reduce their response time and have forensic evidence available when attacks occur. The biggest debate I see is how to choose a product to defend with. This used to be a proprietary vs. open-source argument, and sometimes still is. Lots of people decide to implement Snort so they only have to buy some hardware; others buy Snort via Sourcefire and get some support. Other folks like to get a pure commercial solution, which can be capable of much higher detection speed depending on how fast you need to go. The current rulers in IPS for the commercial world are Juniper and TippingPoint. McAfee is coming on strong after purchasing a competitor, re-branding, and getting up to speed. What I found most interesting was that someone brought up using a government-made system. Historically, the government doesn't have a great track record for keeping things secure. Not all government entities are created equal, since different personnel work at different sites and agencies, so we will have to wait and see how this group does. Personally, I like COTS solutions when you are defending large-scale implementations, for the speed and support. That isn't to say your people aren't capable of deploying something different and being secure.

Whatever way you choose to go, don't end up like the diver in the picture. They have on all the necessary gear yet are unaware of the clear and present danger (the picture is fake). You will NOT implement an IDS/IPS and be secure simply because of its existence. You absolutely must log what happens and figure out a way to monitor your traffic. There are aggregation and correlation products out there that can take your vulnerability scans and/or customized input so that you don't have to be alerted when a Linux exploit is headed towards a Windows platform, and vice versa. The goal of your implementation is to improve your security posture. The ability to log is critical, but logging doesn't mean monitoring, and monitoring isn't effective if the output isn't actually human readable. Without a significant amount of customization and tweaking (in my experience), an IDS will be spewing way too many alerts for an analyst to track. You may be doing your parsing with custom scripts, vendor filters, or a combination of the two.
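As an added example of the "custom script" route (this is not code from the original post or from any vendor), here is a small Python triage script that does the correlation described above: it parses one-line IDS alerts, looks up the destination host in an asset inventory such as a vulnerability scanner would export, and suppresses exploit alerts whose target platform does not match the OS the host actually runs. The alert line layout is loosely modelled on Snort's one-line "fast" alert output; the signature IDs, the per-signature target-OS table, the host inventory and the alert lines are all constructed sample data, and an unknown host or a platform-agnostic signature is never suppressed, since the script cannot verify that the alert is irrelevant.

```python
"""Correlate IDS alerts with an asset inventory so that exploit alerts
aimed at a platform the target host does not run are suppressed instead
of paged to an analyst.

Every host, signature and alert line below is constructed sample data for
this example, not output from any real sensor or scanner."""
import re
from collections import Counter

# Constructed asset inventory, the kind of thing a vulnerability scan exports.
ASSETS = {
    "10.0.1.10": {"os": "windows", "hostname": "fileserver01"},
    "10.0.1.20": {"os": "linux", "hostname": "web01"},
    "10.0.1.30": {"os": "linux", "hostname": "db01"},
}

# Constructed per-signature metadata: which platform each rule is about.
# A real deployment would derive this from the rule set's own metadata.
RULE_TARGET_OS = {
    1000001: "windows",   # hypothetical Windows SMB overflow signature
    1000002: "linux",     # hypothetical Linux Apache overflow signature
    1000003: None,        # platform-agnostic (a port scan)
}

# Layout loosely modelled on Snort's one-line "fast" alert format:
# timestamp [**] [gid:sid:rev] msg [**] [Classification...] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

# Constructed alert lines (fake addresses from the documentation ranges).
SAMPLE_ALERTS = """\
01/01-12:00:01.000000  [**] [1:1000001:1] EXPLOIT windows smb overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.5:4444 -> 10.0.1.10:445
01/01-12:00:02.000000  [**] [1:1000001:1] EXPLOIT windows smb overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.5:4445 -> 10.0.1.20:445
01/01-12:00:03.000000  [**] [1:1000002:1] EXPLOIT linux apache overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.6:5000 -> 10.0.1.10:80
01/01-12:00:04.000000  [**] [1:1000002:1] EXPLOIT linux apache overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.6:5001 -> 10.0.1.20:80
01/01-12:00:05.000000  [**] [1:1000003:1] SCAN syn scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.7:60000 -> 10.0.1.30:22
01/01-12:00:06.000000  [**] [1:1000001:1] EXPLOIT windows smb overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.5:4446 -> 10.0.1.99:445
"""


def triage(alert_line):
    """Parse one alert line and decide whether it should reach an analyst.

    Returns None for lines that do not parse, otherwise a dict with the
    parsed fields plus a 'verdict' ("alert" or "suppress") and a 'reason'."""
    m = ALERT_RE.match(alert_line)
    if not m:
        return None
    sid = int(m.group("sid"))
    dst = m.group("dst")
    target_os = RULE_TARGET_OS.get(sid)
    asset = ASSETS.get(dst)
    if target_os is None:
        verdict, reason = "alert", "platform-agnostic signature"
    elif asset is None:
        # Never suppress what the inventory cannot vouch for.
        verdict, reason = "alert", "destination not in inventory"
    elif asset["os"] == target_os:
        verdict, reason = "alert", f"target host runs {target_os}"
    else:
        verdict, reason = "suppress", f"signature targets {target_os}, host runs {asset['os']}"
    return {"sid": sid, "msg": m.group("msg"), "src": m.group("src"),
            "dst": dst, "verdict": verdict, "reason": reason}


def triage_log(text):
    """Triage every parseable line of an alert log, in order."""
    return [r for r in (triage(line) for line in text.splitlines()) if r]


def summarize(results):
    """Count verdicts so the analyst can see how much noise was removed."""
    return Counter(r["verdict"] for r in results)


if __name__ == "__main__":
    results = triage_log(SAMPLE_ALERTS)
    for r in results:
        print(f"{r['verdict']:8} sid={r['sid']} {r['src']} -> {r['dst']}  ({r['reason']})")
    print(dict(summarize(results)))
```

Of the six constructed alerts, the script pages on four and suppresses two (the Windows SMB signature fired at a Linux web server, and the Linux Apache signature fired at a Windows file server). The suppressed alerts should still be logged; the point is only that they do not consume analyst time, and the inventory has to be refreshed regularly or the suppression decisions drift away from what the hosts really run.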

I am anxiously waiting to see which way the smart grid will choose to go. It seems like the current feeling is that nothing would be able to monitor the massive amount of traffic and nodes (millions) that might be generated on some of these networks. Hey IPS vendors, we are looking at you.
