Intrusion detection: Too much information
In fact, as useful as they are, intrusion detection systems (IDSs) are very limited in what they can do, and much harder to incorporate than many would suggest.
First, it helps to realize exactly what an IDS actually is. In short, it's a software package, sometimes paired with specialized hardware, that monitors the traffic on your enterprise. Normally, the IDS is installed on a server equipped with a network card that's able to read all of the passing traffic, not just the traffic addressed to it. In addition, the card is attached to a core switch that copies all traffic to the server running the IDS.
Just getting the intrusion detection software up and running can be a pain. Companies usually hire consultants for this part. However, there is an open-source intrusion detection system called Snort and even an appliance that runs Snort from SourceFire.You can use these solutions to get intrusion detection up and running faster.
But then what? The problem with intrusion detection systems is that they have to be told what to look for, and this isn't a trivial task. For example, during a recent IDS test, we found that the intrusion detection software was flagging a series of PINGs as a potential attack. In fact, it was simply our collection of APC uninterruptible power supplies checking for network connectivity. Not a big issue, but in a large enterprise, someone on your staff would have to know that the IP addresses being flagged were assigned to equipment that was supposed to be there, and that the corresponding traffic was normal. At that point, the IDS could be told to ignore it.
Now, expand that need to all segments and all items and users attached to, or authorized to be attached to, your enterprise network. Even in a moderately sized network, this can be a lot of IP addresses, and someone has to know about each of them. Now, consider that there are other threats besides the basic traffic chatter on most networks. For example, you might have users making contact with Web sites that use scripting, which can be, but isn't necessarily, a security issue.
Or you might find instant messaging traffic on your network. Many companies have policies that define who can use instant messaging, what sort of IM they can use, and what sort of discussions they can have. One reason is that IM is the means that a significant number of worms and viruses are introduced. Another is that IM has become synonymous with "information leak."
But if your IDS is checking for IM traffic, someone has to know who is authorized to use it, and what they're allowed to talk about. Likewise, if you're looking for unauthorized users on your network, someone has to know who the authorized users are.
If it sounds like there's a lot of expertise required to run intrusion detection, you're right. And it's not the sort of expertise you can always define into the software so it can run unattended. While you can, of course, define a lot of normal activity (those UPS alerts, for example), there is the frequent need to have it evaluated by someone who knows your network, your company, and your security requirements. Worse, you can't realistically outsource any of this.
The good news is that an IDS really can be a critical security asset in your enterprise. But the staff requirements are such that it won't be quick, it won't be easy, and it won't be cheap.
Is your company using IDS? If not, why? TalkBack below or e-mail us with your thoughts.