Many of today's corporate IT philosophies are descended from an old attitude that when there's a problem, just throw more hardware or software at it. That philosophy doesn't take into account that if the IT managers stood back and viewed their current hardware and software landscape, they could ascertain that a more robust, proactive answer exists with what they already have. Intrusion detection systems are a perfect example.
"SMEs [small and medium enterprises] don't need IDS. They need firewall policies that are typically much more restrictive than they are probably running. If you're not extremely vulnerable to attack, you don't need an IDS. The problem is that these guys want to ignore security and the IDS won't let them continue to be ignorant," said Marcus J. Ranum, CSO at Tenable Security in Columbia, Md.
The "ignorance factor" has long been an issue in the system performance and management arena. Sadly, this outlook now appears to be moving toward security. This is never more evident than in today's "security crazed" mindset, where huge sums of money are being designated for the latest and greatest compliance and security tools.
One craze is intrusion detection and prevention systems. After installing one, some network
"Virtually every customer I ever saw complain that their IDS was too noisy was in denial," Ranum said. "When we went through the logs we'd usually find that the real problem was that their networks were a mess, their security policies were largely ignored and hackers were having a field day with their internal servers."
It takes skill to understand the significance of IDS reports; however, the problem is that many organizations want to keep running their networks without having to understand what some of these attacks mean. "But you know what? You can't run a significant network without understanding this stuff," Ranum added.
Log analysis is another area where ignorance seems bliss. Log data, which is generated by a plethora of security devices, can sometimes paint a gloomy picture for network or security administrators. So some ignore or discard it. Log data contains nuggets of information that can benefit all areas of network security.
When it comes to reviewing logs, keep in mind that there's no hard and fast rule that states "what to look for"; that's what an IDS does, and it's also the reason many intrusion detection systems don't work very well. Ranum believes that log analysts should work by exclusion: instead of looking for problems, discard log data known to be OK. Also, keep statistics on questionable items when they arise and track them if they move around suddenly. One important type of log data is firewall permits. Logging "permits" as well as "denies" lets you match permitted destinations against a blacklist of spyware sites, such as the ones from http://www.squidguard.org.
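The exclusion approach described above, as an added example that is not part of the original article: a small script that drops firewall permits already known to be fine, keeps counts of whatever is left, and flags sources whose permitted destinations appear on a blacklist. The log format, the known-OK set and the blacklist addresses are all constructed placeholders, not squidguard's real list.

```python
import re
from collections import Counter

# Constructed sample firewall log (not from the article). The simplified
# "timestamp action src dst port" layout is an assumption for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01 permit 10.0.1.15 198.51.100.10 443
2024-01-01T10:00:02 deny 10.0.1.22 203.0.113.5 23
2024-01-01T10:00:03 permit 10.0.1.15 192.0.2.77 80
2024-01-01T10:00:04 permit 10.0.1.40 198.51.100.10 443
2024-01-01T10:00:05 permit 10.0.1.40 192.0.2.77 80
2024-01-01T10:00:06 permit 10.0.1.40 192.0.2.77 80
2024-01-01T10:00:07 deny 10.0.1.9 192.0.2.77 8080
"""

LINE_RE = re.compile(r"^(\S+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Traffic known to be OK (assumed: an approved HTTPS service) is excluded
# up front; the analyst learns nothing by re-reading it every day.
KNOWN_OK = {("198.51.100.10", "443")}

# Placeholder blacklist standing in for a spyware-site list such as squidguard's.
BLACKLIST = {"192.0.2.77"}

def parse(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "port": port}

def analyze(log_text, known_ok=KNOWN_OK, blacklist=BLACKLIST):
    """Work by exclusion: discard known-OK permits, keep statistics on the
    rest, and flag internal sources permitted to reach blacklisted hosts."""
    remaining = Counter()   # (action, dst, port) -> count, for trend tracking
    flagged = Counter()     # internal src -> permits to blacklisted dst
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["action"] == "permit" and (rec["dst"], rec["port"]) in known_ok:
            continue  # exclusion step: nothing questionable here
        remaining[(rec["action"], rec["dst"], rec["port"])] += 1
        if rec["action"] == "permit" and rec["dst"] in blacklist:
            flagged[rec["src"]] += 1
    return remaining, flagged

if __name__ == "__main__":
    rest, hits = analyze(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src}: {n} permitted connection(s) to blacklisted hosts")
```

Keeping the `remaining` counts from day to day is what lets you notice when a questionable destination suddenly moves or spikes, which is the tracking Ranum describes.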
"We advocate that customers collect and protect all the log data created by disparate security and network devices, and that they build a platform that can be expanded on to include the data created by applications and hosts as well," said Jim Melvin, executive vice president for business development for Network Intelligence Corp. in Westwood, Mass. "That information [should be shared] up and down the line, from the network administrator to the board of directors."
The time will come when those in IT finally realize that they have a huge problem to overcome in managing the millions of logs being generated. More importantly, they'll start to see what can happen when they do nothing. Said Ranum: "Most organizations that think they are 'locked down too tight' aren't close to 'locked down enough.'"