Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Next-generation IDS brings less false positives, more intelligence

An effective next-generation IDS can detect malicious attacks by integrating protection, analysis and response technologies, givubg users better security intelligence.

The shine is definitely off intrusion detection systems, and IDS vendors know it. Funny how IDSes used to be the coolest thing going -- until people actually started using them.

The biggest complaint, always, is false positives. I constantly hear horror stories about IDSes spitting out reams of alert data that nobody has time to sift through. One East Coast Fortune 500 financial institution gets more than 500,000 alerts per month. Tuning the system to your network's peculiarities helps, but when Chicken Little keeps telling you the sky is falling, it isn't long before you stop looking up.

To be more effective, IDSes -- particularly network-based solutions -- will need to be more intelligent. Intelligence from a technical standpoint means less reliance on signature-based scanning and more reliance on protocol analysis and anomaly detection. It also means better mapping to the network's servers and applications, and the ability to know whether Server A is vulnerable to Attack B.

The latest buzzword used by IDS vendors is "intrusion life-cycle management." Traditionally, intrusion detection has been only a one point solution within a risk mitigation continuum that also includes protection and response. While traditional IDSes detect attacks (with varying levels of success), they do little to guide users on how to protect their systems or respond in the event of a breach.

New products from Symantec, Internet Security Systems and NFR Security, among others, integrate protection, analysis and response technologies to provide users with more security intelligence. These tools come bundled with a vulnerability assessment component that identifies system/application holes and policy weaknesses. They monitor the network for attacks on servers and workstations and, when a potential attack is flagged, determine if the target system is vulnerable. This effectively weeds out "might-be" attacks -- attacks that might be serious in someone else's network, but aren't in yours.

Newer IDSes also enhance the ways you can respond to alerts -- everything from modifying firewall rules to resetting TCP sessions to disabling accounts to any number of user-defined responses.

The alert correlation and management functions also have improved. Some products can be configured to normalize alerts in HP OpenView or IBM Tivoli NetView, while others integrate with security management products from companies such as NetForensics, Intellitactics and e-Security.

Everything comes at a price, and all this additional data analysis takes a toll on throughput speeds. With most IDSes, you have to make a difficult choice: either you sample network traffic for attacks, which maximizes throughput but raises the possibility that you'll miss something; or, you attempt to scan all traffic, which degrades throughput and could result in dropped packets should the engine become saturated.

New IDS appliances from vendors such as Intrusion, TippingPoint and NFR come with lots of on-board processing muscle, allowing you to do full packet analysis at up to gigabit speeds. Of course, there's no end to this cycle. As network speeds continue to grow, IDSes will have to follow suit.

Technology aside, users have to be more intelligent, too. Marcus Ranum of NFR told me a story about a customer who was complaining about an abundance of false positives. Ranum did a site visit and discovered that the "false positives" weren't false at all, but high-priority alerts about repeated attacks on a vulnerable server. The customer only thought he was receiving false alarms because the attacker kept coming back for more.

The trend in the IDS market is toward full-blown intrusion management tools that bundle host protection and network-based scanning, vulnerability assessment and centralized data collection and analysis. On a market side, you can expect to see some consolidation among the point-solution providers that offer one (but not all) of these components. Symantec, ISS, Cisco and Computer Associates are in the best position to grab market share, though smaller companies like NFR and Tripwire (and wild cards like Enterasys Networks) will compete, too.

While the direction of IDS development looks promising, it's important to realize that these tools are brand spanking new and haven't stood the test of time. As with any new technology, early adopters should expect some kinks and kludginess. But within a few release cycles, enterprise security managers will have a lot more options for robust intrusion management.

In the June issue of Information Security, we'll examine all of these issues and more with a special roundtable titled "IDS at the Crossroads." Stay tuned.

About the Author: Andy Briney is editor-in-chief of Information Security magazine. 

This was last published in May 2002

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)