As intrusion prevention systems (IPSes) are increasingly deployed in corporate data centers and at network edges around the world, the problem of false positives grows. A false positive is any alert that indicates nefarious activity on a system but that, upon further inspection, turns out to represent legitimate network traffic or behavior. Too many false positives reduce the value of the data the system produces, and the problem only gets worse as network attacks increase over time (think of the boy who cried wolf). Let's take a look at five ways to reduce false positives in IPSes.
- Define profiles. Before deploying an IPS into production, pay special attention to defining, vetting and revising statistics on the normal usage pattern to be expected on the network. The single largest contributor to excessive false positive reports is a poorly defined or unsuitable baseline network usage profile, the profile the IPS compares traffic against to detect abnormal activity.
- Carefully establish threshold alarms. During the initial testing and rollout phases, give equal attention to condition matching, thresholds and triggers so that alerts aren't sent unnecessarily for minor spikes or brief abnormal activity. Think about what you really need to know and what is significant to your network as opposed to others, and then create threshold alarms that alert you only when something that you, and not the IPS itself, consider serious occurs.
- Consider running only in mixed or bridge mode. Many businesses are choosing to run in mixed or bridge mode as opposed to blocking mode, to prevent excessive false positives from blocking important legitimate transmissions. Running outside of blocking mode still allows you to block the simplest types of malicious traffic, like worms, but otherwise transitions the device to function more like an intrusion-detection system (IDS) during normal periods. You can always turn the blocking mode back on, thereby enabling the full IPS-specific capabilities of your product when you need it most.
- Change your IPS. This might be a worst-case scenario. IPSes that defend a network based on simple signature analysis are particularly prone to sending out false alarms. Look for an IPS that includes continuous stateful operation, time window-based rate limiting (useful for detecting attacks during off hours that might be construed as legitimate traffic during normal business hours) and special, application-aware protocol modules that detect abnormal activity heuristically.
- Remember that context matters. Work to establish a human context around activity reports. For example, streaming audio and video with Windows Media Player is an arguably legitimate activity for your users, but to an IPS, the port probing and delivery mechanisms inherent in WMP can closely resemble a malicious port scan. Add a human element to the review of any incident report you receive before acting on it.
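To make the first two tips and the time-window rate limiting mentioned above concrete, here is an added example that is not part of the original article: a sliding-window connection counter that compares each source against a baseline profile with separate business-hours and off-hours thresholds. The baseline numbers, the 08:00-18:00 business window, the log line format and the traffic samples are all constructed for illustration.

```python
from collections import deque

# Constructed baseline profile (hypothetical numbers): the most new connections a
# single source is expected to open in any 60-second window, with a much lower
# figure for off hours, when little legitimate activity is expected.
BASELINE = {"business": 60, "off_hours": 5}
WINDOW = 60  # seconds

def period_for(sec_of_day):
    """Map a time of day to the profile that applies (08:00-18:00 = business)."""
    return "business" if 8 * 3600 <= sec_of_day < 18 * 3600 else "off_hours"

def parse_line(line):
    """Parse a constructed log line 'HH:MM:SS src_ip dst_port' into (seconds, src)."""
    clock, src, _port = line.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return h * 3600 + m * 60 + s, src

def windowed_alerts(lines, threshold_for):
    """Keep a sliding 60-second window of timestamps per source and report the
    sources that exceed the threshold for their time of day (one alert per source,
    not one per connection, so a single event does not flood the console)."""
    seen, alerted = {}, set()
    for line in lines:
        ts, src = parse_line(line)
        dq = seen.setdefault(src, deque())
        dq.append(ts)
        while ts - dq[0] > WINDOW:   # drop timestamps that fell out of the window
            dq.popleft()
        if len(dq) > threshold_for(ts):
            alerted.add(src)
    return sorted(alerted)

def flat_alerts(lines, limit=10):
    """Naive rule: the same fixed limit at every hour, ignoring the baseline."""
    return windowed_alerts(lines, lambda _ts: limit)

def profile_alerts(lines):
    """Baseline-aware rule: the limit depends on the period the event falls in."""
    return windowed_alerts(lines, lambda ts: BASELINE[period_for(ts)])

# Constructed traffic. A workstation streaming media at 10:00 opens 50 connections
# in a minute; a host at 02:00 does the same; a third host opens one connection
# every two seconds for five minutes (never more than 31 in any single window).
DAYTIME = [f"10:00:{i:02d} 10.0.0.5 80" for i in range(50)]
NIGHTTIME = [f"02:00:{i:02d} 10.0.0.9 445" for i in range(50)]
SPREAD = [f"14:{i * 2 // 60:02d}:{i * 2 % 60:02d} 10.0.0.7 443" for i in range(150)]
```

Run on the three samples, the flat rule alerts on all three sources, while the profile-based rule alerts only on the off-hours host; tuning the baseline figures to your own measured traffic is what turns the remaining alerts into ones worth reading.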
About the author
Jonathan Hassell, a systems administrator and IT consultant in the Charlotte, N.C. area, is the author of several books, including Hardening Windows and Managing Windows Server 2003. He regularly speaks at conferences and contributes articles on Windows administration and network security.