Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437
  • Last Modified:

IDS Operational Support Functions and Processes

Hi all,

I am looking for a detailed list of the kind of support functions that an IDS operations group would be responsible for.  By that I mean functions across the entire breadth of managing, supporting and monitoring an IDS platform.

eg, release signature updates, manage incidents, patch IDS software, patch IDS OS, handle security incidents

Ideally I would love some kind of framework from which I can pick and choose these which are specific to my deployment.

Thanks
0
rowansmith
Asked:
rowansmith
1 Solution
 
Rich RumbleSecurity SamuraiCommented:
It's not much different than many others, patching the os it runs on, patching the software itself, keeping up with the latest sigs (typically automated) and the most important part is reviewing handling the positives, false positives and false negatives. The handling of the incidents are subject to your companies incident response, likely similar to how a AV incident is handled, or if it's a bigger issue how a breach is handled.
IDS's need to be tuned and configured for your network and ultimately it's placement in the network.For instance an IDS on the outside of your network looking in, you will likely see an over abundance of false positives from all the nasties that are likely scanning and sending errant traffic that hit your IP space. IDS's placed on the inside tend to see less false positives as the firewalls and routers will drop traffic that isn't going to make it into your network because you don't allow port's x,y and z into the network. Traffic that does make it in still may be false positives. Traffic exiting your network tends to yield "more fruit" because there should be less "bad" things happening going from in to out, as opposed to the reverse. Once tuned, you'll have to address policy violations like p2p software being used/detected or a SMTP server being detected that isn't an official company SMTP server, all the way to a SQL injection that makes it into your network and compromises a host(s).
I'm not sure if a framework exists, but it also doesn't mean you won't have the means already at your disposal. There are frontends for Snort/Suricata/Bro-IDS that can help document and log incidents, and companies that can do that for you as well (sourcefire/trend-micro/imperva..). IDS can be a beast to manage, but the better defined it is, the easier it becomes. I'm sure I haven't addressed the question as directly as you may need, but it's not an easily answered question :)
-rich
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Tackle projects and never again get stuck behind a technical roadblock.
Join Now