Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

IDS Operational Support Functions and Processes

Posted on 2011-03-07
1
Medium Priority
?
436 Views
Last Modified: 2013-11-29
Hi all,

I am looking for a detailed list of the kind of support functions that an IDS operations group would be responsible for.  By that I mean functions across the entire breadth of managing, supporting and monitoring an IDS platform.

eg, release signature updates, manage incidents, patch IDS software, patch IDS OS, handle security incidents

Ideally I would love some kind of framework from which I can pick and choose these which are specific to my deployment.

Thanks
0
Comment
Question by:rowansmith
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 35070866
It's not much different than many others, patching the os it runs on, patching the software itself, keeping up with the latest sigs (typically automated) and the most important part is reviewing handling the positives, false positives and false negatives. The handling of the incidents are subject to your companies incident response, likely similar to how a AV incident is handled, or if it's a bigger issue how a breach is handled.
IDS's need to be tuned and configured for your network and ultimately it's placement in the network.For instance an IDS on the outside of your network looking in, you will likely see an over abundance of false positives from all the nasties that are likely scanning and sending errant traffic that hit your IP space. IDS's placed on the inside tend to see less false positives as the firewalls and routers will drop traffic that isn't going to make it into your network because you don't allow port's x,y and z into the network. Traffic that does make it in still may be false positives. Traffic exiting your network tends to yield "more fruit" because there should be less "bad" things happening going from in to out, as opposed to the reverse. Once tuned, you'll have to address policy violations like p2p software being used/detected or a SMTP server being detected that isn't an official company SMTP server, all the way to a SQL injection that makes it into your network and compromises a host(s).
I'm not sure if a framework exists, but it also doesn't mean you won't have the means already at your disposal. There are frontends for Snort/Suricata/Bro-IDS that can help document and log incidents, and companies that can do that for you as well (sourcefire/trend-micro/imperva..). IDS can be a beast to manage, but the better defined it is, the easier it becomes. I'm sure I haven't addressed the question as directly as you may need, but it's not an easily answered question :)
-rich
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
How does someone stay on the right and legal side of the hacking world?
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question