Improve company productivity with a Business Account.Sign Up

x
?
Solved

IDS Operational Support Functions and Processes

Posted on 2011-03-07
1
Medium Priority
?
440 Views
Last Modified: 2013-11-29
Hi all,

I am looking for a detailed list of the kind of support functions that an IDS operations group would be responsible for.  By that I mean functions across the entire breadth of managing, supporting and monitoring an IDS platform.

eg, release signature updates, manage incidents, patch IDS software, patch IDS OS, handle security incidents

Ideally I would love some kind of framework from which I can pick and choose these which are specific to my deployment.

Thanks
0
Comment
Question by:rowansmith
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 35070866
It's not much different than many others, patching the os it runs on, patching the software itself, keeping up with the latest sigs (typically automated) and the most important part is reviewing handling the positives, false positives and false negatives. The handling of the incidents are subject to your companies incident response, likely similar to how a AV incident is handled, or if it's a bigger issue how a breach is handled.
IDS's need to be tuned and configured for your network and ultimately it's placement in the network.For instance an IDS on the outside of your network looking in, you will likely see an over abundance of false positives from all the nasties that are likely scanning and sending errant traffic that hit your IP space. IDS's placed on the inside tend to see less false positives as the firewalls and routers will drop traffic that isn't going to make it into your network because you don't allow port's x,y and z into the network. Traffic that does make it in still may be false positives. Traffic exiting your network tends to yield "more fruit" because there should be less "bad" things happening going from in to out, as opposed to the reverse. Once tuned, you'll have to address policy violations like p2p software being used/detected or a SMTP server being detected that isn't an official company SMTP server, all the way to a SQL injection that makes it into your network and compromises a host(s).
I'm not sure if a framework exists, but it also doesn't mean you won't have the means already at your disposal. There are frontends for Snort/Suricata/Bro-IDS that can help document and log incidents, and companies that can do that for you as well (sourcefire/trend-micro/imperva..). IDS can be a beast to manage, but the better defined it is, the easier it becomes. I'm sure I haven't addressed the question as directly as you may need, but it's not an easily answered question :)
-rich
0

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

A discussion about Penetration Testing and the Tools used to help achieve this important task.
Software-defined infrastructure is the buzz these days gaining a lot of importance. With software-defined infrastructure companies can be more agile and proficient. Nonetheless, a complete re-engineering of IT procedures is required to gain agility…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

584 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question