Solved

IDS Operational Support Functions and Processes

Posted on 2011-03-07
1
428 Views
Last Modified: 2013-11-29
Hi all,

I am looking for a detailed list of the kind of support functions that an IDS operations group would be responsible for.  By that I mean functions across the entire breadth of managing, supporting and monitoring an IDS platform.

eg, release signature updates, manage incidents, patch IDS software, patch IDS OS, handle security incidents

Ideally I would love some kind of framework from which I can pick and choose these which are specific to my deployment.

Thanks
0
Comment
Question by:rowansmith
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
Comment Utility
It's not much different than many others, patching the os it runs on, patching the software itself, keeping up with the latest sigs (typically automated) and the most important part is reviewing handling the positives, false positives and false negatives. The handling of the incidents are subject to your companies incident response, likely similar to how a AV incident is handled, or if it's a bigger issue how a breach is handled.
IDS's need to be tuned and configured for your network and ultimately it's placement in the network.For instance an IDS on the outside of your network looking in, you will likely see an over abundance of false positives from all the nasties that are likely scanning and sending errant traffic that hit your IP space. IDS's placed on the inside tend to see less false positives as the firewalls and routers will drop traffic that isn't going to make it into your network because you don't allow port's x,y and z into the network. Traffic that does make it in still may be false positives. Traffic exiting your network tends to yield "more fruit" because there should be less "bad" things happening going from in to out, as opposed to the reverse. Once tuned, you'll have to address policy violations like p2p software being used/detected or a SMTP server being detected that isn't an official company SMTP server, all the way to a SQL injection that makes it into your network and compromises a host(s).
I'm not sure if a framework exists, but it also doesn't mean you won't have the means already at your disposal. There are frontends for Snort/Suricata/Bro-IDS that can help document and log incidents, and companies that can do that for you as well (sourcefire/trend-micro/imperva..). IDS can be a beast to manage, but the better defined it is, the easier it becomes. I'm sure I haven't addressed the question as directly as you may need, but it's not an easily answered question :)
-rich
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now