Solved

IDS Operational Support Functions and Processes

Posted on 2011-03-07
1
430 Views
Last Modified: 2013-11-29
Hi all,

I am looking for a detailed list of the kind of support functions that an IDS operations group would be responsible for.  By that I mean functions across the entire breadth of managing, supporting and monitoring an IDS platform.

eg, release signature updates, manage incidents, patch IDS software, patch IDS OS, handle security incidents

Ideally I would love some kind of framework from which I can pick and choose these which are specific to my deployment.

Thanks
0
Comment
Question by:rowansmith
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 35070866
It's not much different than many others, patching the os it runs on, patching the software itself, keeping up with the latest sigs (typically automated) and the most important part is reviewing handling the positives, false positives and false negatives. The handling of the incidents are subject to your companies incident response, likely similar to how a AV incident is handled, or if it's a bigger issue how a breach is handled.
IDS's need to be tuned and configured for your network and ultimately it's placement in the network.For instance an IDS on the outside of your network looking in, you will likely see an over abundance of false positives from all the nasties that are likely scanning and sending errant traffic that hit your IP space. IDS's placed on the inside tend to see less false positives as the firewalls and routers will drop traffic that isn't going to make it into your network because you don't allow port's x,y and z into the network. Traffic that does make it in still may be false positives. Traffic exiting your network tends to yield "more fruit" because there should be less "bad" things happening going from in to out, as opposed to the reverse. Once tuned, you'll have to address policy violations like p2p software being used/detected or a SMTP server being detected that isn't an official company SMTP server, all the way to a SQL injection that makes it into your network and compromises a host(s).
I'm not sure if a framework exists, but it also doesn't mean you won't have the means already at your disposal. There are frontends for Snort/Suricata/Bro-IDS that can help document and log incidents, and companies that can do that for you as well (sourcefire/trend-micro/imperva..). IDS can be a beast to manage, but the better defined it is, the easier it becomes. I'm sure I haven't addressed the question as directly as you may need, but it's not an easily answered question :)
-rich
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question