There is one mistake I see IPS analysts routinely make, one which considerably harms their organization’s ability to use the system and accurately respond to threats. And that is the failure to honestly consider how much time they actually have to devote to their IPS events.
How Much Time Do You Have For IPS?
If you want to get the maximum (or, really, any) value from your IPS (or IDS, if you prefer) then you have to stop and consider how much time you really have to spend with it. And be honest with yourself. How much time per day or week can you set aside? And get used to thinking about it, because you’re going to have to revisit this question regularly. After all, your schedule changes, and the value of your IPS alerts will always depend on the time you can give them.
The Value of Security Alerts
The value you gain from your IPS is not a database full of alert data, but the enhanced ability to respond to intruders. The data is useless without somebody to use it. So the value of your data will always be a function of how it is utilized. That is, how it helps you detect and respond to threats to your environment.
Raw data are often discussed as a commodity. And in many ways it is. I fear, however, that thinking about data this way encourages people to focus on collection and storage. Simply possessing data does not mean you are benefiting from it. A better analogy is that data are grown like, for example, corn. You can try to grow as much as you wish, but if you don’t have the manpower to harvest it, it will rot there.
Consuming Your Data
The value in farming corn is not simply having grown it, but that it can be transformed into something people want to consume. To continue to belabor this contrived analogy, we don’t just want to grow corn, we want to harvest it and turn it into a nice sour mash whiskey. Drinking whiskey is a lot like analyzing IPS alerts. The first sip you ever have is strange and burns. But once you develop a taste for it, it’s delicious. Then the first couple drinks are good, and sometimes the next couple are even better. But eventually having more makes you sick, and in obscene amounts it can even kill you.
It is the same with your IPS alerts (essentially, but I haven’t heard of any IPS related fatalities... yet). First time you plug your IPS in you may not get much value out of it. But once it’s tuned then the alerting you receive is beneficial. And more data may even give you a better picture of your network and who’s attacking it. But eventually there’s just too much data to handle. And not only are you receiving no value from this pile of data, but maintaining it and attempting to sort through it are costs to you. If you’ve reached this point then you either need to reduce the amount of data you have or hire more people to analyze it. Otherwise why even have the IPS? Collecting information nobody ever looks at is pointless.
While your new IPS system is being deployed and configured it is usually done by somebody focusing a lot of time on an IPS project. What you need to realize is that after this project is another project. And when your time is no longer focused primarily on IPS that data will still be rolling in. When focused on their IPS system people have a tendency to start collecting more data than they will be able to handle. The most common ways this happen are 1) turning on too many rules and 2) sensor placement.
First, turning on too many rules is a temptation some just can not refuse. But not only do all those extra rules place a performance burden on Snort, but they create alerts you need to analyze. So are those alerts really something useful? If not, then get rid of them. They’re creating useless data. And while those data continue to pour in, clogging the system with alerts, this only works to obscure the data you actually need to respond to.
Second, do you really need a sensor outside of the firewall? A lot of security analysts are by their very nature very curious. And the opportunity to see what kind of malware is floating around outside on the Internet is intriguing. But a month from now, when you’ve moved on to another project, are you going to have the time to wade through the flood of alerts that detected attacks that were subsequently stopped by your firewall? How useful is that? How will you be using and responding to these? Once you consider this, there’s a good chance you can find a better location for that sensor
Your time and attention is limited and valuable. You need to understand this in order to get the full value from your IPS. You need to tune the system until you are no longer burdened with useless data (Or at least set that as the goal, it is typically a moving target.). And that means considering what traffic you need to monitor, and what rules will you actually respond to.
Think about it. Be honest. And when you can use your IPS without getting drunk on data you’ll be in good shape.