Technology Executives Club
The Premier Thought Leadership Community for IT Management   Saturday, July 05, 2008 

 

Network Security
NetDetector: Identifying Real Threats and Securing Your Network


A NIKSUN White Paper

www.niksun.com

Abstract
Network-based intrusion detection systems (NIDS), once considered non-critical niche solutions, have entered the mainstream security market as necessary components of the core network infrastructure [11]. Years of practical experience with NIDS have shown that they are not the network security panacea they were originally thought to be, but rather are prone to suffering from a host of shortcomings. Chief among these shortcomings is the proliferation of false positives, which greatly reduce the effectiveness, usability, and manageability of such systems. Indeed, industry estimates generally place the average occurrence of false positives above 90%, which is an unacceptably low signal-to-noise ratio. The increasing need to monitor faster and faster networks threatens to make matters worse.

Even still, in a paradoxical attempt to leapfrog over the problem, the most recent trend is towards intrusion prevention systems (IPS), a subclass of which includes network devices that purport to actively block or thwart intrusions [3,4,11,12]. However, detection is a necessary prerequisite to prevention, and it becomes even more imperative to address the false positive issue, or risk creating a denial of service with the very system that is supposed to block such attacks! We agree with Andrew Briney, the editor-in-chief of Information Security magazine, when he sums up the situation as follows: “Change your mindset from ‘intrusion prevention’ to ‘intrusion management’… You can accept, mitigate, transfer and even ignore risk, but you can’t prevent it. Similarly, you’ll never prevent intrusions at all layers of your infrastructure. Breaches happen. What’s important is how you respond.” [2].

Intrusion management involves the complete process of handling security events. The detection provided by NIDS, although crucial, is only one part of the process. Policies, procedures, personnel, and products must be in place for managing incidents beyond the detection phase. Ideally, a quick decision needs to be made on the legitimacy, severity, and ongoing risk posed by an event. From here, an appropriate response can be enacted. How quickly such a decision and response can be made ultimately depends on the skill of the team and the power of their tools.

 


Copyright © 2008 Technology Executives Club, Ltd. All rights reserved.