Intrusion detection systems (IDSes) are a waste of electricity unless you are willing to do the hard work to tune and optimise them, according to Mark Ames, chair of the Information Security Interest Group (ISIG).
"[I have] been to companies where they have the IDS logs scrolling on a screen. When you point to something coming up in red and ask 'what are you going to do?', the response is: 'Ahhh . . . nothing, only if we see something really funny going on,'" Ames said, speaking in Sydney at IBM's user conference and expo, Interaction 2003, last week.
"I think that's a waste of electricity," he added. "Have some incident response plan, [there's] not much point otherwise."
Another possible use of "all the guff that comes out" in copious logs, which Ames has seen in financial services companies, is, he says, printing it out and showing it to the board along with comments about thousands of attacks - in the hope of raising more IT security funding.
Tuning IDSes is not quite a black-and-white process, but one that takes a lot of work, Ames said.
"The more you pare down [the attack signatures] database and target what you're after, the better it's going to work for you," Ames said. "Why do you want all the Unix, Linux and Windows attack signatures in an IDS in front of an accounting system running on an iSeries?" he asked. "OK, you say there are no iSeries attack signatures, but I'm sure there are."
Ames' other recommendation was network segmentation according to risk as part of a "zoned defence", with IDSes positioned at segment boundaries.
"If the only thing on a network segment is MQ, set alarms for anything that doesn't look like MQ," he said.
"Focus on the vulnerable systems; if you have a firewall nailed down, don't put an IDS against that," he said.
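The MQ-only segment rule above, written as a small boundary check over constructed flow records; this is an added illustration, not anything from Ames or the conference, and it assumes a hypothetical segment 10.20.0.0/24 and an MQ listener on 1414/tcp.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SegmentPolicy:
    """A risk zone and the only services expected to appear in it."""
    name: str
    network: ipaddress.IPv4Network
    allowed_services: frozenset  # set of (proto, dst_port) tuples

# Hypothetical zone: the only thing on this segment should be MQ traffic.
# Port 1414/tcp is assumed here as the MQ listener port.
MQ_SEGMENT = SegmentPolicy(
    name="mq-zone",
    network=ipaddress.ip_network("10.20.0.0/24"),
    allowed_services=frozenset({("tcp", 1414)}),
)

def parse_flow(line: str) -> dict:
    """Parse one constructed flow line: 'src dst proto dport bytes'."""
    src, dst, proto, dport, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": int(dport), "bytes": int(nbytes)}

def check_flow(flow: dict, policy: SegmentPolicy) -> Optional[str]:
    """Alert on any flow crossing or inside the zone that is not an allowed service."""
    in_zone = flow["src"] in policy.network or flow["dst"] in policy.network
    if not in_zone or (flow["proto"], flow["dport"]) in policy.allowed_services:
        return None
    return (f"{policy.name}: unexpected {flow['proto']}/{flow['dport']} "
            f"{flow['src']} -> {flow['dst']}")

def scan_flows(lines, policy: SegmentPolicy) -> list:
    """Run the zone policy over flow lines, skipping comments and blanks."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        alert = check_flow(parse_flow(line), policy)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample flows (not real traffic): two MQ flows, an SSH login into
# the zone, an outbound HTTPS flow from the MQ host, and one flow outside the zone.
SAMPLE_FLOWS = """
# src dst proto dport bytes
10.20.0.15 10.20.0.40 tcp 1414 48211
10.50.1.9 10.20.0.40 tcp 1414 1200
10.50.1.9 10.20.0.40 tcp 22 900
10.20.0.40 198.51.100.7 tcp 443 3100
10.50.1.9 10.50.1.10 tcp 3389 5000
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS, MQ_SEGMENT):
        print(alert)
```

Only the two flows that are not MQ and that touch the zone produce alerts; the RDP flow between two hosts outside the segment is ignored, which is the point of placing the check at the segment boundary rather than running every signature everywhere.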
IT managers should also harden their hosts using hardware vendors' security downloads. These would possibly do away with the need for IDSes for these hosts, Ames said.