In-Depth

Getting the Most From Intrusion Detection Systems

Proponents of Security Information Management tools say that their products can help to tame the wild profusion of IDS data

• By Stephen Swoyer
• 01/29/2003

A recent study published by market research firm Meta Group indicates that even as interest in IDS has risen among Global 2000 organizations, companies often view their completed IDS deployments as failures. That’s because, says Meta Group analyst Christian Byrnes, many companies often adopt IDSes as technical solutions, without giving much thought to the operational issues associated with managing them.

What IDS operational issues most frustrate IT organizations? According to Scott Markle, IDS program manager for ICSA Labs, the security testing and evaluation practice of Tru-Secure Corp., most of the IT managers he talks with tell him they’re simply overwhelmed by the information collected by their IDS products. “This is a huge problem. People have been told to go buy IDS, and [having done so] it’s basically where do they go from that point? Vendors aren’t necessarily doing much about it, and they’re pretty much saying, this is what our product does—collects data.”

For the record, “intrusion detection” is a practice that encompasses a wide variety of tools that are designed to recognize common attack signatures, identify and flag system or network anomalies, or detect unauthorized and possibly malicious behavior on a host or network.

IDS solutions—which include Secure IDS from Cisco Systems Inc., NetProwler from Symantec Corp., eTrust Intrusion Detection from Computer Associates International Inc., and the Real Secure product suite from Internet Security Systems—are typically outfitted with administrative consoles, integrated analytic tools, and some reporting functionality. Because IDS products can be either host- or network-based, it’s not uncommon for an organization to have multiple IDS solutions that support a variety of different platforms, applications, and network topologies, scattered across its environment.

And that's the rub, says Bruce Murphy, CEO of security consulting and managed services provider Vigilinx. It’s difficult enough to make effective use of a single IDS solution, he points out, but when multiple products with multiple administrative facilities are involved, management becomes even more complicated. That’s not to mention the fact, he suggests, that the reporting or analytic capabilities of some IDS solutions simply aren’t up to snuff. “On a standalone basis, these products don’t do as good of a job as they could. Things don’t improve when you have several of them, which is actually quite common.”

Security Information Management

The wild profusion of IDS devices has created a market opportunity for so-called “Security Information Management” (SIM) tools, which collect information from disparate IDS products and purport to render it in an intelligible fashion. E-Security Inc.'s Net Sentinel, OpenService Inc.'s Security Threat Manager, NetForensics' NetForensics 3.0, and SolSoft Inc's SolSoft NP all market SIM solutions that aggregate data from multiple IDSes.

SIM vendors don’t pretend that their products are will solve all of an organization’s security woes. Instead, they say, their offerings give customers the ability, in theory, to reach into any IDS product and extract meaningful data. Says Bill Oliphant, director of technology partnerships for NetForensics: “It takes in all of that data and normalizes it and aggregates it down, and then pushes it off to a correlation engine, and then…[renders it] in a format that’s more recognizable to IT, such as is it a reconnaissance attack or is it a denial of service attack?”

It’s not as easy as it sounds. For just as dozens of vendors market IDS products, so, too, dozens of vendors support wildly heterogeneous analytic facilities, such that there are no interoperable standards for describing IDS security events (such as reconnaissance attacks or denial of service attacks) and no industry-wide mechanism for generating reports. To that end, many SIM vendors provide agents to reach into host and network IDSes, firewalls, and anti-virus solutions. ““What we’ve tried to do is target the top five in each of the functional areas, so we’ve got the top five firewalls, intrusion detection systems, and anti-viruses.”

Some SIM vendors also provide toolkits customers can use to integrate their products with unsupported IDSes, firewalls, or anti-virus products. NetForensics’ Oliphant says, “We have a toolkit, called our universal agent, that’s based on XML and Java, and what it allows you to do is basically map events from any product and bring them into the product.”

Despite the emerging popularity of SIM tools, analysts such as ICSA’s Markle say that more needs to be done. “This is a trend, and I hate to harp on something familiar, but it goes back to the standardized alert formatting—there isn’t any. There are a handful of products that [SIM tools] can roll data up from, but it’s almost impossible for them to do it across the board for all of the IDS vendors.”

Analysts speculate that the development of the Intrusion Detection Message Exchange Format (IDMEF) could eventually define a standard for the formatting and exchanging of IDS events. In this model, IDSes can exploit the Intrusion Detection eXchange Protocol (IDXP) to exchange IDMEF messages with one another. Both specifications have been submitted to the Internet Engineering Steering Group and are currently pending approval as RFCs. However, it could be quite some time before both standards are finalized, and even longer before vendors start shipping IDMEF- and IDXP-enabled products.

Some large vendors, such as Symantec Corp., ISS, and CA, market IDS products that boast integration with other solutions in their respective product lines. Symantec, for example, supports a product for network-based IDS—NetProwler—along with another product, IntruderAlert, that performs host-based IDS. Symantec also markets another IDS—Host Intrusion Detection System—that integrates with its Security Management System, enabling customers to correlate data from IDS with information generated by other Symantec tools.

Washington, D.C.-based SilentRunner Inc. markets an IDS solution quite without peer. SilentRunner’s flagship product, SilentRunner 2.0, is an IDS solution that captures data at the network level, builds up a knowledgebase—or profile—of enterprise activity, and then sifts through data in real-time looking for positives (anomalies) in the midst of noise.

According to Dan Woolley, VP of business development and operations, SilentRunner can “take the information that you’ve analyzed … and can figure out a way to show relationships between information that often appears to not have a relationship at all.” He describes a situation in which SilentRunner can parse the logs of two IDS systems, one outside of a firewall and the other inside, cross-correlate the data, overlay it on screen, and provide a visual representation of anomalies between the two IDSes.

In the end, suggests Vigilinx’ Murphy, there’s no silver bullet for IDS management. Instead, good old IT common sense is prescribed: “[For large organizations] one of their best paths is to collaborate with some of their other counterparts in their industry to find out what they’re doing, a kind of birds-of-a-feather approach.”

Tru-Secure provides an IDS buying guide here: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml Some of it is dated—e.g., Symantec acquired the former Axent Technologies quite some time ago—but it’s nonetheless an excellent guide to IDS terms, practices and technologies.

Information about the proposed IDMEF and IDXP standards can be found here http://www.silicondefense.com/idwg/