Tool Aims to Reduce IDS False Alarms

By Dennis Fisher  |  Posted 2003-05-02

As administrators and IT managers continue to look for ways to improve the signal-to-noise ratio in their IDS systems, a small Indiana company is unveiling a new product designed to reduce false positives and get fixes to vulnerable machines quickly.

Intelligent IDS combines the functionality of a typical network IDS with real-time vulnerability assessment and remediation capabilities. Taken individually, none of these features is exactly groundbreaking. But Intelligent IDS is one of the first products to throw them all in the same mix. The new software is essentially a plug-in for the Snort open-source IDS and also uses the Nessus open-source scanner.

The most oft-voiced complaint about IDS technology is its propensity for false alarms. A security specialist managing an IDS at any medium or large enterprise is likely to spend a great deal of time sorting through page after page of logs filled with seemingly important attacks, only to find that the vast majority of these events are the electronic equivalent of those expensive and annoying car alarms that everyone ignores. SecurityProfiling Inc. officials say their technology will help reduce the number of false positives by comparing incoming attacks against the configuration of the besieged machine to see whether it is vulnerable to that particular exploit.

This is accomplished by taking the signature of the attack and its destination IP address and running them through the software's logic engine. Intrusion attempts against vulnerable machines are logged as incidents, and the administrator is notified and given the option of installing the patch for the vulnerability in question. Attacks against secured machines are simply logged as events. Administrators can install patches remotely and will also get detailed reports on what changes were made to the machine.

Company officials say they see Intelligent IDS as separate from the mass of security event management products on the market. "That may be successful for some organizations, but our philosophy is fundamentally different," said Brett Oliphant, CTO and founder of SecurityProfiling, based in Lafayette, Ind. "We don't use vulnerability assessments because if that worked, you'd already know your machine was vulnerable and have it fixed." Instead, the software looks at each machine's configuration to see whether the current attack will succeed against it.

Other companies, most notably Citadel Security Software Inc., are pursuing similar paths. However, Citadel's Hercules software is meant more for automated vulnerability assessment and remediation and does not include integration with an IDS.

SecurityProfiling plans to add several other components to the system, starting with a firewall and a scanner. Version 2.0 of Intelligent IDS is due in late June, Oliphant said. Version 1.0 is available now for a $4,995 license fee.
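The correlation step the article describes (attack signature plus destination IP, checked against the target's configuration, then "incident" versus "event") is simple enough to sketch in code. The following is an added illustration written for this page, not SecurityProfiling's product code or any Snort component. The asset inventory, the rule SIDs, the patch identifiers and the alert lines are all constructed; the alert layout is a simplified version of Snort's "fast" alert format. It also handles the case the product pitch glosses over: an alert for a host or signature the inventory knows nothing about, which is kept for review rather than silently demoted to an event.

```python
import re
from collections import Counter

# Constructed asset inventory (hypothetical hosts, not from the article):
# destination IP -> installed software versions and patch IDs already applied.
ASSETS = {
    "10.0.0.5": {"software": {"httpd": "2.0.44"}, "patches": set()},
    "10.0.0.6": {"software": {"httpd": "2.0.46"}, "patches": set()},
    "10.0.0.7": {"software": {"httpd": "2.0.44"}, "patches": {"HTTPD-FIX-1"}},
    "10.0.0.8": {"software": {"sshd": "3.5"}, "patches": set()},
}

# Constructed signature catalogue keyed by Snort rule SID (hypothetical SIDs and
# patch IDs, not real rules or advisories): the software a signature targets,
# the first version that is not affected, and the patch that closes the hole.
SIGNATURES = {
    1001: {"software": "httpd", "fixed_in": "2.0.45", "patch": "HTTPD-FIX-1"},
    2002: {"software": "sshd", "fixed_in": "3.7", "patch": "SSHD-FIX-2"},
}

# Simplified Snort "fast"-style alert line: timestamp, [gid:sid:rev], message,
# then "src:port -> dst:port". Only the SID and destination IP matter here.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s*->\s*(?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_alert(line):
    """Extract SID, message, source and destination IP from one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]}


def version_key(version):
    """Turn '2.0.44' into (2, 0, 44) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def host_vulnerable(sid, dst):
    """True/False when the inventory can decide; None when data is missing."""
    sig = SIGNATURES.get(sid)
    host = ASSETS.get(dst)
    if sig is None or host is None:
        return None
    installed = host["software"].get(sig["software"])
    if installed is None or sig["patch"] in host["patches"]:
        return False  # target does not run that software, or is already patched
    return version_key(installed) < version_key(sig["fixed_in"])


def classify(line):
    """Return (verdict, patch): 'incident' with the patch to offer, plain 'event',
    'unknown' when inventory or signature data is missing, or 'unparsed'."""
    alert = parse_alert(line)
    if alert is None:
        return ("unparsed", None)
    vulnerable = host_vulnerable(alert["sid"], alert["dst"])
    if vulnerable is None:
        return ("unknown", None)  # never silently drop: queue for analyst review
    if vulnerable:
        return ("incident", SIGNATURES[alert["sid"]]["patch"])
    return ("event", None)


def triage(lines):
    """Summarise verdicts and list (host, patch) pairs that need remediation."""
    summary = Counter()
    incidents = []
    for line in lines:
        verdict, patch = classify(line)
        summary[verdict] += 1
        if verdict == "incident":
            incidents.append((parse_alert(line)["dst"], patch))
    return summary, incidents


# Constructed alert lines in the simplified fast-alert layout described above.
SAMPLE_ALERTS = [
    "05/02-10:00:01.000000  [**] [1:1001:3] WEB-MISC httpd overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:3344 -> 10.0.0.5:80",
    "05/02-10:00:02.000000  [**] [1:1001:3] WEB-MISC httpd overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:3345 -> 10.0.0.6:80",
    "05/02-10:00:03.000000  [**] [1:1001:3] WEB-MISC httpd overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:3346 -> 10.0.0.7:80",
    "05/02-10:00:04.000000  [**] [1:2002:1] EXPLOIT sshd overflow attempt [**] [Priority: 1] {TCP} 192.0.2.11:2200 -> 10.0.0.8:22",
    "05/02-10:00:05.000000  [**] [1:1001:3] WEB-MISC httpd overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:3347 -> 10.0.0.8:80",
    "05/02-10:00:06.000000  [**] [1:9999:1] POLICY unmapped signature [**] [Priority: 3] {TCP} 192.0.2.12:1000 -> 10.0.0.5:80",
    "05/02-10:00:07.000000  [**] [1:1001:3] WEB-MISC httpd overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:3348 -> 10.0.0.99:80",
]

if __name__ == "__main__":
    summary, incidents = triage(SAMPLE_ALERTS)
    print(dict(summary))
    for host, patch in incidents:
        print(f"incident: {host} is vulnerable, offer patch {patch}")
```

Of the seven constructed alerts, only two become incidents: the unpatched httpd host and the old sshd host. The host running a fixed version, the host with the patch already applied, and the host that does not run httpd at all are logged as plain events, which is exactly the noise reduction the product claims. The two "unknown" verdicts are the part a buyer should ask about: the scheme is only as good as the inventory behind it, and a stale inventory turns real attacks into ignored events unless unmatched alerts are kept visible.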