Telecom and Logistics Associates 

TLAalert    Security Service

Publication: Christian ALT

TLAnews: Security News Service

26.7.2000 Security: Intrusion Detection, too many false alarms
Administrators are realizing the technology's limits and frustrations. Network attacks, including distributed denial-of-service and buffer overflow attacks, have put intrusion detection software on the front line in the battle against hackers.

French version (translated): Intrusion Detection, too many false alarms
Administrators are realizing the limits and frustrations of the technology. Network attacks, including denial of service and buffer overflows, have put attack-detection software on the front line in the battle against hackers.

English version
The reason: Too often, the software puts out false-positive alerts, which warn administrators about traffic that turns out to be innocuous but still send IT managers scurrying to plug security holes.

Some security administrators have reached an absurd point where, every other day, they are literally just blowing away log files.

Intrusion detection generated so many false-positive warnings that security staff started ignoring them, turning off pager notifications that were coming day and night. This is not a good attitude, but it is more and more common with intrusion detection.

Technically, false positives are a hard problem for software companies to solve. The rarer the event, the more accurate the test must be to be useful: because genuine intrusions are a tiny fraction of all traffic, even a small false-positive rate per event produces far more false alerts than true ones. Right now, intrusion detection is not accurate enough and returns more false positives than true positives.
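As an added illustration (not part of the original TLAnews article), the following Python computes how the rarity of real intrusions drives the precision of an alert stream. The event volume, base rate, detection rate and false-positive rates are constructed assumptions, not measurements of any product.

```python
"""Precision of an intrusion detector versus the base rate of real attacks.

Added illustration, not part of the original TLAnews article. All figures
below are constructed assumptions, not measurements of any product.
"""


def precision(base_rate: float, detection_rate: float,
              false_positive_rate: float) -> float:
    """P(real intrusion | alert) for one audited event.

    base_rate            P(intrusion)          fraction of events that are attacks
    detection_rate       P(alert | intrusion)  the detector's true-positive rate
    false_positive_rate  P(alert | benign)     the detector's false-positive rate
    """
    true_alerts = base_rate * detection_rate
    false_alerts = (1.0 - base_rate) * false_positive_rate
    if true_alerts + false_alerts == 0.0:
        return 0.0
    return true_alerts / (true_alerts + false_alerts)


def max_false_positive_rate(base_rate: float, detection_rate: float,
                            target_precision: float) -> float:
    """Largest false-positive rate that still reaches target_precision.

    Obtained by solving precision(...) == target_precision for the
    false-positive rate.
    """
    return (base_rate * detection_rate * (1.0 - target_precision)
            / ((1.0 - base_rate) * target_precision))


def alerts_per_day(events_per_day: float, base_rate: float,
                   detection_rate: float, false_positive_rate: float):
    """Expected (true, false) alert counts per day."""
    intrusions = events_per_day * base_rate
    benign = events_per_day - intrusions
    return intrusions * detection_rate, benign * false_positive_rate


if __name__ == "__main__":
    # Constructed scenario: one million audited events a day, ten of them
    # real attacks, and a detector that catches 90 % of the attacks it sees.
    events = 1_000_000
    base = 10 / events
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5):
        p = precision(base, 0.9, fpr)
        true_n, false_n = alerts_per_day(events, base, 0.9, fpr)
        print(f"FPR {fpr:g}: precision {p:.4f}, "
              f"{true_n:.0f} true and {false_n:.0f} false alerts/day")
    # Even at one false alarm per 100,000 benign events the analyst is right
    # only about half the time; the required rate is of the order of the base rate.
    print(f"FPR needed for 50 % precision: "
          f"{max_false_positive_rate(base, 0.9, 0.5):.2e}")
```

The point a practitioner should take from the numbers: at a false-positive rate of one in a hundred, which a signature engine can easily exceed on busy traffic, roughly a thousand false alerts arrive for every true one, which is exactly the pager-at-night situation the article describes.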

The signatures that intrusion detection software matches against incoming traffic flag anything that looks suspicious. As a result, IT managers subject to late-night pages or a steady stream of e-mail alerts are naturally conditioned, as in the story of the boy who cried wolf, to ignore the alerts.

French summary (translated)

The reason: too often the software generates false alerts that warn the administrator about what turns out to be nothing but normal traffic.

The frustration is such that some administrators end up no longer consulting their log files, which is a dangerous practice. Some go so far as to disable the alerting mechanisms.

Analysing these alerts is difficult and requires considerable expertise. Intrusion detection software is not yet precise enough and raises needless alarms too often.

To reduce the number of false alarms, administrators must accept an increase in the share of their budget spent on consulting to fine-tune these systems.

We are seeing a growing number of companies outsourcing the monitoring of their sites to us, because once the technical interest of commissioning an intrusion detection system has passed, the operational phase begins, and that is not our clients' core business. This service is much appreciated.

 

To minimize false positives, experts say, security administrators should expect to spend more of their budgets on consultants and services to tune today's software, or to get much more training in attack and detection methods.
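As an added example (not code from the article or from any IDS product), this Python sketch shows what "tuning" a signature set means in practice, applying the three adjustments a consultant typically makes: suppress authorised scanners, disable signatures for software that is not deployed, and narrow an over-broad content signature. The signature names, regular expressions, hostnames and access-log lines are all constructed for illustration.

```python
"""Tuning a signature-based detector to cut false positives.

Added example, not code from the original article or from any IDS product.
The signatures, hostnames and log lines are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed web server access log: source IP, method, path, HTTP status.
# 10.0.0.5 is an authorised internal vulnerability scanner, 203.0.113.7 an
# attacker, the rest ordinary users. The server runs Apache on Unix, not IIS.
SAMPLE_LOG = """\
10.0.0.5 GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd 404
10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 404
10.0.0.5 GET /index.html 200
192.168.1.20 GET /docs/install.html 200
192.168.1.21 GET /images/logo.gif 200
192.168.1.22 GET /cgi-bin/search?q=passwd+rotation 200
203.0.113.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 404
203.0.113.7 GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd 200
198.51.100.9 GET /docs/passwd-policy.html 200
"""

# Constructed signatures in the style of a late-1990s web rule set.
SIGNATURES: Dict[str, re.Pattern] = {
    "WEB-IIS unicode traversal": re.compile(r"/\.\.%c1%1c\.\./", re.I),
    "WEB-CGI phf access": re.compile(r"/cgi-bin/phf\b", re.I),
    "WEB-MISC passwd": re.compile(r"passwd", re.I),  # far too broad
}

Alert = Tuple[str, str, str]  # (signature name, source IP, request)


def parse(log_text: str) -> Iterable[Tuple[str, str, int]]:
    """Yield (source IP, "METHOD path", status) for each constructed log line."""
    for line in log_text.splitlines():
        src, method, path, status = line.split()
        yield src, f"{method} {path}", int(status)


def run_detector(log_text: str, signatures: Dict[str, re.Pattern],
                 suppressed_sources: Set[str] = frozenset()) -> List[Alert]:
    """Raise one alert per (signature, request) match, skipping suppressed sources."""
    alerts: List[Alert] = []
    for src, request, _status in parse(log_text):
        if src in suppressed_sources:
            continue
        for name, pattern in signatures.items():
            if pattern.search(request):
                alerts.append((name, src, request))
    return alerts


def tune(signatures: Dict[str, re.Pattern], disabled: Set[str],
         refined: Dict[str, re.Pattern]) -> Dict[str, re.Pattern]:
    """Drop signatures for software not deployed here and replace over-broad ones."""
    return {name: refined.get(name, pat)
            for name, pat in signatures.items() if name not in disabled}


# The three tuning decisions a consultant would make for this host (assumptions).
KNOWN_SCANNERS = {"10.0.0.5"}                       # authorised scans, not attacks
DISABLED = {"WEB-IIS unicode traversal"}            # no IIS on an Apache host
REFINED = {"WEB-MISC passwd": re.compile(r"/etc/passwd|%2fetc%2fpasswd", re.I)}


def demo() -> Tuple[List[Alert], List[Alert]]:
    """Return (untuned alerts, tuned alerts) for the constructed log."""
    untuned = run_detector(SAMPLE_LOG, SIGNATURES)
    tuned = run_detector(SAMPLE_LOG, tune(SIGNATURES, DISABLED, REFINED),
                         KNOWN_SCANNERS)
    return untuned, tuned


if __name__ == "__main__":
    untuned, tuned = demo()
    for label, alerts in (("untuned", untuned), ("tuned", tuned)):
        by_source = dict(Counter(a[1] for a in alerts))
        print(f"{label}: {len(alerts)} alerts, by source {by_source}")
    # Trade-off to note: the attacker's IIS probe (harmless against Apache)
    # no longer alerts either; tuning buys precision with some lost visibility.
```

On the constructed log the untuned rule set raises eight alerts, of which only the attacker's successful phf request is worth a page; after tuning, only that request alerts. The trade-off in the last comment is the one to keep in mind when outsourcing or automating this work: every suppression is a decision about what the analyst will no longer see.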

One trend that is currently emerging is companies outsourcing their complete security monitoring to specialized firms such as TLA in Geneva, Switzerland. They have other things to worry about; we deal with the false positives for them.


Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: July 26, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.