You have got a new IDS device installed...
Your IDS has started to see the traffic moving across your network...
Oh Yeh, your IDS has started generating Events...
What is next?
Of course, this post is about that!
Let me share the few steps you, as a security analyst, can take immediately after the IDS system has been provisioned, regardless of whether it is hardware device or a virtual device.
Step-1: Baselining
Basicially this step tells you to do 'nothing'. Yes, the first thing you should do, is to do nothing. Take observational mode. No doubt, the events are being generated from your IDS, which are a record of the currently normal behavior of your network. Let the IDS run for a reasonable period of time without deleting any event. This will allow you to collect enough data, before you start seeing the patterns of your network.
Step-2: Evaluation
Now is the time to question everything and to start making some decisions. Your decisions will revolve around the following questions:
-
Which of these events are both valuable and applicable to my environment?
-
Which events are network policy and not potential threats?
-
Is the risk of the event properly evaluated?
-
Which of these events are valuable for reporting?
-
Who should be notified when this event occurs?
My advice is that when you set out to do it first time, don't do it alone. Rather do it in a group setting with the relevant stakeholders. Later you can do it alone, as the security analyst. However, never ever forget to ask the above questions for each events. In fact, asking these questions must be your recurring theme in your analysis & reporting.
Step-3: Cutting The Noise
It is about fine-tuning our system. We want to reduce the false positives and noise as much as possible. Because your goal is to only have actionable alerts and useful reports. You don't want huge number of things to review.
How do you do that?
You do that by adjusting the current posture of your IDS, based on what you learned from the Baselining/Soak-in period and the decisions you made from the evaluation process (step-2) to reduce the number of events. In the terms of IDS, it is called the POLICY.
A policy when it is defined by you, informs your IDS--What is important and what is not. You apply the same concept of Policy to SIEM too. Never forget to archive these policies to maintain a snapshot of your security posture. Remember, these policies can also be applied to your future devices.
However, you can reduce some amount of false positives right away, e.g., reply traffic from a busy server being flagged as a scan or multicast announcements showing up as P2P or VoIP alerts, etc.
Start with the most frequent alerts and work your way down, investigating them and figuring out if you have a recurring FP. When you do, tune granularly-- don’t pick up the big hammer and smash the signature (unless it’s really bad), instead create exceptions in your policy that prevent that specific alert from firing on those IPs and ports. The idea is to reduce noise, not to blind yourself.
Step-4: Documentation
As exciting as it may be, remember not every investigation is unique. The same event or series of events is likely to occur again. Often this can be tuned and never seen again, however repeating an investigation can be a very costly effort and should be avoided. Documenting the results of your investigation is a key step to avoiding this repetition. It also has several ancillary benefits, such as:
-
If ever audited you have proof of your diligence
-
New analysts can get up to speed quicker by reading previous results
-
Metrics can be derived from this data for future automation
For some products, the Policy itself can be used as part of your documentation. If Policy changes, rules, filters or exceptions allow you to enter comments or descriptions use them to annotate who made the change, when and briefly why.
-
With a disciplined process, IDS can be one of the most valuable tools for detecting threats that find their way past your preventative controls. Following the steps above will get you started down the right path to alerts and data you can actually use and apply your analyst skills to.
Guys, what do you think about this post on handling IDS first time? How it may help you?
Please leave me your thoughts in the comment section.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM