Monday, April 15, 2013
I find it fascinating that although IDS has the potential to be used as a sharpened scalpel, picking out abnormal network activity from specific places within the packet, it is mostly used as a packet-by-packet log collector. What do I mean by this? IDS is a technology that can be equipped with a relatively small number of highly potent and actionable signatures, designed to look for activity that the organization genuinely needs to take notice of. Unfortunately, most organizations go in the complete opposite direction, deploying IDS with thousands of weak or mediocre signatures, perhaps out of fear of "missing something". The result? Anything that might have been worth looking at gets buried in 10,000 false positives per day (or more!). Worse yet, sometimes IDS becomes every analyst's favorite data source to ignore. It's a shame, really: so much potential in modern IDS devices, yet so underutilized.
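To make the "log collector versus scalpel" contrast concrete, here is the same detection goal written both ways in Snort/Suricata rule syntax, plus one example of the kind of low-noise, high-value rule the post is arguing for. These rules are constructed for this edit; they are not from the original post or from any published ruleset. They assume the standard variables ($EXTERNAL_NET, $HTTP_SERVERS, $HTTP_PORTS, $DNS_SERVERS) are defined accurately for the environment in snort.conf, and the SIDs 1000001-1000003 are placeholders in the local range.

```snort
# Rule 1: the "weak/mediocre" style. Any packet, any direction, any port,
# containing the bytes "cmd.exe" anywhere in the payload. It will fire on
# mail, file downloads, documentation pages, and ticket text about this alert.
alert tcp any any -> any any (msg:"Possible web shell - cmd.exe in traffic"; content:"cmd.exe"; nocase; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: the same idea, sharpened. Only established client-to-server traffic
# toward our web servers, only inside the normalized HTTP URI, and only when
# cmd.exe appears as the value of a query parameter (a typical web shell call).
# Each constraint removes a whole class of false positives.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Inbound HTTP request passing cmd.exe as a parameter value (web shell activity)"; flow:to_server,established; content:"cmd.exe"; http_uri; nocase; pcre:"/[?&][^&=]+=[^&]*cmd\.exe/Ui"; classtype:web-application-attack; sid:1000002; rev:1;)

# Rule 3: a "potent and actionable" rule that depends on knowing the network.
# If policy says only the resolvers in $DNS_SERVERS may talk DNS to the
# Internet, any other host doing so is worth a look every single time.
# It is precise only if $DNS_SERVERS is maintained; if it is stale, this
# becomes noise like rule 1.
alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"Outbound DNS from a host that is not an approved resolver (policy violation)"; classtype:policy-violation; sid:1000003; rev:1;)
```

Rule 2 is not strictly "better" because it matches less; it is better because every alert it produces tells the analyst where to look (an inbound request to a specific server, with the URI in the alert) and what to do next. Rule 3 shows the other half of the argument: the most actionable signatures often encode what the environment should never do rather than what attackers are known to do, and those are cheap to write once the network is actually understood.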