A tool is only as good as its crafter.
Business expenditure on network intrusion systems should be matched by investment in the staff who operate them proficiently.
Intrusion systems need a lot of care and attention.
Various abilities help with administration, but if you have someone on staff with network administrator skills who likes to play detective and has great attention to detail, put them on the IPS.
I would first like to define the difference between intrusion prevention (IPS) and intrusion detection (IDS).
An intrusion prevention device sits physically in-line (layer 1) on the connection between sites, clouds or zones. An IPS can be configured to block or modify traffic when a signature fires. It should start with all signatures enabled.
An IDS, in Cisco environments at least, receives a copy of traffic through SPAN ports configured on interfaces or VLANs. It can also be placed promiscuously on any segment to monitor it. Turn off all the signatures that would not affect the local network or systems.
I recommend daily monitoring of event logs for every IPS in the network and, where there is redundancy, monitoring the primary.
Basically, you have to determine the threat. Did the identified attack have any effect on the target it hit? Will that attack have any effect in the future? Does valid traffic sometimes fire the signature?
At the start there will be an ongoing effort to eliminate alerts for packets that are not applicable or not a perceivable threat. Eventually everything boils down to true threats and anomalies.
This is when the detective skills come in. Research every valid attempt along the various attack paths that can be judged a threat.
My approach is as follows:
- Identify the attack
- Identify the target
- Analyse the effectiveness of the attack
  - If “win” then
    - Report the incident
  - If “fail” then
    - Log and possibly baseline
- Investigate the source and trigger packet
- Investigate offensive history
- Make corrections
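The decision tree above, run over a day of IPS events, as an added example that is not code from the original post. It assumes a constructed asset inventory, constructed signature metadata, constructed event tuples, and a simple rule that sources inside `10.` are our own valid traffic; all of these are placeholders, not real data.

```python
from collections import Counter

# Constructed sample data (not from the original post): what each target actually
# runs, what each signature can affect, and a handful of IPS events.
ASSETS = {
    "10.0.1.20": {"services": {"http"}, "os": "linux"},
    "10.0.1.30": {"services": {"smb"}, "os": "windows"},
}
SIGNATURES = {
    "SIG-1001": {"service": "smb", "os": "windows"},  # hypothetical SMB exploit attempt
    "SIG-2002": {"service": "http", "os": "any"},     # hypothetical oversized HTTP header
}
# (signature, source, target, action the IPS took)
EVENTS = [
    ("SIG-1001", "203.0.113.9", "10.0.1.30", "blocked"),
    ("SIG-1001", "203.0.113.9", "10.0.1.20", "blocked"),
    ("SIG-2002", "198.51.100.5", "10.0.1.20", "alerted"),
    ("SIG-2002", "10.0.2.40", "10.0.1.20", "alerted"),
    ("SIG-2002", "10.0.2.41", "10.0.1.20", "alerted"),
]
INTERNAL = ("10.",)  # assumption: these prefixes are our own, valid traffic


def attack_applies(sig, target):
    """Identify attack + target: can this signature's attack affect this host at all?"""
    asset, rule = ASSETS.get(target), SIGNATURES[sig]
    return bool(asset) and rule["service"] in asset["services"] \
        and rule["os"] in ("any", asset["os"])


def triage(events):
    """Map each event to a disposition following the win/fail decision tree."""
    src_hits = Counter(src for _, src, _, _ in events)  # offensive history per source
    out = {}
    for ev in events:
        sig, src, dst, action = ev
        if src.startswith(INTERNAL):          # valid traffic fired the signature
            out[ev] = "tune: valid traffic fires signature"
        elif attack_applies(sig, dst) and action != "blocked":
            out[ev] = "win: report incident"  # reached a target it can affect, unblocked
        elif attack_applies(sig, dst):        # relevant but stopped: investigate repeats
            out[ev] = "fail: log; investigate source" if src_hits[src] > 1 else "fail: log"
        else:
            out[ev] = "fail: log (target not affected)"
    return out


def noisy_signatures(events, threshold=2):
    """Signatures fired by valid traffic at least `threshold` times: baseline or disable."""
    c = Counter(sig for sig, src, _, _ in events if src.startswith(INTERNAL))
    return sorted(s for s, n in c.items() if n >= threshold)
```

Unknown targets are treated as "not affected" so a stray alert does not page anyone; extend `ASSETS` before trusting that in practice.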
Start with “due diligence” on identified intrusions and try to gather all the information you need.
Mostly only small follow-ups are needed, but IPS admins end up knowing a great deal about the traffic on their network.