[Dshield] IDS Analysts

Dave Hull dphull at trustedsignal.com
Tue Jan 29 17:44:15 GMT 2008


On 1/29/08, super nova <blood.sketching at gmail.com> wrote:
> Agreed

Indeed, I was just reading this and nodding because Albert made so
many good points. An IDS Analyst needs all of these skills. Most IT
Sec people can respond to the alerts from a sensor, but in my
experience, someone with more in-depth knowledge of the underlying
protocols and technologies can more quickly sort out the false
positives from the real attacks.

I used to work in an IT Sec shop managing more than 60 sensors.
Tweaking the configs to reduce the number of false positives to a
manageable level was time consuming upfront, but once it was done the
system became much more valuable to our shop.

Our deployment put sensors at the main building terminals rather than
at the core. This gave us more granular visibility than simply running
at the core of the network. With so many people carrying around thumb
drives or laptops, having visibility closer to the edge was a big
benefit. We could isolate buildings with infections, disconnecting
them from the rest of the network as needed in order to contain
infections.

IDS can be used for more than just detecting compromised systems. We
frequently put in sigs to detect SMTP and DNS servers. At that time,
our network was just reaching the beginning of the end of the
"academic freedom" and efforts were just beginning to reel these
devices in.

-- 
Dave Hull
CISSP, GCIH, GREM, SSP-MPA, CHFI
Trusted Signal, LLC
http://trustedsignal.com
Tel. 785.424.0832
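The last paragraph of the post describes using IDS signatures to spot unsanctioned SMTP and DNS servers on the internal network. The script below is an added illustration of that idea in Python, not code from the post or from DShield: it takes constructed connection records, counts how many distinct clients each internal host serves on port 25 or 53, and reports every server that is not on a sanctioned list. The address ranges, sanctioned servers and records are all assumed sample values, and the min_clients threshold is there to show the kind of knob used to keep the false-positive rate manageable.

```python
"""Flag internal hosts acting as SMTP or DNS servers without being sanctioned.

Added example; the addresses, sanctioned lists and records are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed internal address space and the servers allowed to offer each service.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SANCTIONED = {
    "smtp": {"10.1.1.25"},
    "dns": {"10.1.1.53", "10.1.2.53"},
}
SERVICE_PORTS = {25: "smtp", 53: "dns"}

# Constructed connection records: proto src_ip src_port dst_ip dst_port
SAMPLE_RECORDS = """\
tcp 10.20.3.7 51234 10.1.1.25 25
tcp 10.20.3.7 51240 10.20.9.40 25
udp 10.20.3.8 41000 10.1.1.53 53
udp 10.20.3.8 41001 10.20.9.40 53
udp 10.20.3.9 41002 10.20.9.41 53
tcp 10.20.3.9 51250 10.20.9.40 25
udp 10.20.3.9 41003 8.8.8.8 53
tcp 10.20.3.10 51260 10.20.9.40 443
"""


def parse_records(text):
    """Turn whitespace-separated records into (proto, src, dst, dport) tuples."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash
        proto, src, _sport, dst, dport = fields
        out.append((proto, src, dst, int(dport)))
    return out


def find_rogue_servers(records, min_clients=1):
    """Return {service: {server_ip: sorted client list}} for internal hosts that
    accept SMTP/DNS connections but are not sanctioned for that service.

    Only destinations inside INTERNAL_NET count: the goal is to find servers
    running on our own network, not to judge outbound lookups.  A server is
    reported only once at least min_clients distinct hosts have talked to it.
    """
    clients = defaultdict(set)  # (service, server_ip) -> {client_ip, ...}
    for _proto, src, dst, dport in records:
        service = SERVICE_PORTS.get(dport)
        if service is None:
            continue
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            continue
        if dst in SANCTIONED[service]:
            continue
        clients[(service, dst)].add(src)

    report = defaultdict(dict)
    for (service, server), srcs in clients.items():
        if len(srcs) >= min_clients:
            report[service][server] = sorted(srcs)
    return dict(report)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for service, servers in sorted(find_rogue_servers(recs).items()):
        for server, srcs in sorted(servers.items()):
            print(f"unsanctioned {service} server {server} "
                  f"serving {len(srcs)} client(s): {', '.join(srcs)}")
```

Run as-is it reports 10.20.9.40 as both an unsanctioned SMTP and DNS server and 10.20.9.41 as an unsanctioned DNS server; the outbound query to 8.8.8.8 and the port 443 connection are ignored. Raising min_clients to 2 leaves only the SMTP case, which is the trade-off the post describes: a stricter threshold cuts noise at the cost of missing a server that only one host has used so far.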