Detection systems require tuning

Intrusion detection is the latest tool for network security, but feds who have tried it find it far from simple.

'It's easier said than done,' said Cheryl Ledbetter, information systems security officer for the Transportation Department's Transportation Administrative Services Center. 'You've got to know what you're looking for. Then you've got to look for it.'

Ledbetter and other government security officials spoke last week at a Washington conference on intrusion detection systems.

'IDS is the buzzword of the day,' said Dara Murray, director of computer security for the National Science Foundation.

'We were hacked,' she said, so installing intrusion detection was the top priority when she started her job several months ago. 'You really have to know your environment,' she said.

TASC, which supplies Transportation's backbone, discovered that installing an intrusion detection box and turning it on didn't help much. It was necessary to know the entire network and its changing traffic, understand what was normal, and decide what constituted evidence of an intrusion or attempted intrusion.

Plus, keeping an eye on the results eats a lot of resources, Ledbetter said, especially for an agency short on experienced security people.

If she were doing it over at TASC, 'I'd consider outsourcing it,' she said. That was what NSF decided to do.

'We just didn't have the expertise in-house to monitor our networks,' Murray said. NSF contracted with NetSec Technologies Inc. of Herndon, Va., for round-the-clock intrusion detection. But that did not eliminate the agency's responsibilities.

To write a statement of work, 'you have to understand what you really want,' Murray said. The network has to be documented and its vulnerabilities assessed. The agency must decide what needs to be protected and what doesn't.

'We're not really sure what our environment is because we're just getting our IDS off the ground,' Murray said.

What can happen next is that intrusion detection systems overwhelm security officials with reports.

Deluge of data

'You don't want to get too much, because the more you have, the less people are going to look at it,' said Steven Shields, network security officer for the Coast Guard's Telecommunications and Information Systems Command.

Probes by potential intruders occur almost constantly. When the Coast Guard recently brought up a new network, 'within 15 minutes we had a probe,' Shields said.

The IDS could also bog down the network, said Barton Abbott, Raytheon Co.'s director of information assurance for the Navy-Marine Corps Intranet project.

'You have to tune your systems, or you're going to get flooded,' he said. 'You can create a service denial attack on your own system by setting the intrusion threshold too low.'
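The two problems the officials describe, not knowing what normal traffic looks like and setting an alert threshold so low that the IDS floods its own operators, can be shown with a small rate-based detector. The following Python is an added example for this article and is not code from any agency or vendor named here; the connection log is constructed, and the "mean plus k standard deviations" cutoff is one common tuning rule assumed for illustration. It counts connections per source host per minute, learns a baseline from the first ten minutes, and then compares how many alerts a naive low threshold, a threshold at the baseline mean, and a baseline-derived threshold each produce over the same log, where the only event worth an analyst's attention is a 40-port burst from one host in minute 10.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log (not from the article): one line per TCP connection,
# "<minute> <src_ip> <dst_port>". Minutes 0-10 carry ordinary traffic from three
# workstations; in minute 10 a fourth host, 10.0.0.99, also opens 40 connections
# to 40 different ports. That burst is the only thing an analyst should see.
NORMAL_HOSTS = {"10.0.0.5": 4, "10.0.0.6": 5, "10.0.0.7": 6}  # connections/min
LOG_LINES = [
    f"{minute} {src} {443 if i % 2 else 80}"
    for minute in range(11)
    for src, per_min in NORMAL_HOSTS.items()
    for i in range(per_min)
] + [f"10 10.0.0.99 {port}" for port in range(1, 41)]


def connections_per_minute(lines):
    """Parse log lines into {(minute, src_ip): connection_count}."""
    counts = Counter()
    for line in lines:
        minute, src, _port = line.split()
        counts[(int(minute), src)] += 1
    return counts


def baseline(counts, training_minutes):
    """Learn what 'normal' looks like from the first training_minutes minutes:
    mean and population std-dev of the per-host, per-minute counts."""
    samples = [n for (minute, _src), n in counts.items() if minute < training_minutes]
    return mean(samples), pstdev(samples)


def alerts(counts, threshold):
    """Raise one alert for every host-minute whose count exceeds threshold."""
    return sorted(
        (minute, src, n) for (minute, src), n in counts.items() if n > threshold
    )


def tuning_report(lines, training_minutes=10, k=3.0):
    """Compare a naive low threshold against one derived from the baseline.
    Returns the number of alerts each setting produces over the same log."""
    counts = connections_per_minute(lines)
    mu, sigma = baseline(counts, training_minutes)
    tuned = mu + k * sigma  # assumed tuning rule: mean plus k standard deviations
    return {
        "baseline_mean": mu,
        "baseline_stdev": sigma,
        "alerts_threshold_3": len(alerts(counts, 3)),      # below normal: floods
        "alerts_threshold_mean": len(alerts(counts, mu)),  # still noisy
        "alerts_tuned": len(alerts(counts, tuned)),        # only the burst
        "tuned_alerts": alerts(counts, tuned),
    }


if __name__ == "__main__":
    for key, value in tuning_report(LOG_LINES).items():
        print(f"{key}: {value}")
```

With the threshold set to 3 connections per minute, every ordinary host-minute fires and the analyst gets 34 alerts for one real event; at the baseline mean the noise is still 11 false alerts; at mean plus three standard deviations only the 40-connection burst remains. The baseline is what Ledbetter means by knowing the network and what is normal; it has to be re-learned as traffic changes, or the tuned threshold drifts back into the flood.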
