Detection systems require tuning

BY WILLIAM JACKSON | GCN STAFF

Intrusion detection is the latest tool for network security, but feds who have tried it find it far from simple.

'It's easier said than done,' said Cheryl Ledbetter, information systems security officer for the Transportation Department's Transportation Administrative Services Center. 'You've got to know what you're looking for. Then you've got to look for it.'

Ledbetter and other government security officials spoke last week at a Washington conference on intrusion detection systems.

'IDS is the buzzword of the day,' said Dara Murray, director of computer security for the National Science Foundation.

'We were hacked,' she said, so installing intrusion detection was the top priority when she started her job several months ago. 'You really have to know your environment,' she said.

TASC, which supplies Transportation's backbone, discovered that installing an intrusion detection box and turning it on didn't help much. It was necessary to know the entire network and its changing traffic, understand what was normal, and decide what constituted evidence of an intrusion or attempted intrusion.

Plus, keeping an eye on the results eats a lot of resources, Ledbetter said, especially for an agency short on experienced security people.

If she were doing it over at TASC, 'I'd consider outsourcing it,' she said. That was what NSF decided to do.

'We just didn't have the expertise in-house to monitor our networks,' Murray said. NSF contracted with NetSec Technologies Inc. of Herndon, Va., for round-the-clock intrusion detection. But that did not eliminate the agency's responsibilities.

To write a statement of work, 'you have to understand what you really want,' Murray said. The network has to be documented and its vulnerabilities assessed. The agency must decide what needs to be protected and what doesn't.

'We're not really sure what our environment is because we're just getting our IDS off the ground,' Murray said.

What can happen next is that intrusion detection systems overwhelm security officials with reports.

Deluge of data

'You don't want to get too much, because the more you have, the less people are going to look at it,' said Steven Shields, network security officer for the Coast Guard's Telecommunications and Information Systems Command.

Probes by potential intruders occur almost constantly. When the Coast Guard recently brought up a new network, 'within 15 minutes we had a probe,' Shields said.

The IDS could also bog down the network, said Barton Abbott, Raytheon Co.'s director of information assurance for the Navy-Marine Corps Intranet project.

'You have to tune your systems, or you're going to get flooded,' he said. 'You can create a service denial attack on your own system by setting the intrusion threshold too low.'
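To illustrate the tuning problem Ledbetter and Abbott describe, here is an added example (not from the article or any of the agencies named) that derives a per-source alert threshold from a baseline of normal traffic and compares it with an untuned, fixed low threshold. The log lines, addresses and sensor behaviour are constructed assumptions.

```python
"""Added example: baseline-driven IDS threshold tuning on constructed logs."""
from collections import Counter
from statistics import mean, pstdev

# Constructed connection records, one "<src_ip> <dst_port>" per line.
# Baseline: ten hosts (hypothetical 10.0.0.1-10) with a normal spread of
# connection counts, as an analyst would collect before turning alerts on.
BASELINE_LOG = [
    f"10.0.0.{h} 443"
    for h, n in enumerate((2, 3, 4, 3, 2, 5, 3, 4, 2, 3), start=1)
    for _ in range(n)
]
# Current window: same hosts plus one source (10.0.0.99) touching 40 ports.
CURRENT_LOG = BASELINE_LOG + [f"10.0.0.99 {p}" for p in range(1, 41)]


def connections_per_source(lines):
    """Count connection records per source address."""
    return Counter(line.split()[0] for line in lines)


def baseline_threshold(lines, k=3.0):
    """Derive an alert threshold from normal traffic: mean + k * stddev of
    per-source counts, so hosts that are merely busy by this network's own
    standards stay below it."""
    counts = list(connections_per_source(lines).values())
    return mean(counts) + k * pstdev(counts)


def alerts(lines, threshold):
    """Return the sources whose connection count exceeds the threshold."""
    return sorted(
        src for src, n in connections_per_source(lines).items() if n > threshold
    )


def compare(current, baseline):
    """Untuned threshold (anything beyond one connection) versus a tuned one."""
    return {
        "naive": alerts(current, 1),
        "tuned": alerts(current, baseline_threshold(baseline)),
    }


if __name__ == "__main__":
    result = compare(CURRENT_LOG, BASELINE_LOG)
    print(f"untuned: {len(result['naive'])} sources flagged")  # every host
    print(f"tuned:   {result['tuned']}")                       # only 10.0.0.99
```

With the fixed low threshold every host on the network is flagged, which is the self-inflicted flood Abbott warns about; the baseline-derived threshold flags only the fan-out source.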
