Re: RE: Tuning false positives - SIM is not the answer

SIM systems are nice. They give great graphical views and good methods of 
drilling in to the info. However they are not able to do anything about cutting 
down the amount of false positives, tuning the IPS is still a must.
SIM systems have nothing to do with the fact your IDS/IPS gets 300,000 alerts 
per day. Itll just sum it up nicely for you so you dont read them one at a 
time, however if some of them are for real attacks and others from 
misconfigured network devices youre bound to miss the real attacks.
SIM will help you see trends, not find targeted attacks and if you want your 
IPS to work, you have to make a choice: lots of alarms catching lots of false 
positive (sometimes 80%-90% of alerts) or fewer alarms accepting you may be 
missing some of the more interesting attacks (either targeted or just stuff 
that gets to many false alarms in your specific environment).
You should use a SIM, but dont expect it to solve the problem of configuring 
and analyzing your alarms, this problem is as old as detection systems.

Just my $0.02
Rassel

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------