The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?
July 25, 2008 by Richard Conlan
http://cups.cs.cmu.edu/soups/2008/proceedings/p107Werlinger.pdf
This paper sought to examine, as its title suggests, whether IDSs help or hinder incident detection and response. It was motivated by a discussion group at CHI 2007.
Current IDSs still need human intervention to account for false positives and to make use of the results. The study included 34 interviews with people working in security and intrusion detection, 9 of whom were confirmed to have experience with IDSs. The authors also conducted roughly 15 hours of participatory observation.
Those who supported IDSs suggested:
- IDSs help identify problems
- they reduce uncertainty about the effectiveness of security measures
- they allow monitoring of the network without overly compromising user privacy
Those who were against IDSs suggested:
- they were expensive
- much work and time were required to tune the system
- they were unreliable, buggy, and caused dropped packets
- they lacked clear utility; it was hard to see a concrete improvement
- they often sat idle because of the cost overhead of using them
During the participatory observation a number of issues were encountered while deploying the IDS. Connecting the IDS required two ports, but the team was unable to find two available ports where they wanted them, so they ended up choosing two ports in a less interesting network. The "quick tuning" option in the GUI was insufficient to configure anything of any complexity. Because they were configuring it in a distributed environment, they encountered extra overhead in getting approval from all of the stakeholders.
Ideally the IDS would have been deployed in a critical network, but they were unable to do so, and it is hard to assess an IDS's utility without full deployment.