Last week I attended a seminar by Sourcefire. Their CTO, Martin Roesch, was the speaker. The topic was “Your Network Security Isn’t Good Enough Anymore”. This seminar was ultimately a sly sales pitch for Snort, their IDS product. Roesch talked about how there are several equal-quality IDS products available now; there is much less market differentiation between them.
1) No one is taking the time to properly configure/tune the IDS for the environment it’s placed in, which means thousands of events with many false positives.
2) The IDS events being generated are not monitored, and the average breach-to-compromise time is down to minutes in some cases, meaning you don’t have time to wait.
The next-generation Snort intends to solve both of the problems above. They’re calling their new version “Adaptive IPS”, which features their real-time network awareness (RNA) technology. This RNA module constantly surveys your network, taking inventory of the OSes, services, protocols, and potential vulnerabilities that exist. The RNA module then pushes configuration changes to Snort, auto-tuning the IDS for your network! I haven’t tried RNA myself, but Roesch claimed several customers are seeing a 90+% reduction in the number of IDS-generated events. With such a dramatic reduction in events to monitor, there should be no excuse not to monitor your network.
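To make the auto-tuning idea concrete, here is an added example (my own sketch, not Sourcefire’s RNA code or anything shown at the seminar) of the core step: take a host inventory of the kind a network survey would produce and use it to drop alerts whose signature cannot apply to the destination host. The inventory, signature IDs and alert feed are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed host inventory standing in for what an RNA-style network survey
# would collect: per host, the OS and the service behind each open port.
INVENTORY = {
    "10.0.0.5": {"os": "linux", "services": {22: "openssh", 80: "apache"}},
    "10.0.0.9": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}

@dataclass
class Alert:
    sid: int                       # signature id (constructed values)
    dst: str                       # destination host of the suspicious traffic
    dport: int                     # destination port
    target_os: Optional[str]       # OS the signature's condition applies to, if any
    target_service: Optional[str]  # service it applies to, if any

def relevance(alert: Alert, inventory=INVENTORY) -> str:
    """Classify an alert as 'drop', 'review' or 'high' from the target host's inventory."""
    host = inventory.get(alert.dst)
    if host is None:
        return "review"                      # never surveyed: keep, but do not escalate
    if alert.target_os and host["os"] != alert.target_os:
        return "drop"                        # condition for an OS this host does not run
    service = host["services"].get(alert.dport)
    if service is None:
        return "drop"                        # nothing listens on that port
    if alert.target_service and service != alert.target_service:
        return "drop"                        # different product behind the port
    return "high"                            # host is actually exposed: escalate

def tune(alerts, inventory=INVENTORY):
    """Return (kept alerts, number dropped) so the reduction can be measured."""
    kept = [a for a in alerts if relevance(a, inventory) != "drop"]
    return kept, len(alerts) - len(kept)

# Constructed alert feed: the kind of raw volume an untuned sensor produces.
SAMPLE_ALERTS = [
    Alert(1001, "10.0.0.5", 80, "windows", "iis"),    # IIS signature, host runs Apache/Linux
    Alert(1002, "10.0.0.5", 445, "windows", "smb"),   # SMB signature, port not open here
    Alert(1003, "10.0.0.9", 80, "windows", "iis"),    # IIS signature against a real IIS host
    Alert(1004, "10.0.0.9", 80, None, "apache"),      # Apache signature, host runs IIS
    Alert(1005, "10.0.0.77", 80, "linux", "apache"),  # host not in inventory
]

if __name__ == "__main__":
    kept, dropped = tune(SAMPLE_ALERTS)
    for a in kept:
        print(a.sid, relevance(a))
    print(f"dropped {dropped} of {len(SAMPLE_ALERTS)}")
```

The real product would also have to re-survey as hosts change, otherwise a stale inventory drops alerts for services that have since appeared.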
Now, if Sourcefire can create a module that will monitor and act on events, we won’t need NOCs anymore...