Interview with Judy Novak, co-author of "Network Intrusion Detection 3/e"
by Mirko Zorz - Friday, 20 February 2003.
My closest reference to the controversy is Snort, the open source IDS. Snort is in a unique position because it is a collective open source effort that has probably literally hundreds, if not thousands, of eyes scrutinizing the code and improving it. I realize that not all open source garners as much attention or interest as Snort, but because of the group development model and intelligent direction provided by Marty Roesch, you have an excellent source code offering. This makes it hard for the proprietary offerings to compete with Snort because of the ready pool of free talent and resources available.

What advice would you give to people starting to learn about intrusion detection?

First learn TCP/IP well since you'll need it to understand traffic analysis, the foundation of intrusion detection. Learning theory is great, but then you have to put the theory to practice by analyzing traffic. Assuming you have no existing IDS, I would download and install Snort and take a look at the output. There is plenty of documentation available on the Internet that gives you pointers and tips on installing and configuring Snort.

I think you also have to realize that although IDSs have come a long way, they are still in their infancy of evolution. That said, don't expect the best IDS to be even close to perfect. And even if you have the most capable IDS, as far as I'm concerned, it is next to worthless unless you have a savvy analyst. The analyst has to understand the traffic on the network before installing and customizing the IDS so that it will give you pertinent alerts and not just spew overwhelming volumes of garbage your way. I think this is one of the areas where management can be quite naive because they believe that running an IDS provides a totally automated solution. In reality, it is only the trained, savvy analyst who knows how to customize the IDS, maintain it, and comprehend the output.

I also think that doing intrusion detection can at once be both exciting and very mundane. At first, everything is new and having insight about network traffic can be an eye-opening experience. But it can soon become very routine just examining the output from the IDS. And this is where you have to challenge yourself to be curious and explore, or become a screen watcher. Some IDSs have advanced features, rules languages, and optional configurations that will allow you to finely tune the rules, correlate events, and more accurately analyze traffic. So, study the IDS and learn to get the most out of it.
