What advice would you give to people starting to learn about intrusion detection?
First, learn TCP/IP well, since you'll need it to understand traffic analysis, the foundation of intrusion detection. Learning theory is great, but then you have to put the theory into practice by analyzing traffic. Assuming you have no existing IDS, I would download and install Snort and take a look at the output. There is plenty of documentation available on the Internet that gives you pointers and tips on installing and configuring Snort.
I think you also have to realize that although IDSs have come a long way, they are still in their infancy of evolution. That said, don't expect the best IDS to be even close to perfect. And even if you have the most capable IDS, as far as I'm concerned, it is next to worthless unless you have a savvy analyst. The analyst has to understand the traffic on the network before installing and customizing the IDS so that it will give you pertinent alerts and not just spew overwhelming volumes of garbage your way. I think this is one of the areas where management can be quite naive because they believe that running an IDS provides a totally automated solution. In reality, it is only the trained, savvy analyst who knows how to customize the IDS, maintain it, and comprehend the output.
I also think that doing intrusion detection can at once be both exciting and very mundane. At first, everything is new and having insight about network traffic can be an eye-opening experience. But it can soon become very routine just examining the output from the IDS. And this is where you have to challenge yourself to be curious and explore or become a screen watcher. Some IDSs have advanced features, rules languages, and optional configurations that will allow you to finely tune the rules, correlate events, and more accurately analyze traffic. So, study the IDS and learn to get the most out of it.