by Brian Fonseca

Qualys challenges IDS detractors

news
Aug 4, 2003

Correlation engine attempts to reduce false positives

Reducing the onslaught of false-positive alerts could breathe new life into IDSes (Intrusion Detection Systems), a technology many security experts believe is set to become obsolete.

Championing that cause, Qualys last week introduced QuIDScor (Qualys IDS Correlation) at the Black Hat USA 2003 security conference in Las Vegas.

Offered as part of the QualysGuard auditing and perimeter-scanning Web service, QuIDScor acts as a correlation engine that combines QualysGuard vulnerability data with events from the open source IDS Snort. It filters out alerts aimed at an operating system the target host does not run, at a service the host does not offer, or at a vulnerability the scan shows the host is not exposed to.

The goal of this unique marriage is to prioritize events that demand immediate investigation, while simplifying the complexity associated with sifting through oceans of IDS alerts, said Gerhard Eschelbeck, CTO and vice president of engineering at Redwood Shores, Calif.-based Qualys.

Eschelbeck said an open source API allows data to be exported from QualysGuard as XML, meaning end-users can plug the module into their own IDSes.
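The three filters described above (target OS, open service, confirmed vulnerability) and the XML hand-off from the scanner are easy to show in code. The example below is added here and is not QuIDScor's code or Qualys's API: the Snort lines are constructed in Snort's alert_fast format with rule IDs in the local range, the scan export uses a hypothetical XML schema rather than QualysGuard's real one, and the rule-to-OS and rule-to-vulnerability mapping (RULE_META) and the placeholder vulnerability IDs are assumptions standing in for whatever a real deployment would pull from rule metadata and scan results.

```python
"""Correlate Snort alerts with vulnerability-scan data (constructed example)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed Snort alert_fast lines. SIDs are in the local range (>1,000,000)
# and the messages are invented for this example; they are not real Snort rules.
SNORT_ALERTS = """\
08/04-10:15:22.123456  [**] [1:1000001:1] LOCAL IIS-specific probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:41022 -> 192.0.2.10:80
08/04-10:15:23.000001  [**] [1:1000001:1] LOCAL IIS-specific probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:41023 -> 192.0.2.20:80
08/04-10:16:01.555555  [**] [1:1000002:1] LOCAL HTTP chunked-encoding overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:50000 -> 192.0.2.10:80
08/04-10:16:02.000000  [**] [1:1000002:1] LOCAL HTTP chunked-encoding overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:50001 -> 192.0.2.30:80
08/04-10:17:45.000000  [**] [1:1000003:1] LOCAL UPnP discovery [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 203.0.113.77:1900 -> 192.0.2.10:1900
"""

# Hypothetical per-rule metadata: the OS family the attack only works against
# (None = any) and the scanner vulnerability IDs that confirm exposure. The IDs
# are placeholders, not Qualys QIDs or CVE numbers.
RULE_META = {
    1000001: {"os": "windows", "vulns": set()},
    1000002: {"os": None, "vulns": {"placeholder-vuln-http-chunked"}},
    1000003: {"os": None, "vulns": set()},
}

# Constructed scan export in a hypothetical schema (not QualysGuard's real XML).
SCAN_XML = """<SCAN>
  <HOST ip="192.0.2.10" os="Sun Solaris 8">
    <SERVICE proto="tcp" port="22"/><SERVICE proto="tcp" port="80"/>
    <VULN id="placeholder-vuln-http-chunked" port="80"/>
  </HOST>
  <HOST ip="192.0.2.20" os="Microsoft Windows 2000">
    <SERVICE proto="tcp" port="25"/><SERVICE proto="tcp" port="80"/>
  </HOST>
  <HOST ip="192.0.2.30" os="Sun Solaris 8"><SERVICE proto="tcp" port="80"/></HOST>
</SCAN>"""

# Snort alert_fast: ts [**] [gid:sid:rev] msg [**] ... [Priority: N] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Host:
    ip: str
    os: str
    services: set = field(default_factory=set)  # {(proto, port)} seen open by the scan
    vulns: set = field(default_factory=set)     # vulnerability IDs the scan confirmed


def os_family(name: str):
    n = name.lower()
    if "windows" in n:
        return "windows"
    if any(k in n for k in ("solaris", "linux", "bsd", "aix", "hp-ux")):
        return "unix"
    return None  # unknown: never used to discard an alert


def parse_scan(xml_text: str) -> dict:
    hosts = {}
    for h in ET.fromstring(xml_text).findall("HOST"):
        host = Host(ip=h.get("ip"), os=h.get("os", ""))
        for s in h.findall("SERVICE"):
            host.services.add((s.get("proto").lower(), int(s.get("port"))))
        for v in h.findall("VULN"):
            host.vulns.add(v.get("id"))
        hosts[host.ip] = host
    return hosts


def parse_alerts(text: str) -> list:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # skip lines that are not alert_fast records
            alerts.append({"sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
                           "proto": m["proto"].lower(), "dst": m["dst"],
                           "dport": int(m["dport"]) if m["dport"] else None})
    return alerts


def correlate(alert: dict, hosts: dict):
    """Return (verdict, reason): 'drop', 'keep', or 'escalate'."""
    host = hosts.get(alert["dst"])
    if host is None:
        return "keep", "target not in scan data"  # cannot rule anything out
    meta = RULE_META.get(alert["sid"], {"os": None, "vulns": set()})
    if meta["os"] and os_family(host.os) and meta["os"] != os_family(host.os):
        return "drop", f"rule targets {meta['os']}, host runs {host.os}"
    if alert["dport"] is not None and (alert["proto"], alert["dport"]) not in host.services:
        return "drop", f"{alert['proto']}/{alert['dport']} not open on {host.ip}"
    if meta["vulns"]:
        if meta["vulns"] & host.vulns:
            return "escalate", "scan confirms target is vulnerable"
        return "drop", "target not vulnerable to the exploited flaw"
    return "keep", "no scan data rules this out"


def triage(alert_text: str, scan_xml: str) -> list:
    hosts = parse_scan(scan_xml)
    return [{**a, **dict(zip(("verdict", "reason"), correlate(a, hosts)))}
            for a in parse_alerts(alert_text)]


if __name__ == "__main__":
    for r in triage(SNORT_ALERTS, SCAN_XML):
        print(f"{r['verdict']:8} sid={r['sid']} -> {r['dst']}:{r['dport']}  {r['reason']}")
```

Running it classifies the five constructed alerts as one escalation (the overflow against the Solaris host the scan shows is exposed), one kept (the IIS probe against the Windows host, which nothing rules out) and three drops (wrong OS, closed UDP port, host not exposed). Two caveats a practitioner would add before trusting the drops: the scan must be recent, since a host rebuilt or a service started after the last scan will look "closed" or "not vulnerable" here, and an unknown target or unknown OS must fall through to "keep", as the code does, rather than being discarded.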

“Now is the time for security technology to start talking together and communicating, and the Web services model seems to lead into that very easily,” Eschelbeck said.

Customers who receive numerous Snort events throughout the day, such as Donald Wilkins, director of Network Services at Atlanta-based Navicure, are eager to weed out “noise” from IDS alerts to pinpoint priority threats.

Wilkins said as much as 90 percent of Snort events he reviews based on severity are irrelevant for his evaluation. “We run some Unix Web hosts, so [Snort attacks] are not grouped in [Microsoft] IIS attacks out there,” Wilkins said. “[QuIDScor] has the ability to tell me if I’m being attacked by something I need to worry about.”

Navicure, which runs Sun Solaris Web servers and Microsoft boxes for e-mail, is a healthcare-transaction and EDI company.

Cutting down false positives through automation will “stretch the life” of IDS technology and make it more palatable, said Eric Ogren, senior analyst at Boston-based The Yankee Group.

“Shrinking the output from IDS machines is a beautiful thing. I’m surprised that [security vendors] don’t do more of this,” Ogren said.