
Make the most of your IDS by beefing up your incident reports

Intrusion detection systems have come a long way over the past few years. Almost all organizations have some sort of intrusion detection system (IDS) running at the network and/or host level, and almost every IDS will automatically report bad or anomalous behavior via a console, e-mail, or paging. If configured properly, the IDS will do a good job of catching the intrusion events it knows about. It is typically the job of the security staff to monitor these events and report any problems to the manager and/or network administrator.

Once the IDS alerts you to something going on, the typical response might be to call or e-mail an administrator to pass this information along. But before you make the call or send the e-mail, take a minute to consider how best to present the information. You need to find a way to translate the raw alert into detailed information and actionable suggestions that will help defend your company's network from hostile attacks. For example, you could say something like, "We're seeing an SMB service sweep coming from 10.100.64.10 and BitTorrent activity from 10.100.55.23." However, while this information might seem useful to you, it has little or no value to the administrator who has to take action on your report.
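As an added illustration (not code from the article or its author), the following Python script turns raw Snort-style fast-format alert lines into the kind of per-source finding with a recommended action the article argues for. The alert lines, the hypothetical PLAYBOOK mapping and the function names are constructed for this example.

```python
import re
from collections import defaultdict
# Constructed Snort "fast"-format alert lines (sample data, not from the article).
SAMPLE_ALERTS = """\
05/14-09:12:01.120 [**] [1:2001:1] SMB service sweep [**] [Priority: 2] {TCP} 10.100.64.10:49231 -> 10.100.22.5:445
05/14-09:12:01.340 [**] [1:2001:1] SMB service sweep [**] [Priority: 2] {TCP} 10.100.64.10:49232 -> 10.100.22.6:445
05/14-09:12:01.560 [**] [1:2001:1] SMB service sweep [**] [Priority: 2] {TCP} 10.100.64.10:49233 -> 10.100.22.7:445
05/14-09:15:44.002 [**] [1:2181:3] P2P BitTorrent traffic [**] [Priority: 3] {TCP} 10.100.55.23:51413 -> 203.0.113.9:6881
05/14-09:15:45.118 [**] [1:2181:3] P2P BitTorrent traffic [**] [Priority: 3] {TCP} 10.100.55.23:51413 -> 203.0.113.9:6881
garbled line that is not an alert -- parse_alerts() skips it
"""
ALERT_RE = re.compile(
    r"(?P<ts>\S+) \[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<prio>\d+)\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Hypothetical playbook: the concrete step an administrator should take per signature.
PLAYBOOK = {
    "SMB service sweep": "isolate the source host and check the targets' SMB logs for lateral movement",
    "P2P BitTorrent traffic": "contact the host owner and block at egress if not authorised by policy",
}
def parse_alerts(text):
    # Lines that do not match the fast format are ignored instead of aborting the report.
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]
def summarise(events):
    # Group by (source, signature) so one finding covers a whole sweep rather than each probe.
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["msg"])].append(ev)
    report = []
    for (src, msg), evs in sorted(groups.items()):
        report.append({
            "source": src, "signature": msg, "count": len(evs),
            "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
            "targets": sorted({e["dst"] for e in evs}),
            "dest_ports": sorted({int(e["dport"]) for e in evs}),
            "priority": min(int(e["prio"]) for e in evs),  # Snort: lower number = more urgent
            "action": PLAYBOOK.get(msg, "no playbook entry; triage manually"),
        })
    return report

def render(report):
    # One line per finding: who, what, how many, against whom, when, and what to do about it.
    return "\n".join(
        f"[P{r['priority']}] {r['signature']} from {r['source']}: {r['count']} alerts against "
        f"{len(r['targets'])} host(s) on port(s) {r['dest_ports']}, {r['first_seen']} to "
        f"{r['last_seen']}. Action: {r['action']}." for r in report)

if __name__ == "__main__":
    print(render(summarise(parse_alerts(SAMPLE_ALERTS))))
```

Three SMB probes collapse into one finding against three hosts on port 445, and the malformed line is dropped rather than breaking the report.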
