Enjoy the silence - overcoming noisy IDSs

By Antony Farrow
July 16, 2020

There’s an old Polish proverb that says: “A noisy cow gives little milk.” This saying is aptly applied to Intrusion Detection Systems (IDS) in the realm of cybersecurity.

Everybody has IDSs, as they should, but they have become a major pain point for security teams. As Field CTO, I'm out there every day visiting and talking to CISOs, and the issue of noisy IDSs never fails to come up.

What role do IDSs play in your security network, and why are they so noisy?

The role of an IDS is to monitor a network or system for malicious activity or policy violations. The reason IDSs are so noisy is that they are everywhere. Because they are Internet facing, they are effectively open to the world. They monitor both east/west and north/south traffic: department to department, users to services and vice versa.

But more than any other security tool, IDSs are trigger happy. A single indicator can lead an IDS to declare an anomaly, even without any relevant context, leading to mountains of false positives. Many signature-based IDSs run signatures that are old, poorly defined or not effectively maintained, hence even more false alerts.

For example, when we run an internal vulnerability assessment in our network, the IDS picks it up (it's really good at that). The vulnerability scanning tool tries every method available to work out the next stage of a vulnerability, whether or not it succeeds, and every line of that interrogation shows up. The IDS records all of this activity: very thorough, but VERY noisy.

The result of all this is hundreds of thousands, even millions of alerts every day to the security team. I hear this from all sorts of organizations, from small colleges with a few thousand hosts, to huge telcos with over one hundred thousand hosts. Even the large SOC teams with dozens of analysts at some of the biggest companies can’t deal with the daily barrage of alerts from their IDS.

What can be done to better manage noisy IDSs?

So how do SOC teams try to deal with their noisy IDS tools? One way is to configure them so that a certain percentage of alerts is automatically discarded. But this is risky, as we can't be confident that the type of alerts we "drop" don't hold valuable information about real potential threats.

There are a number of steps security professionals can take to improve the performance of their IDS tools, and lower the noise:

  1. Classify each triggered attack signature into its MITRE ATT&CK™ representation. ATT&CK is a common language used by SOC analysts, which allows teams to accelerate investigation and response.
  2. Prioritize the identified MITRE ATT&CK™ techniques and tactics for your organization: Which types of technique matter more? Which matter less? Who is the attack targeting (i.e., focus on the entities in the organization)? Then define your dashboards accordingly.
  3. Eliminate noise: correlate triggered attack signatures (classified into these prioritized MITRE ATT&CK™ behaviors) with other third-party data sources to triage and validate each alert, including an integration with vulnerability assessment tools.
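The three steps above, and the vulnerability-scanner noise described earlier, can be shown end to end on a handful of Suricata-style alerts. The following Python is an added example and is not code from the article, from empow or from the Suricata project. It assumes alerts arrive as Suricata EVE-JSON lines carrying ATT&CK ids in the rule metadata (the `mitre_technique_id` key the Emerging Threats rules populate); the hosts, signature ids, CVE ids, technique weights, scanner window and vulnerability findings are all constructed for the demonstration. Instead of dropping a blind percentage of alerts, it suppresses only the authorised scanner inside its window, maps every remaining alert to a technique, and boosts alerts whose CVE the vulnerability-assessment tool has confirmed open on the target host.

```python
import json
from datetime import datetime, timezone

# Constructed sample input: Suricata EVE-JSON alert lines (trimmed to the fields
# this example reads). Hosts, signature ids/names and CVE ids are made up.
SAMPLE_EVE_LINES = [
    # authorised vulnerability scanner probing an internal host inside its window
    '{"timestamp":"2020-07-16T02:10:00+0000","event_type":"alert","src_ip":"10.0.1.5","dest_ip":"10.0.9.8",'
    '"alert":{"signature_id":900001,"signature":"EXAMPLE SCAN service probe","severity":3,'
    '"metadata":{"mitre_technique_id":["T1046"]}}}',
    # same scanner host outside its window: must NOT be suppressed
    '{"timestamp":"2020-07-16T14:10:00+0000","event_type":"alert","src_ip":"10.0.1.5","dest_ip":"10.0.9.8",'
    '"alert":{"signature_id":900001,"signature":"EXAMPLE SCAN service probe","severity":3,'
    '"metadata":{"mitre_technique_id":["T1046"]}}}',
    # exploit attempt whose CVE the VA tool reports as open on the target
    '{"timestamp":"2020-07-16T14:12:00+0000","event_type":"alert","src_ip":"10.0.5.20","dest_ip":"10.0.9.8",'
    '"alert":{"signature_id":900002,"signature":"EXAMPLE EXPLOIT web app RCE attempt","severity":1,'
    '"metadata":{"mitre_technique_id":["T1190"],"cve":["CVE-0000-0001"]}}}',
    # same exploit against a host the VA tool shows is not vulnerable
    '{"timestamp":"2020-07-16T14:13:00+0000","event_type":"alert","src_ip":"10.0.5.20","dest_ip":"10.0.9.9",'
    '"alert":{"signature_id":900002,"signature":"EXAMPLE EXPLOIT web app RCE attempt","severity":1,'
    '"metadata":{"mitre_technique_id":["T1190"],"cve":["CVE-0000-0001"]}}}',
    # signature with no ATT&CK metadata: falls back to the local table
    '{"timestamp":"2020-07-16T14:15:00+0000","event_type":"alert","src_ip":"10.0.9.8","dest_ip":"198.51.100.7",'
    '"alert":{"signature_id":900003,"signature":"EXAMPLE POLICY outbound DNS to rare TLD","severity":2}}',
    # a non-alert event and a truncated line: both must be skipped, not crash the pipeline
    '{"timestamp":"2020-07-16T14:16:00+0000","event_type":"flow","src_ip":"10.0.9.8","dest_ip":"10.0.9.9"}',
    '{"timestamp":"2020-07-16T14:17:00+0000","event_type":"alert","src_ip":"10.0.',
]

# Assumed, organisation-defined inputs (step 2): which techniques matter most here,
# plus a local fallback map for signatures that carry no ATT&CK metadata.
TECHNIQUE_PRIORITY = {"T1190": 10, "T1046": 3, "T1071": 6}
SIGNATURE_TO_TECHNIQUE = {900003: "T1071"}

# Assumed third-party data (step 3): the VA tool's last scan as host -> open CVEs,
# and the scanner's source host with its authorised scan window (UTC).
VULN_FINDINGS = {"10.0.9.8": {"CVE-0000-0001"}}
SCAN_WINDOWS = [("10.0.1.5",
                 datetime(2020, 7, 16, 2, 0, tzinfo=timezone.utc),
                 datetime(2020, 7, 16, 3, 0, tzinfo=timezone.utc))]


def parse_eve(lines):
    """Yield only well-formed alert events; malformed or non-alert lines are dropped."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert" and "alert" in ev:
            yield ev


def classify(ev):
    """Step 1: map the signature to an ATT&CK technique id, or 'unmapped'."""
    ids = ev["alert"].get("metadata", {}).get("mitre_technique_id")
    if ids:
        return ids[0]
    return SIGNATURE_TO_TECHNIQUE.get(ev["alert"]["signature_id"], "unmapped")


def in_authorised_scan(ev):
    """True if the alert comes from the VA scanner inside its scheduled window."""
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
    return any(ev["src_ip"] == host and start <= ts <= end
               for host, start, end in SCAN_WINDOWS)


def triage(lines):
    """Steps 1-3 together: classify, suppress expected scanner noise, correlate, rank."""
    ranked = []
    for ev in parse_eve(lines):
        if in_authorised_scan(ev):
            continue  # known scanner traffic, not a blind percentage cut
        technique = classify(ev)
        score = TECHNIQUE_PRIORITY.get(technique, 1)
        cves = set(ev["alert"].get("metadata", {}).get("cve", []))
        validated = bool(cves & VULN_FINDINGS.get(ev["dest_ip"], set()))
        if validated:
            score *= 3  # target is confirmed vulnerable to what the signature saw
        ranked.append({
            "timestamp": ev["timestamp"], "src": ev["src_ip"], "dest": ev["dest_ip"],
            "signature": ev["alert"]["signature"], "technique": technique,
            "validated": validated, "score": score,
        })
    ranked.sort(key=lambda a: a["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for a in triage(SAMPLE_EVE_LINES):
        print(f'{a["score"]:3d} {a["technique"]:<9} validated={a["validated"]!s:<5} '
              f'{a["src"]} -> {a["dest"]}  {a["signature"]}')
```

Run as-is, the four surviving alerts come out ranked 30, 10, 6, 3: the validated exploit attempt against the host the scanner knows is unpatched floats to the top, the scanner's in-window probe disappears, and the two unparseable or non-alert lines are skipped silently. The weights and the `score *= 3` boost are deliberately simple; in practice they would come from the prioritisation exercise in step 2 rather than be hard-coded.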

At the end of the day, IDSs are only doing what they are supposed to do: alert. But to get the "milk" from this noisy cow, the IDS must be paired with tools that take the mass of alerts and use automation to sift through them, surfacing to the SOC team a much smaller set of truly high-risk alerts.

I was working with a billion-dollar manufacturing company whose Suricata IDS alerted about a malicious internal host. The alert could easily have gotten lost in the mountain of over a hundred thousand alerts it brought in that day, and shut the factory down, causing grave damage to the business. With the combination of the automation technology that we brought to the table and Suricata's alert, we were able to weed out this truly high-risk alert from the haystack and stop the attack in its tracks.

I began with a Polish proverb, and so I'll end with another proverb, this time an African one: "Noise and hunting don't go together." This is as true in the wild desert of security networks as it is on the African savannah.

KEYWORDS: cyber security, information security, intrusion detection, network security, Security Operations Center (SOC)

Antony Farrow is Field CTO at empow. Antony has been a key team member at empow since the company's founding in 2015, currently serving as Field CTO. Antony has over 20 years of experience in engineering and sales support, at companies including Nortel Networks EMEA, Crossbeam and Plexxi.
