Title: Ruling the Rules: Quantifying the Evolution of Rulesets, Alerts and Incidents in Network Intrusion Detection

Authors: Vermeer, M. (TU Delft Organisation & Governance); van Eeten, M.J.G. (TU Delft Organisation & Governance); Hernandez Ganan, C. (TU Delft Organisation & Governance)

Date: 2022

Abstract:
Notwithstanding the predicted demise of signature-based network monitoring, it is still part of the bedrock of security operations. Rulesets are fundamental to the efficacy of Network Intrusion Detection Systems (NIDS). Yet, they have rarely been studied in production environments. We partner with a Managed Security Service Provider (MSSP) to gain more insight into the evolution of rulesets, the alerts that they trigger and the incidents that get investigated. We analyze a combined ruleset - including both commercial and proprietary rules - that consists of 130 thousand rules and was used to monitor hundreds of networks. We find that these rulesets keep growing over time, but there is almost no overlap among them in terms of detection options or what indicators of compromise they contain. The combined ruleset triggered more than 62 million alerts and led to 150 thousand incident investigations by SOC analysts, though the vast majority of rules never triggered a single alert. We find that just 0.5% of all rules are responsible for more than 80% of the alerts and incidents, and only 1.2% of all alerts were deemed to merit closer investigation. Of all incidents, 16% were labeled as false positives and 9% carried significant risk to the client organization. Independently of the type of rule, updating rules is a minor activity. Most rules are never modified and only a fraction are deleted, except for periodic purges in some sets. Seven in-depth interviews with rule developers corroborate the patterns we found in our analysis.

Finally, we identify several rule management practices that influence rule and ruleset efficacy, such as supplementing commercial rules with your own and making rules as specific as possible.

Subject: alerts; intrusion detection; network security; nids; rules; soc

To reference this document use: http://resolver.tudelft.nl/uuid:b8271b80-a38e-41f1-8455-a728040ce795

DOI: https://doi.org/10.1145/3488932.3517412

Publisher: Association for Computing Machinery (ACM)

ISBN: 978-1-4503-9140-5

Source: ASIA CCS 2022 - Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security

Event: 17th ACM ASIA Conference on Computer and Communications Security 2022, ASIA CCS 2022, 2022-05-30 to 2022-06-03, Virtual, Online, Japan

Series: ASIA CCS 2022 - Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security

Part of collection: Institutional Repository

Document type: conference paper

Rights: © 2022 M. Vermeer, M.J.G. van Eeten, C. Hernandez Ganan

Files: 3488932.3517412.pdf (PDF, 994.65 KB), /islandora/object/uuid:b8271b80-a38e-41f1-8455-a728040ce795/datastream/OBJ/view