I'm sure this topic of discussion has come up many times before, though I haven't really seen a whole lot of in-depth discussion about it.
I manage HIP on more than 20,000 endpoints (all workstations, no servers) and we use IPS turned on for blocking on High signatures only. We routinely trigger IPS events on a daily basis, usually 50-100 per day. We have over 100 remote offices and I don't have a lot of access to these machines (either remote or local). My trouble is that I cannot really prove whether or not any of these IPS signature hits are actually malicious or not.
My management has been inquiring as to whether or not the IPS is useful for our enviornment. I'm sure it's blocking some malicious stuff, but I don't really know. They want to know if we had X number of threats to our systems blocked in X amount of time. I can show the IPS events that we have, but I know that a lot of them are false positives.
Does anyone have a methodology they use for determining whether a particular IPS event is malicious or a false positive? Please see the attached screenshots... this is the only type of information I have to go on to research these. The problem is, after the fact, even if I contacted the user they wouldn't have any idea what they were doing at that particular time when the event occurred, and there isn't going to be any other evidence of the event on the actual endpoint.
Screenshot 1: Generic Buffer Overflow
Screenshot 2: Internet Explorer HTA Execution Vulnerability
Screenshot 3: Vulnerability in Windows Media Player ASX PlayList File