“Did I hear you right? You often deal with a 20% false positive rate in IDS? How many hits is that in a day? Do you monitor logs like that for your clients all the time? How do you escalate?”
Excellent questions.
Let me first say that intrusion monitoring and analysis takes actual work, every single day. It's someone's job. There is simply no way to completely automate this function in any enterprise. (Though it can be outsourced.)
Given that, the person (or team) that is doing the ongoing tuning/monitoring is probably going to gain a very good sense of what's "normal" and what's not. Experience, both with IDS in general, and with a specific enterprise's traffic is what makes 20% not too onerous to deal with.
Absolute numbers matter too. If you're only getting a few hundred events per day, 20% is no big deal. If you're getting tens of thousands per day, that might be a bit rough. What's average? That just depends on the size of the enterprise, the number of ingress points, the amount of traffic, the number of exposed services, sensor placement, and so forth.
I don't personally provide operational event monitoring on an ongoing basis for any of my clients, but there are services that do. Counterpane comes to mind, but there are others. Some of my clients outsource that task, others do it in-house.
But in either model, *someone* has to monitor the events, decide which require some remediation, and escalate them appropriately. How do we decide? It depends on the threat.
Sometimes it's as simple as manually comparing the captured traffic to the signature it triggered in order to determine *why* (not all IDSs support that level of inspection though). In other cases it might involve the work of correlating all of the events for a specific system, to see if there's a pattern that appears to lead to compromise. In yet other cases it may involve tracking down the system involved and inspecting it for any further evidence of a successful compromise.
Hope that helps.
/jonathan
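The two analysis steps described in the reply above, as an added example that is not part of the original post: re-checking *why* a content signature fired by locating its pattern in the captured payload, and correlating every alert for one host to see whether they line up as recon, then exploit, then outbound traffic. The signature table, the alert record layout, the payloads and the stage labels are all constructed for illustration; they do not represent any real IDS log format or ruleset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed signature table (hypothetical, not a real ruleset):
# sid -> (name, attack stage, content pattern the rule matches on, or None)
SIGNATURES = {
    1001: ("SCAN probe to many ports", "recon", None),
    2001: ("WEB-IIS cmd.exe access", "exploit", b"cmd.exe"),
    3001: ("IRC channel join from server", "c2", b"JOIN #"),
}

# Constructed alert records: (timestamp, sid, src, dst, captured payload)
ALERTS = [
    ("2003-05-01 09:01:10", 1001, "10.0.0.7", "192.168.1.20", b""),
    ("2003-05-01 09:02:30", 2001, "10.0.0.7", "192.168.1.20",
     b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("2003-05-01 09:05:12", 3001, "192.168.1.20", "10.0.0.7",
     b"NICK srv20\r\nJOIN #chan\r\n"),
    # Same signature, but a benign documentation fetch: the analyst decides
    ("2003-05-01 10:15:00", 2001, "172.16.0.9", "192.168.1.30",
     b"GET /docs/cmd.exe-faq.html HTTP/1.1"),
    ("2003-05-01 11:00:00", 1001, "172.16.0.9", "192.168.1.30", b""),
]

STAGES = ("recon", "exploit", "c2")   # order that suggests a compromise


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def explain(alert):
    """Show why a content signature fired: the pattern, its byte offset in
    the captured payload and a little surrounding context.  Returns None
    when the rule has no content pattern or the pattern is absent from
    the capture (a mismatch worth a closer look at the sensor itself)."""
    _, sid, _, _, payload = alert
    name, _, pattern = SIGNATURES[sid]
    if pattern is None:
        return None
    off = payload.find(pattern)
    if off < 0:
        return None
    lo, hi = max(0, off - 12), off + len(pattern) + 12
    return {"sid": sid, "name": name, "offset": off,
            "context": payload[lo:hi].decode("latin-1")}


def victim_of(alert):
    """The internal host an alert is about: the destination for inbound
    stages, the source for outbound (c2) traffic."""
    _, sid, src, dst, _ = alert
    return src if SIGNATURES[sid][1] == "c2" else dst


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts per host and look for recon -> exploit -> c2 in time
    order, all within `window` of the first stage.  Returns
    {host: [stages seen]} for hosts that show the complete chain."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[victim_of(a)].append((parse_ts(a[0]), SIGNATURES[a[1]][1]))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        start, want, seen = None, 0, []
        for ts, stage in events:
            if start is not None and ts - start > window:
                start, want, seen = None, 0, []   # chain went stale; restart
            if stage == STAGES[want]:
                start = start or ts
                seen.append(stage)
                want += 1
                if want == len(STAGES):
                    flagged[host] = seen
                    break
    return flagged


if __name__ == "__main__":
    for a in ALERTS:
        print(a[0], SIGNATURES[a[1]][0], explain(a))
    for host, chain in correlate(ALERTS).items():
        print("ESCALATE", host, "->".join(chain))
```

In this constructed data both `2001` hits are genuine pattern matches, so `explain()` cannot by itself call the second one a false positive; it only shows the analyst the matched bytes in context so the judgement is quick. `correlate()` does the per-host step from the reply: host 192.168.1.20 shows the full chain inside an hour and is escalated, while 192.168.1.30 only has an isolated exploit-signature hit followed by a probe and is left for the analyst.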