Dailydave mailing list archives
Re: Britney and Kevin are Chaotic
From: Steve Lord <steve () buyukada co uk>
Date: Fri, 27 May 2005 18:54:21 +0100
byte_jump wrote:
I see two options. Get your house in order or give up and go to the pub. For many organisations, the pub seems to be unanimously preferable. This is a question for everyone that is bashing IDS: What is an alternative?
The problems I see with IDS are (in no particular order, and you may see others):
After the event notification: This wouldn't be so bad if there was some kind of snapshotting functionality so that systems could be re-built/rolled back fairly quickly, but people don't do this. They're sold a box solution to detect and block hackers.
False positives: You've been hit by a worm. You've been hit by a worm. You've been hit by a worm etc.
Religious baselining of the network/host required: Most organisations with infrastructures of any real size don't know what services they have, what they're running, what they're doing. The effort required in configuring IDS/IPS/IBS properly is so great that in some cases it's just not practical. I believe that I[D/P/B]S can provide some assurance if the scope is well-defined with specific assets in mind, but for many it's simply deployed almost at random.
I think the solution is better monitoring. Most organisations I've met are unsuitable for IDS because they don't know *what* they're trying to protect, let alone how they implemented it. Simply setting up effective centralised logging goes a long way towards solving the problem. Once you know what you want to protect, how much it's worth and what threats there are, you'll know what risks to mitigate against. Furthermore, if you consider the accountability part of CIA principles (Confidentiality, Integrity, Availability and Accountability - it used to be CIA2) you'll see that IDS should fit into your existing monitoring and reporting functions, rather than *being* your monitoring and reporting functions. If someone has better ideas that aren't a product, please tell me because I'd really like to know!
Steve
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave