Dailydave mailing list archives

Re: lots of monkeys staring at a screen....security?


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 28 Oct 2006 00:56:32 -0500 (CDT)

On Fri, 27 Oct 2006, liquidfish wrote:
There is another value that IDS can afford a business which has not yet been
discussed in this thread. I agree 100% with the previous comments on the
worth (or lack thereof) of an IDS in catching and responding to attacks in
progress.

However, there is value in trending from the alerts of an IDS. By monitoring
and trending what types of attacks your network sees the most of, and which
parts of the network have the higher number of attacks, you can begin to
understand where your focus for future security projects should be and help
decide what types of things should be budgeted for. I will agree that in
many cases these things should already be obvious and you shouldn't need an
IDS to tell you them, but there are cases where many admins are surprised
when they start paying attention and see what is really going on, as opposed
to what they assumed was going on. Additionally, generating pretty graphs
from IDS alert trending to present to upper management can often help them
understand the need to budget for things you already know need to be taken
care of. See a lot of web application attacks? Show management the numbers
and finally get that budget set aside to send the web developers to some
secure programming training etc.

IDS can provide value; people's (more often than not, management's)
expectations of what that value is just need to catch up with reality.

This is somewhat close to heart here now, as, for example, McAfee is the
first (among many to come) trying to re-brand IPS or other products as
save-all solutions for botnets, now a buzzword.

So, let us list what I[DP]S does right:
1. Policy enforcement.
2. Board-room budget meeting graphs and statistics generation.
3. ...?

The only place I had use for an IDS was when I ran security for the Israeli
Gov't Internet Security Operations. I cared about "everything".

That does not apply to nearly any organization out there.

        Gadi.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
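The trending use liquidfish describes above (which attack classes the sensor sees most, and which network segments draw them) is easy to get out of plain alert logs without a product's dashboard. The script below is an added example written for this archive page; it is not code from the thread, from either poster, or from any IDS vendor. It assumes alerts in the Snort-style "fast" one-line layout (timestamp, `[gid:sid:rev]`, message, classification, priority, protocol and the `src:port -> dst:port` pair); the sample lines, the internal address ranges (`INTERNAL_NETS`) and the year (the fast layout omits it) are all constructed assumptions, so adjust `ALERT_RE`, `INTERNAL_NETS` and the `year` argument for a real sensor.

```python
"""Trend IDS alerts by attack class, by internal network segment and by day.

Added example for the Dailydave thread; not the posters' or any vendor's code.
Assumes Snort-style "fast" alert lines; sample data below is constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alerts (assumption: your sensor emits this layout).
SAMPLE_ALERTS = """\
10/23-09:14:02.118233  [**] [1:1000001:1] WEB-ATTACK sqli attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51324 -> 198.51.100.20:80
10/23-09:15:40.002311  [**] [1:1000002:1] SCAN syn probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4000 -> 198.51.100.21:22
10/24-11:02:17.553100  [**] [1:1000001:1] WEB-ATTACK sqli attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51390 -> 198.51.100.20:80
10/24-11:09:48.000019  [**] [1:1000003:1] WEB-ATTACK directory traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.8:60011 -> 198.51.100.22:443
10/25-02:31:11.091283  [**] [1:1000004:1] MALWARE irc bot checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.40:40123 -> 192.0.2.45:6667
10/26-14:45:09.777777  [**] [1:1000001:1] WEB-ATTACK sqli attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51402 -> 198.51.100.20:80
"""

# Assumed address space of the monitored network; alerts are attributed to
# whichever side (destination first, then source) falls inside it.
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line, year=2006):
    """Parse one fast-format alert line; return a dict or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    # The fast layout carries no year, so the caller supplies it.
    a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S")
    a["sid"] = int(a["sid"])
    a["pri"] = int(a["pri"])
    return a


def parse_alerts(text, year=2006):
    """Parse a whole log, silently skipping lines that are not alerts."""
    return [a for a in (parse_alert(l, year) for l in text.splitlines()) if a]


def count_by_class(alerts):
    """Which attack classes dominate (the 'lots of web app attacks' number)."""
    return Counter(a["cls"] for a in alerts)


def internal_side(alert, internal_nets):
    """Return the internal IP the alert concerns, or None if neither side is internal."""
    for field in ("dst", "src"):
        ip = ipaddress.ip_address(alert[field])
        if any(ip in net for net in internal_nets):
            return ip
    return None


def count_by_segment(alerts, internal_nets, prefix=24):
    """Which parts of the network draw the most alerts, bucketed by /prefix."""
    segs = Counter()
    for a in alerts:
        ip = internal_side(a, internal_nets)
        if ip is None:
            continue  # purely external traffic; not a segment we own
        segs[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return segs


def daily_trend(alerts):
    """Per-class counts per day, the series you would plot for a budget meeting."""
    trend = defaultdict(Counter)
    for a in alerts:
        trend[a["cls"]][a["time"].strftime("%Y-%m-%d")] += 1
    return {cls: dict(sorted(days.items())) for cls, days in trend.items()}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("by class:  ", count_by_class(alerts).most_common())
    print("by segment:", count_by_segment(alerts, INTERNAL_NETS).most_common())
    for cls, days in daily_trend(alerts).items():
        print(f"{cls}: {days}")
```

The segment attribution deliberately prefers the destination but falls back to the source, so an outbound bot check-in (the fifth sample line) lands on the internal host's segment rather than on the external C2 address; without that rule the "where is it happening" graph silently drops exactly the alerts that matter for the botnet discussion in the post.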
