IDS mailing list archives
RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me)
From: "Mike Lyman" <mlyman () west-point org>
Date: Sat, 14 Jun 2003 11:41:40 -0700
So most IDS systems are a waste of money. They may be useful if they are installed by a MSSP who actually understands security, but not by the average sysadmin handed another box and told to install the IDS because the auditors say we need one.
I've given this area a lot of thought lately because we are reevaluating parts of our system and I've talked with other orgs where their IDS deployments have been at best disappointing and in some cases disasters. In my mind, IDSs can serve four basic purposes:

1) Intelligence gathering
2) Investigation support
3) Real-time intrusion detection and investigation
4) Intrusion Prevention

I've listed them in order of what I think the resources and knowledge required are. The lines blur between the purposes quite a bit; intelligence gathering systems can occasionally result in intrusion prevention, and intrusion prevention can certainly provide intelligence. Still, I think the four basic purposes are a good way to look at things.

I think most deployments are a disappointment because too many places aim immediately for 3 & 4 without the knowledge, experience or resources to make it successful. It is better to start small, gain experience and grow as you are able. Some may argue that starting small will not get you the full benefit of IDS, but you will gain some benefit, and some benefit is better than none and could very well be better than a failed deployment.

A good example of starting small was our deployment of HIDS. Most people seem to think about targeting their critical systems immediately. We went after the desktops first. Our thinking was based on a number of things. First, at the time we lacked the testing resources to do the testing necessary to move into business critical systems, and at the time if we impacted performance at all, we'd have to be willing to cough up the resources to make up for the impact. Second, we knew the desktops were the low hanging fruit that would be the places first targeted by an intruder. Third, we knew that we could detect reconnaissance just as well on the desktops as we could on the servers, and probably better because there are more desktops.
Finally, there are lots of spare resources on the desktop, and impacts there were far less likely to be noticed and, if necessary, we could easily uninstall things. Admittedly, that desktop HIDS deployment was done as the path of least resistance, but in hindsight it was a good approach that allowed us to gain the experience that allowed us to move into the critical systems with a far more intelligent plan than we would have put together when we first looked at HIDS. We had proven the technology worked and that we could gain benefit from it by just shooting for investigation support and occasionally stretching things to real-time detection.

We have always shot for 1 and 2 and still have occasionally been disappointed by parts of our deployment, but those disappointments never resulted in us scrapping IDS completely. In shooting for 1 and 2, we have gained valuable experience, learned to tune things for our environment and been able to sometimes create and stretch things into 3 and 4 without the resources that are often required to normally get to those levels.

Of course there are exceptions. Small environments or environments with the right people and skills might get to 3 and 4 quickly and with fewer resources than other places, and improved technology is helping as well. As usual, YMMV. Sometimes it is better to look for even a partial solution than a 100% solution. You still get benefit and are less likely to fail than you are shooting for a complete solution in one fell swoop when you are ill prepared for the complete solution.

Mike Lyman CISSP
mlyman () west-point org
pgp keyid 0xD7BBADAD