IDS mailing list archives

RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me)


From: "Mike Lyman" <mlyman () west-point org>
Date: Sat, 14 Jun 2003 11:41:40 -0700

  So most IDS systems are a waste of money. They may be 
useful if they are installed by a MSSP who actually 
understands security, but not by the average sysadmin handed 
another box and told to install the IDS because the auditors 
say we need one.

I've given this area a lot of thought lately because we are
reevaluating parts of our system and I've talked with other orgs where
their IDS deployments have been at best disappointing and in some
cases disasters.

In my mind, IDSs can serve four basic purposes:

1) Intelligence gathering
2) Investigation support
3) Real-time intrusion detection and investigation
4) Intrusion Prevention

I've listed them in order of what I think the resources and knowledge
required are. The lines blur between the purposes
quite a bit and intelligence gathering systems can occasionally result
in intrusion prevention and intrusion prevention can certainly provide
intelligence. Still, I think the four basic purposes are a good way to
look at things.

I think most deployments are a disappointment because too many places
aim immediately for 3 & 4 without the knowledge, experience or
resources to make it successful. It is better to start small, gain
experience and grow as you are able. Some may argue that starting
small will not get you the full benefit of IDS but you will gain some
benefit and some benefit is better than none and could very well be
better than a failed deployment.

A good example of starting small was our deployment of HIDS. Most
people seem to think about targeting their critical systems
immediately. We went after the desktops first. Our thinking was based
on a number of things. First, at the time we lacked the testing
resources to do the testing necessary to move into business critical
systems and at the time if we impacted performance at all, we'd have
to be willing to cough up the resources to make up for the impact.
Second, we knew the desktops were the low hanging fruit that would be
the places first targeted by an intruder. Third, we knew that we could
detect reconnaissance just as well on the desktops as we could on the
servers and probably better because there are more desktops. Finally,
there are lots of spare resources on the desktop and impacts there
were far less likely to be noticed and if necessary, we could easily
uninstall things.

Admittedly, that desktop HIDS deployment was done as the path of least
resistance but in hindsight, it was a good approach that allowed us to
gain the experience that allowed us to move into the critical systems
with a far more intelligent plan than we would have put together when
we first looked at HIDS. We had proven the technology worked and that
we could gain benefit from it by just shooting for investigation
support and occasionally stretching things to real-time detection. 

We have always shot for 1 and 2 and still have occasionally been
disappointed by parts of our deployment but those disappointments
never resulted in us scrapping IDS completely. In shooting for 1 and 2,
we have gained valuable experience, learned to tune things for our
environment and been able to sometimes create and stretch things into
3 and 4 without the resources that are often required to normally get
to those levels.

Of course there are exceptions. Small environments or environments
with the right people and skills might get to 3 and 4 quickly and with
fewer resources than other places, and improved technology is helping
as well. As usual, YMMV.

Sometimes it is better to look for even a partial solution than a 100%
solution. You still get benefit and are less likely to fail than you
are when shooting for a complete solution in one fell swoop while you
are ill prepared for the complete solution.

Mike Lyman
CISSP
mlyman () west-point org
pgp keyid 0xD7BBADAD 

