IDS mailing list archives
RE: Is IDS/IPS worthless?
From: "Bob Walder" <bwalder () spamcop net>
Date: Thu, 26 Feb 2004 08:29:55 +0100
Andrew, EXACTLY the same thing happens with network management - there are plenty of stories doing the rounds about the OpenView console that sits on a shelf in a darkened room somewhere with little red icons flashing, but everyone ignores it because no one knows how this big complex network management system works since old Fred retired....

Anti-virus products received lots of negative press in the early days - stories of vendors inventing and releasing viruses to boost sales, over-hyping the problem, etc, etc.... "Has anyone actually SEEN any of these virus thingys in the wild?" we would ask.... Now look at us. Does anyone actually NOT have an AV scanner somewhere in their data path?

Same thing happened with firewalls.... Who would actually NEED that level of security? Who wants to look at MY data? Stories of firewalls implemented with PERMIT ANY ANY rules because the "security administrator" couldn't figure out which rule was breaking the CEO's stock ticker feed...

In other words, at any given point in time there will be "hot buttons" - they just seem to come around with alarming frequency in this particular industry. Gartner and its ilk will always start off hyping those hot buttons.... then move on to trashing them.... then later revise their opinion to say "told you they would be good for us".

The "naysayers" will always trash those products because they are afraid of change and don't like to open their minds to anything that they don't already have installed on their own "perfect" network. "NO, no, no, no... You don't need one of those.... Just look how I have MY GH5670 configured to do exactly the same job..... Well, almost..."

Five years down the line we will wonder what all the fuss was about! Everyone will have IDS/IPS in some form - that may be as part of a deep inspection firewall or a multi-mode security gateway device, but you will all be using it ;o) And if you're not, then I will eat Gartner's hat.
Regards,
Bob Walder
Director
The NSS Group
www.nss.co.uk
-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com]
Sent: 24 February 2004 19:52
To: focus-ids () securityfocus com
Subject: RE: Is IDS/IPS worthless?

First, thank you to everybody who has replied on and off list to this issue. Lots of great ideas.

After reading all these responses I've come to the conclusion that the key problem with IDS/IPS seems to be education (or mis-education). People have a lot of inaccurate or incomplete data about IPS/IDS in the general public (not here on the list), and they base their opinions on the effectiveness of these technologies on that faulty information.

For example, there is an infosec "celebrity" I see occasionally who repeatedly tells a story about ONE company he visited where they left their IDS unused, sitting on a shelf. That story has taken on a life of its own. People now use that story as justification for why IPS/IDS isn't worth the investment. What this celebrity fails to mention is the reason people leave IDS/IPS on a shelf: inexperience. Either the IT team failed to implement the IDS/IPS properly or the reseller/vendor misrepresented its capabilities or implementation challenges.

As such, I think Gartner is really just echoing what a lot of people believe. IDS is dead because it's consistently implemented and used incorrectly. And thus, people think IDS is useless because the person before them refused to learn how to make an IPS/IDS effective. It's a positive feedback loop of sorts.

1. Vendors over-sell their products' capabilities and/or resellers fail to educate their customers.
2. The products are improperly implemented and/or used.
3. These failures spread via "celebrity" stories and "research" reports.
4. A valuable technology gains a stigma of ineffectiveness when in reality the problem is an education failure.

This is my interpretation of the problem. Does anybody agree with this? Or am I being a moron and missing something obvious?
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 298
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm
Current thread:
- RE: Is IDS/IPS worthless?, (continued)
- RE: Is IDS/IPS worthless? Matthew L. McGuirl (Feb 23)
- RE: Is IDS/IPS worthless? Robert Jackson (Feb 23)
- RE: Is IDS/IPS worthless? Cure, Samuel J (Feb 23)
- Re: Is IDS/IPS worthless? Webb Wang CS (Feb 23)
- RE: Is IDS/IPS worthless? DeGennaro, Gregory (Feb 23)
- RE: Is IDS/IPS worthless? Matthew L. McGuirl (Feb 23)
- RE: Is IDS/IPS worthless? Bell, Gregory (ISS Atlanta) (Feb 23)
- IDS/IPS Value Chuck Jenson (Feb 25)
- RE: Is IDS/IPS worthless? Bob Walder (Feb 24)
- RE: Is IDS/IPS worthless? Andrew Plato (Feb 25)
- RE: Is IDS/IPS worthless? Bob Walder (Feb 26)