IDS mailing list archives

RE: Is IDS/IPS worthless?


From: "Bob Walder" <bwalder () spamcop net>
Date: Thu, 26 Feb 2004 08:29:55 +0100

Andrew,

EXACTLY the same thing happens with network management - there are
plenty of stories doing the rounds about the OpenView console that sits
on a shelf in a darkened room somewhere with little red icons flashing,
but everyone ignores it because no one knows how this big complex
network management system works since old Fred retired....

Anti-virus products received lots of negative press in the early days -
stories of vendors inventing and releasing viruses to boost sales,
over-hyping the problem, etc, etc.... "has anyone actually SEEN any of
these virus thingys in the wild?" we would ask.... Now look at us. Does
anyone actually NOT have an AV scanner somewhere in their data path?

Same thing happened with firewalls.... Who would actually NEED that
level of security? Who wants to look at MY data? Stories of firewalls
implemented with PERMIT ANY ANY rules because the "security
administrator" couldn't figure out which rule was breaking the CEO's
stock ticker feed...

In other words, at any given point in time there will be "hot buttons" -
they just seem to come around with alarming frequency in this particular
industry. Gartner and its ilk will always start off hyping those hot
buttons.... Then move on to trashing them.... Then later revise its
opinion to say "told you they would be good for us". The "naysayers"
will always trash those products because they are afraid of change and
don't like to open their minds to anything that they don't already have
installed on their own "perfect" network. "NO, no, no, no... You don't
need one of those.... Just look how I have MY GH5670 configured to do
exactly the same job..... Well, almost..."

Five years down the line we will wonder what all the fuss was about!
Everyone will have IDS/IPS in some form - that may be as part of a deep
inspection firewall or a multi-mode security gateway device, but you
will all be using it ;o)

And if you're not, then I will eat Gartner's hat.

Regards,

Bob Walder
Director
The NSS Group
www.nss.co.uk




-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com] 
Sent: 24 February 2004 19:52
To: focus-ids () securityfocus com
Subject: RE: Is IDS/IPS worthless?


First, thank you to everybody who has replied on and off 
list to this issue. Lots of great ideas. 

After reading all these responses I've come to the 
conclusion that the key problem with IDS/IPS seems to be 
education (or mis-education). People have a lot of 
inaccurate or incomplete data about IPS/IDS in the general 
public (not here on the list.) And they base their opinions 
on the effectiveness of these technologies on that faulty 
information.

For example, there is an infosec "celebrity" I see 
occasionally who repeatedly tells a story about ONE company 
he visited where they left their IDS unused, sitting on a 
shelf. That story has taken on a life of its own. People now 
use that story as justification for why IPS/IDS isn't worth 
the investment. 

What this celebrity fails to mention is that the reason 
people leave IDS/IPS on a shelf: inexperience. Either the IT 
team failed to implement the IDS/IPS properly or the 
reseller/vendor misrepresented its capabilities or 
implementation challenges. 

As such, I think Gartner is really just echoing what a lot 
of people believe. IDS is dead because it's consistently 
implemented and used incorrectly. And thus, people think IDS 
is useless because the person before them refused to learn 
how to make an IPS/IDS effective. 

It's a positive feedback loop of sorts. 

1. Vendors over-sell their products' capabilities and/or 
resellers fail to educate their customers. 

2. The products are improperly implemented and/or used. 

3. These failures spread via "celebrity" stories and 
"research" reports.

4. A valuable technology gains a stigma of ineffectiveness 
when in reality the problem is an education failure. 

This is my interpretation of the problem. Does anybody agree 
with this? Or am I being a moron and missing something obvious?

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 298
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 
3582 633D GPG public key available at: 
http://www.anitian.com/corp/keys.htm 