RE: Is IDS/IPS worthless?

[Omar Herrera <oherrera () prodigy net mx>]

Andrew,

I had a similar conversation recently with my CIO and I answered more or
less like you. The truth is that IDS solutions are not for everyone, if
you are not going to (or are unable to) assign the resources needed to
use an IDS appropriately, it is worthless.

But that's where all the confusion started; we had several small
companies investing in IDS technology without having someone actually
capable of analyzing what was going on... of course this led to failure
and all those companies are getting rid of IDS.

However, it is curious now how several big companies and institutions
are not only deploying IDS but also are acquiring so called "threat
early warning systems" (TEWS). TEWS gives an organization an insight of
what is going on around the world. Even after tuning, you might be
receiving quite a lot of information that you still have to correlate,
but it is of enormous value.

If TEWS are your eyes for what is going in the rest of the world, IDS
are your eyes to see what happens inside and at the perimeter of your
network. Even if you can't calculate a ROI on that (you might not see
anything in a year) the fact is that several companies just can't afford
to be blind.

Also there is a trend to move from negative logic security components
such as nIDS and Antivirus to positive logic security controls
(firewalls for example). The reason is that negative logic is reactive
in nature and we do need more preventive security, especially now with
worms and exploits hitting us faster than they did years ago. Negative
logic controls focus on what is dangerous/forbidden (virus signatures in
AV, attack signatures in nIDS) while positive controls just allow what
is explicitly permitted and deny everything else (firewalls). In 10
years, how many virus signatures do you think we are going to have over
there? It is much easier to identify and certify permitted applications
to run and just block anything else from being executed than keeping
track of ALL malware.

Now, don't get me wrong, AV and nIDS will still be useful, but we will
rely on them for slightly different things. For instance, positive logic
controls are not able to cope with all possible threats... firewalls get
evaded and many times we need to identify exactly what is wrong. To be
effective with a combination of negative and positive logic controls,
you will need to correlate information from both and automate a few
things, and that's another trend (which is actually nice).

In the end, IDS/IPS will still be a technology for just a couple of
organizations, but other organizations have an alternative: outsourcing.
security outsourcing will include IDS tools and analysis at an
affordable cost (many times), even if the company never sees the them.

Regards,

Omar Herrera

>  I've noticed something lately and I wonder if anybody else has
>  experienced this. At a meeting recently, I was told by a number of
>  people that IDS/IPS is a "worthless waste of IT resources" and
>  "providing no real value to an organization."  The speaker at this
>  particular meeting challenged me to say "what business goals did the
>  implementation of an IDS/IPS achieve?"  I responded that an IDS gives
>  insight to what is happening on a network and provides critical data
to
>  more effectively focus resources on real problems. An IPS builds a
level
>  of trust and protection from intrusions as well as insight into the
>  function and behavior of a network. (Okay, it was a vanilla answer, I
>  admit.)
>  
>  So this speaker then challenged me to come up with verifiable
metrics. I
>  replied that he would have to define what metrics he wants? What does
he
>  consider a "viable metric" for performance.  He said "did they sell
more
>  products, make more money?"  I replied "why is that the only metric
that
>  businesses can understand?  A lot of complex things go into 'making
>  money' and IT operations is a small part of that. Marketing,
strategic
>  vision, and many other factors have a much more profound impact on
>  'making money' than a single IT security solution. However, insight
into
>  operations and security is a critical component of IT. How do you
know
>  you have been broken into if you don't have any mechanisms to detect
>  those intrusions? There is clear value in investment in locks and
>  security cameras, why not have similar investments into the digital
>  equivalents."
>  
>  This shut him up, for a while, but it highlighted a growing trend I
am
>  noticing. It seems like there are a lot of people with an agenda
right
>  now to shoot down the value of IPS/IDS technologies. IPS in
particular
>  seems to be painted as a "marketing ploy."  I also hear the story
"they
>  bought and IDS and it just sat in a rack and did nothing"  a lot
>  (usually from people who don't even know what an IDS does.)
>  
>  What is happening here?  Anybody have any idea why there is a growing
>  "anti-IDS" attitude. Is it the failure of IDS to produce value in an
>  organization? Is the Gartner "IDS is dead" report having THAT much
>  affect on the industry?  Are the IDS vendors victims of their own
>  over-marketing?  Am I a paranoid moron?
>  
>  I am curious to hear other people's ideas on and strategies for
dealing
>  with these objections.
>  




---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integrates 
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------