IDS mailing list archives
RE: Is IDS/IPS worthless?
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 21 Feb 2004 09:13:35 -0600
Andrew, I had a similar conversation recently with my CIO and I answered more or less like you. The truth is that IDS solutions are not for everyone; if you are not going to (or are unable to) assign the resources needed to use an IDS appropriately, it is worthless. But that's where all the confusion started: we had several small companies investing in IDS technology without having someone actually capable of analyzing what was going on... of course this led to failure, and all those companies are getting rid of IDS.

However, it is curious now how several big companies and institutions are not only deploying IDS but also acquiring so-called "threat early warning systems" (TEWS). TEWS give an organization insight into what is going on around the world. Even after tuning, you might be receiving quite a lot of information that you still have to correlate, but it is of enormous value. If TEWS are your eyes for what is going on in the rest of the world, IDS are your eyes to see what happens inside and at the perimeter of your network. Even if you can't calculate a ROI on that (you might not see anything in a year), the fact is that several companies just can't afford to be blind.

Also, there is a trend to move from negative logic security components such as nIDS and antivirus to positive logic security controls (firewalls, for example). The reason is that negative logic is reactive in nature, and we do need more preventive security, especially now with worms and exploits hitting us faster than they did years ago. Negative logic controls focus on what is dangerous/forbidden (virus signatures in AV, attack signatures in nIDS), while positive controls just allow what is explicitly permitted and deny everything else (firewalls). In 10 years, how many virus signatures do you think we are going to have over there? It is much easier to identify and certify permitted applications to run and just block anything else from being executed than to keep track of ALL malware.

Now, don't get me wrong, AV and nIDS will still be useful, but we will rely on them for slightly different things. For instance, positive logic controls are not able to cope with all possible threats... firewalls get evaded, and many times we need to identify exactly what is wrong. To be effective with a combination of negative and positive logic controls, you will need to correlate information from both and automate a few things, and that's another trend (which is actually nice). In the end, IDS/IPS will still be a technology for just a couple of organizations, but other organizations have an alternative: outsourcing. Security outsourcing will include IDS tools and analysis at an affordable cost (many times), even if the company never sees them.

Regards,
Omar Herrera
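The following is an added illustration of the positive-logic versus negative-logic distinction discussed in the reply above, and of why the two still need to be correlated; it is example code written for this page, not anything posted by Omar Herrera or Andrew Plato. The "binaries", hosts, command lines and the rule that treats `ssh -R` (a reverse tunnel) as suspicious are all constructed assumptions for the demonstration; the hashes are computed from the constructed bytes and are not real malware or application hashes.

```python
"""Allowlist (positive logic) vs signature denylist (negative logic) on
constructed process-start events, plus a correlation step combining both."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    """One 'process started' observation; content stands in for the file on disk."""
    host: str
    path: str
    content: bytes
    cmdline: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries (hashes below are derived from these bytes).
NOTEPAD = b"MZ-notepad-1.0"
SSH = b"MZ-openssh-client-3.7"
NEW_TOOL = b"MZ-some-new-utility-0.1"      # legitimate, but not yet certified
KNOWN_WORM = b"MZ-worm-seen-last-week"
NEW_WORM = b"MZ-worm-never-seen-before"

# Negative logic: enumerate what is bad. Hash-based here for brevity; AV and
# nIDS signatures are patterns, but the logic (match known-bad, else allow) is the same.
KNOWN_BAD = {sha256(KNOWN_WORM)}

# Positive logic: enumerate what is certified to run and deny everything else.
CERTIFIED = {sha256(NOTEPAD), sha256(SSH)}

# Assumed behavioural rule for the correlation step: a permitted binary used in a
# way the (hypothetical) policy considers suspicious, e.g. ssh opening a reverse tunnel.
SUSPICIOUS_ARGS = {"ssh": {"-R"}}


def denylist_verdict(ev: ExecEvent) -> str:
    return "block" if sha256(ev.content) in KNOWN_BAD else "allow"


def allowlist_verdict(ev: ExecEvent) -> str:
    return "allow" if sha256(ev.content) in CERTIFIED else "block"


def correlated_verdict(ev: ExecEvent) -> tuple[str, list[str]]:
    """Combine both controls and add a behavioural check on permitted binaries."""
    reasons: list[str] = []
    if allowlist_verdict(ev) == "block":
        reasons.append("not on allowlist")
    if denylist_verdict(ev) == "block":
        reasons.append("matched known-bad signature")
    prog = ev.path.rsplit("/", 1)[-1]
    args = set(ev.cmdline.split()[1:])
    if allowlist_verdict(ev) == "allow" and args & SUSPICIOUS_ARGS.get(prog, set()):
        reasons.append("permitted binary with suspicious arguments")
    return ("block" if reasons else "allow", reasons)


# Constructed sample events, one per host.
SAMPLE_EVENTS = [
    ExecEvent("ws01", "/usr/bin/notepad", NOTEPAD, "notepad notes.txt"),
    ExecEvent("ws02", "/tmp/update.exe", KNOWN_WORM, "update.exe"),
    ExecEvent("ws03", "/tmp/svchost.exe", NEW_WORM, "svchost.exe -silent"),
    ExecEvent("ws04", "/usr/bin/ssh", SSH, "ssh -R 2222:localhost:22 relay.example"),
    ExecEvent("ws05", "/opt/newtool", NEW_TOOL, "newtool --help"),
]


def run(events: list[ExecEvent] = SAMPLE_EVENTS) -> dict[str, dict[str, str]]:
    """Return the verdict of each control per host, plus the combined reasons."""
    out: dict[str, dict[str, str]] = {}
    for ev in events:
        verdict, reasons = correlated_verdict(ev)
        out[ev.host] = {
            "denylist": denylist_verdict(ev),
            "allowlist": allowlist_verdict(ev),
            "combined": verdict,
            "why": "; ".join(reasons),
        }
    return out


if __name__ == "__main__":
    for host, v in run().items():
        print(f"{host}: denylist={v['denylist']:5} allowlist={v['allowlist']:5} "
              f"combined={v['combined']:5} {v['why']}")
```

Running it shows the trade-off in the reply: the never-seen worm on ws03 passes the signature check but is stopped by the allowlist, while the reverse tunnel on ws04 passes the allowlist (ssh is certified) and is only caught when the two views are correlated with a behavioural rule. The uncertified tool on ws05 is blocked until someone certifies it, which is the maintenance cost a positive-logic control carries.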
I've noticed something lately and I wonder if anybody else has experienced this. At a meeting recently, I was told by a number of people that IDS/IPS is a "worthless waste of IT resources" and "providing no real value to an organization." The speaker at this particular meeting challenged me to say "what business goals did the implementation of an IDS/IPS achieve?" I responded that an IDS gives insight into what is happening on a network and provides critical data to more effectively focus resources on real problems. An IPS builds a level of trust and protection from intrusions as well as insight into the function and behavior of a network. (Okay, it was a vanilla answer, I admit.)

So this speaker then challenged me to come up with verifiable metrics. I replied that he would have to define what metrics he wants. What does he consider a "viable metric" for performance? He said "did they sell more products, make more money?" I replied "why is that the only metric that businesses can understand? A lot of complex things go into 'making money' and IT operations is a small part of that. Marketing, strategic vision, and many other factors have a much more profound impact on 'making money' than a single IT security solution. However, insight into operations and security is a critical component of IT. How do you know you have been broken into if you don't have any mechanisms to detect those intrusions? There is clear value in investment in locks and security cameras, why not have similar investments into the digital equivalents?"

This shut him up, for a while, but it highlighted a growing trend I am noticing. It seems like there are a lot of people with an agenda right now to shoot down the value of IPS/IDS technologies. IPS in particular seems to be painted as a "marketing ploy." I also hear the story "they bought an IDS and it just sat in a rack and did nothing" a lot (usually from people who don't even know what an IDS does).

What is happening here? Anybody have any idea why there is a growing "anti-IDS" attitude? Is it the failure of IDS to produce value in an organization? Is the Gartner "IDS is dead" report having THAT much effect on the industry? Are the IDS vendors victims of their own over-marketing? Am I a paranoid moron? I am curious to hear other people's ideas on and strategies for dealing with these objections.
Current thread:
- Is IDS/IPS worthless? Andrew Plato (Feb 20)
- Re: Is IDS/IPS worthless? Mike Lyman (Feb 23)
- RE: Is IDS/IPS worthless? Fergus Brooks (Feb 23)
- Re: Is IDS/IPS worthless? Stefano Zanero (Feb 26)
- Re: Is IDS/IPS worthless? Josh Tolley (Feb 23)
- Re: Is IDS/IPS worthless? Konrad Rieck (Feb 23)
- RE: Is IDS/IPS worthless? Brian Taylor (Feb 23)
- RE: Is IDS/IPS worthless? Fergus Brooks (Feb 23)
- RE: Is IDS/IPS worthless? Duston Sickler (Feb 24)
- RE: Is IDS/IPS worthless? Fergus Brooks (Feb 23)
- RE: Is IDS/IPS worthless? Omar Herrera (Feb 23)
- Re: Is IDS/IPS worthless? Michael Stone (Feb 23)
- Re: Is IDS/IPS worthless? Andy Cuff (Feb 23)
- Re: Is IDS/IPS worthless? Mike Hoskins (Feb 23)
- Re: Is IDS/IPS worthless? Olaf Gellert (Feb 23)
- Re: Is IDS/IPS worthless? SecurIT Informatique Inc. (Feb 23)
- Re: Is IDS/IPS worthless? Olaf Gellert (Feb 23)
- Re: Is IDS/IPS worthless? SecurIT Informatique Inc. (Feb 23)
- Re: Is IDS/IPS worthless? Xiaoyong Wu (Feb 24)
- Re: Is IDS/IPS worthless? Michael Stone (Feb 25)
- Re: Is IDS/IPS worthless? SecurIT Informatique Inc. (Feb 23)
- Re: Is IDS/IPS worthless? Mike Lyman (Feb 23)
- Re: Is IDS/IPS worthless? Mike Hoskins (Feb 23)