RE: Is IDS/IPS worthless?

["Wolfpaw - Dale Corse" <admin-lists () wolfpaw net>]

Hi Andrew,

An interesting Analogy is that an IDS is like hiring a security
guard for your network. If you depend on your inventory for example,
to make money.. You install an alarm system, or hire a guard. If you
don't want to "waste the money" and protect yourself, don't be all
that surprised when someone drives a truck through the front window,
and cleans you out.

They are time consuming to configure, and by no means a guarantee. 
But when you consider the seemingly growing global threat to any 
machine (especially a business) that is attached to the internet, 
I would hardly toss an IDS in the "waste" category.

Just my 2 cents, and pretty much what I would have said in a meeting
such as that :)

Just a blunt IT guy..
D.
--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095

> -----Original Message-----
> From: Andrew Plato [mailto:aplato () anitian com] 
> Sent: Friday, February 20, 2004 9:32 AM
> To: focus-ids () securityfocus com
> Subject: Is IDS/IPS worthless? 
>
>
>
> I've noticed something lately and I wonder if anybody else 
> has experienced this. At a meeting recently, I was told by a 
> number of people that IDS/IPS is a "worthless waste of IT 
> resources" and "providing no real value to an organization."  
> The speaker at this particular meeting challenged me to say 
> "what business goals did the implementation of an IDS/IPS 
> achieve?"  I responded that an IDS gives insight to what is 
> happening on a network and provides critical data to more 
> effectively focus resources on real problems. An IPS builds a 
> level of trust and protection from intrusions as well as 
> insight into the function and behavior of a network. (Okay, 
> it was a vanilla answer, I
> admit.)
>  
> So this speaker then challenged me to come up with verifiable 
> metrics. I replied that he would have to define what metrics 
> he wants? What does he consider a "viable metric" for 
> performance.  He said "did they sell more products, make more 
> money?"  I replied "why is that the only metric that 
> businesses can understand?  A lot of complex things go into 
> 'making money' and IT operations is a small part of that. 
> Marketing, strategic vision, and many other factors have a 
> much more profound impact on 'making money' than a single IT 
> security solution. However, insight into operations and 
> security is a critical component of IT. How do you know you 
> have been broken into if you don't have any mechanisms to 
> detect those intrusions? There is clear value in investment 
> in locks and security cameras, why not have similar 
> investments into the digital equivalents."  
>  
> This shut him up, for a while, but it highlighted a growing 
> trend I am noticing. It seems like there are a lot of people 
> with an agenda right now to shoot down the value of IPS/IDS 
> technologies. IPS in particular seems to be painted as a 
> "marketing ploy."  I also hear the story "they bought and IDS 
> and it just sat in a rack and did nothing"  a lot (usually 
> from people who don't even know what an IDS does.) 
>  
> What is happening here?  Anybody have any idea why there is a 
> growing "anti-IDS" attitude. Is it the failure of IDS to 
> produce value in an organization? Is the Gartner "IDS is 
> dead" report having THAT much affect on the industry?  Are 
> the IDS vendors victims of their own over-marketing?  Am I a 
> paranoid moron? 
>  
> I am curious to hear other people's ideas on and strategies 
> for dealing with these objections. 
>  
>  
> ___________________________________
> Andrew Plato, CISSP
> President/Principal Consultant
> ANITIAN  ENTERPRISE  SECURITY
>
> 3800 SW Cedar Hills Blvd, Suite 298
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> ___________________________________
>
> GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 
> 633D GPG public key available at: 
> http://www.anitian.com/corp/keys.htm 
>
>
> --------------------------------------------------------------
> -------------
> Free trial: Astaro Security Linux -- firewall with Spam/Virus 
> Protection
>
> Protect your network with the comprehensive security solution 
> that integrates 
> six applications for ease of use and lower TCO.
>
> Firewall - Virus protection - Spam protection - URL blocking - VPN
> - Wireless security.
>
> Download 30-day evaluation at: 
> http://www.securityfocus.com/sponsor/Astaro_fo> cus-ids_040219
>
>
> --------------------------------------------------------------
> -------------


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integrates 
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------