IDS mailing list archives

RE: [Securityfocus-focus-ids] RE: Is IDS/IPS worthless?


From: "Remko Lodder" <remko () elvandar org>
Date: Mon, 23 Feb 2004 17:57:15 +0100

Hi,

I read a Gartner report a while back stating an anti-IDS opinion.
I cannot believe those responses; I work at an enterprise company,
and we find IDS extremely useful. Not only can it detect weird traffic in
our network, we can also spot virus patterns traveling along the network,
even if they are not yet detected by the scanners.

This means we can pro-actively respond to weird traffic and viruses,
saving us a lot of money (virus outbreak, real hack, etc.).

So, IDS is extremely valuable for detecting all sorts of traffic. Persons
with an anti-IDS opinion never had any profit from an IDS system built up;
they only see money flow... Until a new virus or worm spreads quickly
around the perhaps enterprise-level company, infecting machines, letting
remote users into the company, doing a lot of harm, causing a large cost item,
and a director of the company thinking, "Why did I ever listen to that
employee that stated we did not need IDS, while experts just told me, and
showed me, that a long-past hole in the system was present, which could have
been detected by ANY IDS engine".

Perhaps expanding IDS to Intrusion Detection System and IPS to Intrusion
Prevention System helps a bit... (logically rewritten, it states my above
'case')

Hope my opinion helps somewhat :)

Cheers,

--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hacker scene

mrtg.grunn.org Dutch mirror of MRTG

-----Original Message-----
From: securityfocus-focus-ids-bounces () lists elvandar org
[mailto:securityfocus-focus-ids-bounces () lists elvandar org] On Behalf Of Bénoni
MARTIN
Sent: Monday, 23 February 2004 10:46
To: Andrew Plato; focus-ids () securityfocus com
Subject: [Securityfocus-focus-ids] RE: Is IDS/IPS worthless?


Hi,

First of all, I want to say that I have never heard of an "anti-IDS
attitude", and that in all the companies I have worked in, IDS seemed
to be important. But I will check out Gartner's report, even if I
prefer thinking for myself rather than with someone else's mind.

Three things:
- First, a lot of tools today are not only firewalls, or routers, or
whatever. Many of them provide more features than the original one, and
probably for some small companies a FW seems to be enough.
- Then, I think that the bigger and the more famous a company is, the more
important it will be to monitor the network.
- If everybody agreed with this behaviour, the companies selling that
kind of product would go bankrupt very quickly... And as far as I know,
nothing like that is happening.

I also think it would be interesting to know what kind of company this
guy works for... )



-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com]
Sent: Friday, 20 February 2004 17:32
To: focus-ids () securityfocus com
Subject: Is IDS/IPS worthless?


I've noticed something lately and I wonder if anybody else has
experienced this. At a meeting recently, I was told by a number of
people that IDS/IPS is a "worthless waste of IT resources" and
"providing no real value to an organization."  The speaker at this
particular meeting challenged me to say "what business goals did the
implementation of an IDS/IPS achieve?"  I responded that an IDS gives
insight to what is happening on a network and provides critical data to
more effectively focus resources on real problems. An IPS builds a level
of trust and protection from intrusions as well as insight into the
function and behavior of a network. (Okay, it was a vanilla answer, I
admit.)

So this speaker then challenged me to come up with verifiable metrics. I
replied that he would have to define what metrics he wants. What does he
consider a "viable metric" for performance?  He said "did they sell more
products, make more money?"  I replied "why is that the only metric that
businesses can understand?  A lot of complex things go into 'making
money' and IT operations is a small part of that. Marketing, strategic
vision, and many other factors have a much more profound impact on
'making money' than a single IT security solution. However, insight into
operations and security is a critical component of IT. How do you know
you have been broken into if you don't have any mechanisms to detect
those intrusions? There is clear value in investment in locks and
security cameras, why not have similar investments into the digital
equivalents."

This shut him up, for a while, but it highlighted a growing trend I am
noticing. It seems like there are a lot of people with an agenda right
now to shoot down the value of IPS/IDS technologies. IPS in particular
seems to be painted as a "marketing ploy."  I also hear the story "they
bought an IDS and it just sat in a rack and did nothing" a lot
(usually from people who don't even know what an IDS does.)

What is happening here?  Anybody have any idea why there is a growing
"anti-IDS" attitude? Is it the failure of IDS to produce value in an
organization? Is the Gartner "IDS is dead" report having THAT much
effect on the industry?  Are the IDS vendors victims of their own
over-marketing?  Am I a paranoid moron?

I am curious to hear other people's ideas on and strategies for dealing
with these objections.


___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 298
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------
_______________________________________________
Securityfocus-focus-ids mailing list
Securityfocus-focus-ids () lists elvandar org
http://lists.elvandar.org/mailman/listinfo/securityfocus-focus-ids