Focus on IDS
Is IDS/IPS worthless? Feb 20 2004 04:31PM
Andrew Plato (aplato anitian com) (12 replies)
Re: Is IDS/IPS worthless? Feb 23 2004 06:35PM
SecurIT Informatique Inc. (securit iquebec com) (1 replies)
RE: Is IDS/IPS worthless? Feb 23 2004 10:29PM
Martin (mleroux lincsat com)
Adam

I tend to agree with you since I have seen both sides of the world. IDS is
evolving slowly but surely. With the arrival of new products on the market,
trying to justify the cost to manage IDS as opposed to IPS is ridiculous; good
network monitoring is done by folks who take a proactive approach to their
work and continuously fine tune their NIDS/HIDS accordingly. It's an ongoing
process, especially with new signatures being developed each day/week etc.

I feel that IPS manufacturers are trying to lure businesses into low cost or
low manning for a resolution vice a slightly higher cost of an IDS team.
Automation of network protection is ludicrous; human intervention and
knowledge is what makes a good intrusion team, and certainly not a machine's
decision.

Adam, I would like to find out more about your series of tools off line if
you don't mind. I am always looking for improvements to our IDS environment
and ways to facilitate analysts in their day-to-day workload.

Martin

-----Original Message-----
From: SecurIT Informatique Inc. [mailto:securit (at) iquebec (dot) com [email concealed]]
Sent: Monday, February 23, 2004 1:36 PM
To: Andrew Plato
Cc: focus-ids (at) securityfocus (dot) com [email concealed]
Subject: Re: Is IDS/IPS worthless?

Hello. I thought I'd chip in my 2 cents...

First of all, I think that there is some confusion building around the
terms IDS and IPS, and the Gartner report is probably one of the main
reasons for that, along with vendors' marketing pitches. Without having a
clear definition of these two terms, it becomes futile to determine if
they are useful or not.

IPS seems to mean "firewalls with IDS built-in", but I think this definition
is too limiting for what an IDS really is; an IDS is not only a
NIDS, but also HIDS, anomaly based, log analysis, etc... Also, I simply
don't see how someone could move "IDS" capabilities into a firewall and
end up with a security level similar to that of a more traditional,
decentralized approach. For example, how can an IPS check the integrity of
system binaries on the hosts on your network?

Now, with that being said, I think it is just plain misleading to speak of
IDS/IPS in the same sentence, as I've demonstrated clearly that an
IPS could be seen more as an evolution of the traditional NIDS
setup. While I don't have much faith in IPS as they are presented today, I
don't think that the fate of IDS at large is not linked to the future
success or failure of IPS technology.

I have developed a whole series of tools with the sole goal of improving
ways to detect intrusions using new techniques that can be built around an
existing security architecture. I wrote an article on this whole topic,
which is yet to be released as it is planned for presentation at some
conferences this year, and I have submitted it to SecurityFocus on numerous
tries, but with no news from them so far. I plan to release it in 1-2
months from now.

To finish, I'd just say that I really don't think that IDS is dead; it is
just going to evolve, and I've been trying hard at implementing some of
these evolutions myself in the Windows world. Just don't be surprised that
if someone tries to sell you a competitive product to IDSes, they'll
try to downplay the role of IDS technologies in order to make their own
product look good. At this point, it is up to everybody to make their own
decisions in this debate, and see the real trends out of the pure marketing
hype.

MHO

Adam Richard
SécurIT Informatique Inc.
http://securit.iquebec.com/

At 11:31 AM 20/02/2004, Andrew Plato wrote:

>I've noticed something lately and I wonder if anybody else has
>experienced this. At a meeting recently, I was told by a number of
>people that IDS/IPS is a "worthless waste of IT resources" and
>"providing no real value to an organization." The speaker at this
>particular meeting challenged me to say "what business goals did the
>implementation of an IDS/IPS achieve?" I responded that an IDS gives
>insight to what is happening on a network and provides critical data to
>more effectively focus resources on real problems. An IPS builds a level
>of trust and protection from intrusions as well as insight into the
>function and behavior of a network. (Okay, it was a vanilla answer, I
>admit.)
>
>So this speaker then challenged me to come up with verifiable metrics. I
>replied that he would have to define what metrics he wants. What does he
>consider a "viable metric" for performance? He said "did they sell more
>products, make more money?" I replied "why is that the only metric that
>businesses can understand? A lot of complex things go into 'making
>money' and IT operations is a small part of that. Marketing, strategic
>vision, and many other factors have a much more profound impact on
>'making money' than a single IT security solution. However, insight into
>operations and security is a critical component of IT. How do you know
>you have been broken into if you don't have any mechanisms to detect
>those intrusions? There is clear value in investment in locks and
>security cameras, why not have similar investments into the digital
>equivalents."
>
>This shut him up, for a while, but it highlighted a growing trend I am
>noticing. It seems like there are a lot of people with an agenda right
>now to shoot down the value of IPS/IDS technologies. IPS in particular
>seems to be painted as a "marketing ploy." I also hear the story "they
>bought an IDS and it just sat in a rack and did nothing" a lot
>(usually from people who don't even know what an IDS does).
>
>What is happening here? Anybody have any idea why there is a growing
>"anti-IDS" attitude? Is it the failure of IDS to produce value in an
>organization? Is the Gartner "IDS is dead" report having THAT much
>effect on the industry? Are the IDS vendors victims of their own
>over-marketing? Am I a paranoid moron?
>
>I am curious to hear other people's ideas on and strategies for dealing
>with these objections.
>
>
>___________________________________
>Andrew Plato, CISSP
>President/Principal Consultant
>ANITIAN ENTERPRISE SECURITY
>
>3800 SW Cedar Hills Blvd, Suite 298
>Beaverton, OR 97005
>503-644-5656 Office
>503-214-8069 Fax
>503-201-0821 Mobile
>www.anitian.com
>___________________________________
>
>GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
>GPG public key available at: http://www.anitian.com/corp/keys.htm