Don Parker, 2007-11-09
Some years ago, I remember reading a press release from the Gartner Group. It was about intrusion detection systems (IDS) offering little return for the monetary investment in them and furthermore, that this very same security technology would be obsolete by the year 2005. A rather bold statement and an even bolder prediction on their part.
Don't blame the IDS
2007-11-11
Param
>> Dave is of the same opinion as Gartner -- in essence.
>> He sees little added value in an IDS. They can be
>> bypassed by a skilled attacker, such as himself.
This is like saying, "Most of the computer attacks can be prevented if you keep your boxes updated, patched, apply firewall and ant...
Yes, let's blame the IDS
2007-11-12
assurbanipal (1 replies)
IDS are in practice often worthless because tuning them requires extraordinary efforts, and is rarely done properly, and partly as a consequence of this in many environments nobody seriously look at them! In my experience this is not the exception but the rule.
What is needed is a technology that c...
Re: Yes, let's blame the IDS
2007-11-13
Anonymous
that goes for any technology ...
firewalls with an egress any-any rule ...
content filters with anything allowed for specific groups (you know who you are)...
a customer site with client authentication based on certificates, however all customers are sent the same certificate :s
need to go on ?...
Don't blame the IDS
2007-11-12
Gandalf
"To do it well you need to have a large body of knowledge. Not only that, you must also take the time to properly tune the IDS to its environment."
key point here...
You see, Don , what they fail to see in addition to the above comment, is that IDS is a live-reaction system , which wil...
Don't blame the IDS
2007-11-12
Anonymous (1 replies)
Actually, being an IDS Expert (that's what they call me) myself.. I see IDS technology going away in the next few years for Abnormality detection.. all the big vendors are buying in on this...
Re: Don't blame the IDS
2007-11-13
Ryan Wegner
A good IDS like Snort already provides capabilities for anomaly detection. It's just an extension of the current technology really, and it's been in the works for years. It just takes a lot of work and skill on the IDS administrator's part to pull it off. Not just downloading the latest rules and...
Don't blame the IDS
2007-11-13
Anonymous
Nice article..
There is no substitute for manual review of IDS logs in order to be effective. The same goes for software development testing.. there is only so much you can automate with tools.
Is it a boring, mundane job to manually review logs or test software? Yes..
Is it necessary for good...
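The comments above argue that tuning and manual review are what make an IDS useful. As an added illustration (not code from the article or from any commenter), here is a small Python triage pass over constructed Snort-style fast alert lines: it applies an environment-specific suppression list and a per-(signature, source) limit in the spirit of Snort's threshold.conf, and hands the analyst a prioritised list instead of the raw stream. The signature ids, addresses and the suppression entry are all made up for the example.

```python
import re
# Alert lines in the style of Snort's "fast" output, constructed for this example
# (RFC 5737 documentation addresses, made-up local sids), not from any real sensor.
SAMPLE_ALERTS = """\
11/12-14:03:11.123456 [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Priority: 2] {TCP} 203.0.113.9:44321 -> 192.0.2.10:22
11/12-14:03:12.000001 [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Priority: 2] {TCP} 203.0.113.9:44322 -> 192.0.2.10:22
11/12-14:03:13.000002 [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Priority: 2] {TCP} 203.0.113.9:44323 -> 192.0.2.10:22
11/12-14:04:00.500000 [**] [1:1000002:1] LOCAL SNMP poll from monitoring host [**] [Priority: 3] {UDP} 192.0.2.5:161 -> 192.0.2.10:161
WARNING: this line is not an alert and must be skipped by the parser
11/12-14:05:30.250000 [**] [1:1000003:2] LOCAL web shell upload [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51000 -> 192.0.2.20:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Environment-specific tuning an analyst builds up over time (constructed):
# sid 1000002 fired by the monitoring host is expected traffic, so drop it
# outright, much like a `suppress` entry in Snort's threshold.conf.
SUPPRESS = {("1000002", "192.0.2.5")}

def parse_alert(line):
    """Parse one fast-format alert line; return a dict of fields or None."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(text):
    """Collapse raw alerts into a prioritised review list: repeated hits of one
    signature from one source are reported once with a count (the effect of
    `threshold type limit` in Snort), suppressed pairs are dropped, priority 1 first."""
    kept = {}
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # non-alert line: skip it rather than crash the review
        key = (alert["sid"], alert["src"])
        if key in SUPPRESS:
            continue
        if key in kept:
            kept[key]["hits"] += 1
        else:
            kept[key] = dict(alert, hits=1)
    return sorted(kept.values(), key=lambda a: (int(a["prio"]), a["sid"]))

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"P{a['prio']} sid {a['sid']} x{a['hits']:<3} {a['src']} -> {a['dst']}  {a['msg']}")
```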
Don't blame the IDS
2007-11-14
John Sloan (1 replies)
Yes, of course IDS is a pain to configure and to manage, and you need to have an analyst looking at it who can do more than tie their shoes and wave bye-bye.
But IDS is how you look at your network. If you don't have an IDS (or something that provides the equivalent functionality), you are not lo...
Re: Don't blame the IDS
2007-11-17
Ari Takanen (Codenomicon)
This is related to an old discussion about reactive versus proactive security. Reactive tools look for worms and viruses (attacks), whereas proactive tools find and fix the actual worm-size holes (vulnerabilities). Unfortunately reactive tools tend to always be 30-60 days late when compared to the e...
Don't blame the IDS
2007-11-19
Anonymous
Dropping the IDS concept is essentially stepping away from a viable and proactive approach to security. This is the same for IPSs. Incident handling is simply reactive. We must automate what we can as much as possible and in a secure manner to properly defend our critical systems in real time. No hu...
NSM == IDS++
2007-11-26
Hanashi
Honestly, I just don't see how an organization of any size can really do without IDS at some level. True, there are limitations to IDS technology, but that's no reason to junk it. Instead, you can leverage other data sources to extend and enhance the core IDS. This is the premise of Network Secur...
Don't blame the IDS
2009-08-14
Anonymous
It's all very well to speak in the abstract about what firewalls and other security devices could do. Back in the real world, however, I've yet to see an effective IDS. By effective I mean one that causes something to change - i.e. we caught someone doing something bad, or we see a lot of hack attempts f...

Very nice article.
I'd share the same thought. However, tuning is an endless chain and I do agree sometimes it's rather boring. :)...