, 2007-11-09
Some years ago, I remember reading a press release from the Gartner Group. It was about intrusion detection systems (IDS) offering little return for the monetary investment in them and furthermore, that this very same security technology would be obsolete by the year 2005. A rather bold statement and an even bolder prediction on their part.

Whereas IDS is useful to those who cannot fix their systems, the problem with them is that their functionality is irrelevant when the actual vulnerabilities are fixed. Who cares about attacks against patched legacy vulnerabilities? Why panic about this or that knocking on the door with , when it is locked. IDS is like taking pictures of everyone walking close to your house, just in case you have an incident and want to go back to the event to see what happened. I understand some people do that with their house even now, but I am not sure if that is a healthy attitude, as it is just building up the paranoia and fear. Dedicating the same effort to actually fixing the problems would save a lot of sleepless nights.
Fear is a good business in security, and therefore it is easier selling reactive tools for ten times higher price than proactive tools. Reactive tools are measurable, i.e. you can calculate value of caught (no matter how irrelevant) attacks. Proactive security is immeasurable, like health-care. You cannot easily estimate how many holes you would have in your teeth if you hadn't seen a dentist regularly (or would have, if you haven't). But everyone knows that you have saved a huge amount of money by being proactive.
Proactive measures are cheaper than reactive, which are cheaper than the cost of incidents. I am not saying all of them are useful.
Distantly related (take this with humor if you can): If regulations require you to report all recognized incidents, you will be compliant if you stop looking for them. ;)