Don't blame the IDS
Don Parker, 2007-11-09

Some years ago, I remember reading a press release from the Gartner Group. It was about intrusion detection systems (IDS) offering little return for the monetary investment in them and furthermore, that this very same security technology would be obsolete by the year 2005. A rather bold statement and an even bolder prediction on their part.

Well, here we are in the year 2007 and the IDS is still going strong. Personally, I don't put a whole lot of stock in these types of predictions, especially so from groups such as Gartner. What does make me sit up and listen though is when noted security researcher Dave Aitel chimes in with his two cents worth. Dave is of the same opinion as Gartner -- in essence. He sees little added value in an IDS. They can be bypassed by a skilled attacker, such as himself, and that one would be better off investing in "incident handling."

Do I agree with Dave's assertion? Actually I don't. That an IDS can be bypassed by a skilled attacker is a fact. Then again though, so can most other computer security technologies. Does that make all such defensive measures, the IDS among them, useless? Most definitely not. The problem with an IDS is that it's only as good as the person administering -- and monitoring -- its output. Also, I have heard many people claim that being an IDS analyst is a rather boring and mundane job. That is another point I would disagree on. To do it well you need to have a large body of knowledge. Not only that, you must also take the time to properly tune the IDS to its environment. That is one key mistake that so many people commit after having purchased an IDS -- not tuning it to their own network.

Is there a successor to the IDS?

Let's accept it at face value then that the IDS is indeed a technology past its prime. What is out there to replace it? Well, to hear the vendors tell it, that would be the intrusion prevention system (IPS). One of their biggest claims is that the IPS will actually prevent attacks against your computer, whereas an IDS would only make note of it, assuming it even had a signature for it.

There is no arguing that an IPS takes an active role in computer network security. The problem is though that it is also susceptible to the same problems that the IDS has. A skilled attacker can still bypass an IPS using a variety of means, as well as inflict denial of service (DoS) conditions. Well, it would seem then that we are no further ahead.

So far we have seen that neither the IDS nor the IPS is a fail-safe solution. What about other options then? Well, none come quickly to mind. What does come to mind though is the old axiom of "defense-in-depth." That was true ten years ago and remains true today. You still need to have a firewall and a well-configured router with both inbound and outbound rules. On top of that the usual content filtering appliance is still required for the ever-present surging tide of malware.

The IDS or IPS, depending on your preference, still has a place within your network defenses. While the IDS may certainly be showing its age, it still has value. What one needs to remember is that you also need to invest money in the person who will be working with it. Dropping large dollars on an IDS deployment is utterly useless if the person using it doesn't know the difference between HTTP status codes and SNMP OIDs.

The way forward

Bearing in mind that there is no one bullet-proof solution for any network in existence today, we should look to the person working with these technologies a little closer, because it will always come down to a pair of human eyes that will have to parse the output of any intrusion detection or prevention system.

With that thought in mind it then makes sense to try to ensure that they have as much training as possible. This need not be expensive, or done out of town; rather, it can be done based on your own network's traffic. Getting the security analyst accustomed to recognizing normal traffic patterns will then allow them to spot what is abnormal that much more easily. Add that knowledge to the logs of an IDS or IPS and we are now starting to get somewhere.
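The "learn your own normal, then look for departures" exercise recommended above, as an added example that is not part of the original column or of any IDS product. It takes a baseline sample of connection summaries from a quiet period, builds the share of traffic each destination port represents, and then flags ports in a later sample that either never appeared in the baseline or whose share jumped past a tuning threshold. The one-line-per-connection log format and every sample line are constructed for illustration; they are not from a real network.

```python
"""Baseline the traffic you actually have, then flag what departs from it.

Added example, not code from the original column. The log format below is an
assumption for this example, and all sample lines are constructed.
"""
import re
from collections import Counter

# Constructed format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>",
# one connection per line. Not any vendor's real export format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<proto>\w+)$"
)

# Constructed "known good" sample: a quiet stretch of an ordinary office network.
BASELINE_LOG = """\
2007-11-05T09:00:01 10.0.0.12 -> 10.0.0.5:80 tcp
2007-11-05T09:00:04 10.0.0.13 -> 10.0.0.5:80 tcp
2007-11-05T09:00:09 10.0.0.14 -> 10.0.0.5:80 tcp
2007-11-05T09:01:11 10.0.0.15 -> 10.0.0.5:80 tcp
2007-11-05T09:02:02 10.0.0.12 -> 10.0.0.6:443 tcp
2007-11-05T09:02:05 10.0.0.13 -> 10.0.0.6:443 tcp
2007-11-05T09:03:00 10.0.0.12 -> 10.0.0.2:53 udp
2007-11-05T09:03:01 10.0.0.13 -> 10.0.0.2:53 udp
2007-11-05T09:03:02 10.0.0.14 -> 10.0.0.2:53 udp
2007-11-05T09:04:00 10.0.0.12 -> 10.0.0.7:25 tcp
2007-11-05T09:05:00 10.0.0.20 -> 10.0.0.8:3389 tcp
"""

# Constructed "today" sample to compare against the baseline.
OBSERVED_LOG = """\
2007-11-09T09:00:02 10.0.0.12 -> 10.0.0.5:80 tcp
2007-11-09T09:00:07 10.0.0.13 -> 10.0.0.5:80 tcp
2007-11-09T09:01:00 10.0.0.12 -> 10.0.0.6:443 tcp
2007-11-09T09:02:00 10.0.0.12 -> 10.0.0.2:53 udp
2007-11-09T09:03:00 10.0.0.12 -> 10.0.0.7:25 tcp
2007-11-09T09:04:00 10.0.0.31 -> 10.0.0.5:22 tcp
2007-11-09T09:04:01 10.0.0.31 -> 10.0.0.6:22 tcp
2007-11-09T09:04:02 10.0.0.31 -> 10.0.0.7:22 tcp
2007-11-09T09:05:00 10.0.0.31 -> 10.0.0.8:3389 tcp
2007-11-09T09:05:10 10.0.0.31 -> 10.0.0.9:3389 tcp
2007-11-09T09:05:20 10.0.0.31 -> 10.0.0.10:3389 tcp
2007-11-09T09:05:30 10.0.0.31 -> 10.0.0.11:3389 tcp
"""


def port_counts(log_text):
    """Count connections per destination port; lines that don't parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[int(m.group("port"))] += 1
    return counts


def shares(counts):
    """Turn raw counts into the fraction of all connections each port represents."""
    total = sum(counts.values())
    return {port: n / total for port, n in counts.items()} if total else {}


def flag_deviations(baseline_log, observed_log, ratio=3.0, min_count=2):
    """Return (port, reason) pairs for ports whose observed traffic departs from the baseline.

    `ratio` and `min_count` are the tuning knobs the column talks about: a port is
    reported only if it carried at least `min_count` connections and is either absent
    from the baseline or has grown to more than `ratio` times its baseline share.
    Left untuned for a given network, they will report ordinary noise all day.
    """
    base_counts = port_counts(baseline_log)
    obs_counts = port_counts(observed_log)
    base_share = shares(base_counts)
    obs_share = shares(obs_counts)
    findings = []
    for port in sorted(obs_counts):
        n = obs_counts[port]
        if n < min_count:
            continue  # too little traffic to say anything about
        if port not in base_counts:
            findings.append((port, f"{n} connections to a port never seen in the baseline"))
        elif obs_share[port] > ratio * base_share[port]:
            findings.append((port, f"share rose from {base_share[port]:.1%} to {obs_share[port]:.1%}"))
    return findings


if __name__ == "__main__":
    for port, reason in flag_deviations(BASELINE_LOG, OBSERVED_LOG):
        print(f"port {port}: {reason}")
```

On the constructed samples this reports two ports: 22, which the baseline never saw, and 3389, whose share of the day's connections grew well past three times its baseline share. Port 25 is left alone even though it is low-volume, because a single connection is below `min_count`; that filter, and the `ratio` threshold, are exactly the values an analyst has to set from their own network's traffic rather than accept as shipped.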

It all comes down to leveraging both the security appliance and the person interacting with it. Neither one of those is going to be declared dead anytime soon, I can assure you.

Don Parker, GCIA GCIH, specializes in intrusion detection and incident handling. In addition to writing about network security he enjoys a role as guest speaker for various security conferences.
Copyright 2010, SecurityFocus