RE: IDS resourcing

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 07/24/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB065435F@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'A.L.Lambert'" <alambert@manisec.com>, eFool <efool@postmaster.co.uk>
Subject: RE: IDS resourcing
Date: Tue, 24 Jul 2001 14:01:58 -0400

Ahhh...

But because you've outsourced you now have an administrator who will
probably never look at the traffic patterns and the granular behavior of his
network systems. I use my IDS more as a learning tool than as an early
warning system (not that it doesn't serve its purpose). By using an IDS,
firewall, etc., you learn behaviors and trends that could not otherwise be
known.

I can't count the number of times I've been called to look at a network
(security or connectivity) issue, only to have to get my information from an
administrator who tells me that "I've never had to look at that, because we
outsource to so-and-so to save ourselves the headache." Guess who's got the
headache when they're paying John Consultant (that's me!) $100+ an hour to
troubleshoot a problem that I could have fixed on my own network in minutes
because I know exactly where every packet should go, and for the most part,
what they should look like. Say nothing of the fact that, should an
intrusion "slip by" the boys watching your managed IDS, an admin with no
sniffin' experience on that network may never know...

This certainly isn't a bulletproof argument, so don't bother picking the
words. I just feel that outsourcing certain things, one of them being
network security, can be extremely dangerous given certain circumstances.
That said, most of the danger can be overcome by hiring an experienced,
motivated admin; however, we all know from experience that this is a rarity
in a great number of cases.

The great alternative is to outsource an IDS and run in-house at the same
time. Let the managed IDS boys fire off e-mails to offenders and do your
paperwork while you concentrate on watching and learning your systems. The
great problem with this solution, however, is $$$.

I won't even start the "dollar value of security" argument (flame-war,
thread, whatever you want to call it)...

cheers!

Keith W. McCammon

        <biased-opinion>

        Personally, I think it makes good sense to out-source the
monitoring/maintenance of the IDS system(s), rather than dedicate internal
resources to it. The cost savings is immense, the end result is
comparable, and it frees up internal resources so that you can afford to
put more effort into handling other aspects of network/server security
that are best not out-sourced.

        </biased-opinion>


