RE: Recent anti-NIDS Gartner article

From: Paul Benedek (paul.benedek_at_excis.co.uk)
Date: 06/19/03

    To: "'Hall, Andrew (DPRS)'" <AndrewR.hall@aph.gov.au>, <focus-ids@securityfocus.com>
    Date: Thu, 19 Jun 2003 16:44:27 +0100
    
    

    The message of the Gartner article seems to be based around the fiscal impact
    of security systems like NIDS. Whether or not the technology is sound, many
    organisations do not, will not, or find it hard to consider an investment
    with a high administrative overhead. Cost savings within the IT budget are
    crucial as IT Directors are always competing for budget. Even in the most
    technology-led organisations you often find IT reporting to Operations or
    Finance and as such under constant scrutiny for expenditure. Small
    organisations also have an even harder time justifying a security budget.

    Many organisations are also advised by vendors or suppliers purporting to
    sell the "Magic Bullet" to solve their issues. As a result of this, many
    organisations seem to focus on a single solution set to solve their problems
    or rely on a technology too greatly. Sadly, as we all know, this is a false
    economy. Nevertheless, many IT departments are able to report to their board
    that they have taken the appropriate measures to secure the organisation.

    The reality of our situation is that unless the technologies become more
    intuitive and less labour intensive, businesses and media will continue to
    discuss the benefits and disadvantages of any solution. The technologists
    within the organisation are still likely to be overworked and so be unable
    to focus on logs or information analysis. Therefore our focus should be to
    ensure that we can add value by developing solution sets that are easier to
    use and are intelligent enough to inform network management personnel of an
    event and to take the appropriate action without intervention.

    This in itself may be utopian; however, we can develop solutions that could be
    network aware and self-tuning or plug and play. They may not be able to
    catch all threats, but could catch most known threats. By combining the
    network aware capabilities, they may also be able to stop unknown attacks as
    well. This reduction in setup and administration will put them in a class
    with other network devices such as routers or switches or could make them
    combined devices and so will make them affordable. This could justify some
    of the benefits to a sceptical IT Management. Therefore, whether in line or
    sniff and tap, IDS systems have a long way to go in their evolution.

    Regards,

    Paul Benedek
    Director
    Excis Networks Limited
    http://www.excis.co.uk

    -----Original Message-----
    From: Hall, Andrew (DPRS) [mailto:AndrewR.hall@aph.gov.au]
    Sent: 19 June 2003 00:14
    To: focus-ids@securityfocus.com
    Subject: RE: Recent anti-NIDS Gartner article

    Question - how many SOHO or SME clients have the money to purchase both a
    suitable inline IDS and pay to have a suitable admin set it up and
    maintain it? They are either going to end up with a very open sig set
    which is really adding little functionality or a sig set which will
    block heaps of legitimate traffic.

    I argue that a traditional IDS gives you three main things ... Trending,
    forensics and event notification ... All of which an SME/SOHO client
    will not be able to take advantage of. They probably will not look at
    the events/logs themselves, or understand them for that matter. Again,
    they will not spend the $$ to have someone else come in and interpret
    the logs either. Chances are as well that they will not even keep
    their logs, so there is little forensic and post-event analysis possible.

    IDS vendors need to target those markets which will spend the time and
    money to do IDS properly ... And I do not believe that the SOHO/SME
    market is a suitable market for this.

    If the SOHO/SME market truly wants IDS then it should look to the
    managed security provider. I argue that the future for IDS is with MSPs
    / large gateways who have the economy of scale in deployment,
    monitoring, skill sets and vendor relationships. It is in these MSP /
    large gateway environments that sniff and tap IDSs will still be of use
    for gathering data used for trending and forensic purposes - and who
    have the power to analyse and produce something useful from these tools.

    Overall, I argue that the technology is still a fair way off until you
    could safely drop an inline IDS into a relatively unmanaged network and
    expect it would work with little money and little administration costs.

    Andrew

    -----Original Message-----
    From: Srinivasa Rao Addepalli [mailto:srao@intotoinc.com]
    Sent: Thursday, 19 June 2003 4:05 AM
    To: Srinivasa Rao Addepalli; focus-ids@securityfocus.com
    Subject: Re: Recent anti-NIDS Gartner article

    After seeing this article, I got several requests on what I think about
    this article (press release) and applicability of IDSes in different
    market segments. So, I thought I would expand on my previous email.

    IDSes which sniff or tap off the network have several disadvantages:
    - They might miss detection of exploits/attacks/intrusions.
    - There are too many ways to bypass detection.
    - They need expensive hardware for a good performance and detection rate. Due
    to this, they might not survive in the SOHO and SME market segments.

    But I feel Inline IDSes are a good bet for the SOHO and SME segments, since
    all the traffic passes through them and there is no issue of missing
    packets or data. I also think that when enhanced with protection
    (dropping packets or connections) capability, they are more attractive
    to this market segment. Today, IDSes can be configured to inform the
    Firewall, but I don't think anybody seriously thinks that this solves
    all the problems. Having protection capability within the IDS provides
    more control or accurate protection.

    My opinion is that 'tap or sniff IDSes' may not survive much longer (except
    in some minor market segment) and they will probably be replaced
    with Inline IDSes OR Inline IDS/IPSes.

    Srini
    Intoto Inc.
    Enabling Security Infrastructure
    3160, De La Cruz Blvd #100
    Santa Clara, CA 95054
    www.intotoinc.com
    ----- Original Message -----
    From: "Srinivasa Rao Addepalli" <srao@intotoinc.com>
    To: <focus-ids@securityfocus.com>
    Sent: Tuesday, June 17, 2003 8:32 PM
    Subject: Recent anti-NIDS Gartner article

    > One of the primary goals of IDSes (inline or otherwise) is to detect
    > the intention of intrusions. Yes, it is true that Firewalls with
    > application intelligence protect the servers and infrastructure and
    > they are needed as part of a comprehensive security solution.
    >
    > I understand from the report that more resources in the IS department are
    > required to analyze the attacks. It is also true that today IDSes
    > generate too many logs which turn out to be either false positives OR
    > logs that are not applicable for that environment. Unless these
    > problems are fixed, IDSes will demise over time.
    >
    > IDS technology has greatly improved in recent times with more and more
    > IDS products coming out with application intelligence. These reduce
    > the false positives. But the other problem that needs to be fixed is
    > specific to the deployment environment. IDSes should be flexible enough to be
    > tunable by the users, such as deletion of unwanted signature rules,
    > modification of signature rules, setting up typical characteristics of
    > traffic etc. This might sound like a need for IT resources, but the
    > effort it takes to analyze unwanted logs is significantly higher.
    >
    >
    > Thank you for your time.
    > Srini
    >
    >
    >
    > Intoto Inc.
    > Enabling Security Infrastructure
    > 3160, De La Cruz Blvd #100
    > Santa Clara, CA 95054
    > www.intotoinc.com

    -------------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out.
    www.blackhat.com
    -------------------------------------------------------------------------------
