Re: IDS is dead, etc

broyds_at_rogers.com
Date: 06/19/03

  • Next message: Roger A. Grimes: "RE: IDS is dead, etc"
    To: Martin Roesch <roesch@sourcefire.com>, <focus-ids@securityfocus.com>
    Date: Thu, 19 Jun 2003 13:49:54 -0400
    
    

    What I think is dead is a standalone IDS as a product to be run on a client network independent of other security/networking systems on the LAN and independent of other IDS systems run at other places. Putting up a $50K IDS infrastructure on a LAN without paying 3 or 4 $50K/year experts is not useful. If your assets are only worth $100K/year to you, it is better not to waste your money.

    To mangle Bruce Schneier: "IDS is not a product, IDS is a process". To properly use an IDS, one needs to correlate output with other systems, both internal to a particular enterprise network and to systems on the Internet as a whole, which is often better done by buying a service rather than a product.

    I see that IDS will evolve more and more into part of the managed security field, so that the detailed configuration of an IDS is done by experts who can also monitor your network and re-configure it as exploits and vulnerabilities become available, correlate your detection with others that they are monitoring, and give you added value in describing options on any incident.

    IDS will become the data monitoring part of security management, not a separate system on its own.

    >
    > From: Martin Roesch <roesch@sourcefire.com>
    > Date: 2003/06/19 Thu AM 11:57:13 EDT
    > To: focus-ids@securityfocus.com
    > Subject: IDS is dead, etc
    >
    > Just to throw my hat into the ring on this topic in this particular
    > forum, I thought I'd comment. (like I don't get enough email as it
    > is...)
    >
    > Boiling the Gartner report down, here are my takeaways:
    >
    > 1) IDSes produce too many false positives (i.e. the quality of the
    > information they produce is low)
    >
    > 2) IDSes produce too much data (i.e. the quantity of information they
    > produce is high)
    >
    > 3) There is no solution to these problems, therefore IDS is dead and we
    > should all buy in-line IPS, er, "deep content inspection firewalls"!
    >
    > So, is there any way to make the quality of data coming out of the IDS
    > higher while at the same time diminishing the amount of information
    > generated? We've been talking about this exact topic on this list since
    > 1999 on and off and I think all the IDS vendors have ideas how to
    > achieve this goal by integrating network maps and host/service
    > identification into the IDS's world view. If those ideas should
    > actually make their way to market, would that make the systems more
    > useful? I believe so. (At this point I usually pitch Sourcefire, but
    > I'll spare you all.)
    >
    > IDS is all about giving people awareness of what's happening on their
    > networks independent of the network management picture or the other
    > security infrastructure. Deploying security infrastructure without
    > having a mechanism to monitor that infrastructure's behavior and
    > efficacy is like rolling out a spacecraft with all of the telemetry
    > systems removed: it may be doing its job, but when something goes wrong
    > (and it will) you will be relying on data coming out of failed/bypassed
    > systems to try to effect repairs.
    >
    > The whole "ASICs will save us all" part of the argument is where I
    > really start scratching my head. How do ASICs, which tend to exchange
    > flexibility for performance, suddenly become these hyperintelligent
    > application layer analysis devices with enough flexibility to evolve
    > with the relatively rapid changes in the application protocols? NPUs I
    > can see, but ASICs really don't seem like an appropriate solution here.
    > I believe wishful thinking might be driving this line of argument...
    >
    > Finally, we have the "if you can detect the attacks, why don't you just
    > prevent them?!?!?" argument. What happens if I can't be 100% certain
    > about the attack? Blocking attacks is an all-or-nothing proposition: if
    > you're wrong, you're 100% wrong and you just DoSed yourself. What are the
    > chances that large enterprise networks are going to trust their critical
    > infrastructure to that kind of system?
    >
    > Anyway, I hope that wasn't too much of a rehash of other people's
    > thoughts and you guys found it somewhat insightful. Obviously I think
    > Gartner is being inflammatory and creating their own hype cycle, but
    > I've got a vested interest in this technological field. I believe that
    > noisy, inaccurate IDS is definitely dying due to a number of factors,
    > but it's the vendors/developers themselves that are killing it.
    >
    >
    > -Marty
    >
    > --
    > Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    > Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
    > roesch@sourcefire.com - http://www.sourcefire.com
    > Snort: Open Source Network IDS - http://www.snort.org
    >
    >
    >
    > -------------------------------------------------------------------------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > world's premier technical IT security event! 10 tracks, 15 training sessions,
    > 1,800 delegates from 30 nations including all of the top experts, from CSO's to
    > "underground" security specialists. See for yourself what the buzz is about!
    > Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    > -------------------------------------------------------------------------------
    >
    >

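The "network maps and host/service identification" idea in Marty's quoted message, as an added worked example that is not code from this thread, from Snort or from Sourcefire: a small triage pass that checks each alert's destination against an asset map before it reaches an analyst. Everything in it is constructed for illustration: the hosts, the sids and their target metadata, the alert lines, and the regular expression, which only approximates Snort's "fast" alert format. The caveat it encodes is the one Marty raises about certainty: an alert is suppressed only when the asset map positively contradicts the signature (wrong OS, or a different service known to be on that port); an unknown host or an uninventoried port never suppresses.

```python
import re
from collections import Counter

# Approximation of a Snort "fast" alert line (assumption, not Snort's parser):
# ... [**] [gid:sid:rev] message [**] ... {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed asset map (hypothetical hosts): what a network map plus passive
# host/service identification would supply to the IDS.
INVENTORY = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache", 22: "openssh"}},
    "10.0.0.9": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}

# Constructed per-signature target requirements (hypothetical sids).
SIGNATURE_CONTEXT = {
    1000001: {"service": "iis"},                   # "WEB-IIS cmd.exe access"
    1000002: {"os": "windows", "service": "smb"},  # "NETBIOS SMB exploit attempt"
    1000003: {},                                   # "SCAN nmap TCP": any target
}

# Constructed alert lines; addresses are documentation/RFC 1918 ranges.
ALERTS = [
    "06/19-13:49:54.000001 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] "
    "[Priority: 1] {TCP} 192.0.2.10:41000 -> 10.0.0.5:80",
    "06/19-13:49:55.000002 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] "
    "[Priority: 1] {TCP} 192.0.2.10:41001 -> 10.0.0.9:80",
    "06/19-13:49:56.000003 [**] [1:1000002:1] NETBIOS SMB exploit attempt [**] "
    "[Priority: 1] {TCP} 192.0.2.11:3000 -> 10.0.0.5:445",
    "06/19-13:49:57.000004 [**] [1:1000003:1] SCAN nmap TCP [**] "
    "[Priority: 3] {TCP} 192.0.2.12:60000 -> 10.0.0.5:22",
    "06/19-13:49:58.000005 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] "
    "[Priority: 1] {TCP} 192.0.2.10:41002 -> 10.0.0.77:80",
    "06/19-13:49:59.000006 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] "
    "[Priority: 1] {TCP} 192.0.2.10:41003 -> 10.0.0.5:8080",
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not parse."""
    m = FAST_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["dport"] = int(fields["dport"])
    return fields


def triage(line, inventory=INVENTORY, sig_ctx=SIGNATURE_CONTEXT):
    """Return (verdict, reason). 'suppress' only when the asset map positively
    contradicts the signature's target; missing data always keeps the alert."""
    a = parse_alert(line)
    if a is None:
        return "unparsed", "line does not match the fast-alert format"
    host = inventory.get(a["dst"])
    if host is None:
        return "keep", f"{a['dst']} not in asset map; cannot rule the attack out"
    if a["sid"] not in sig_ctx:
        return "keep", f"sid {a['sid']} has no target metadata"
    req = sig_ctx[a["sid"]]
    if "os" in req and host["os"] != req["os"]:
        return "suppress", f"signature targets {req['os']}, {a['dst']} runs {host['os']}"
    if "service" in req:
        svc = host["services"].get(a["dport"])
        if svc is None:
            return "keep", f"service on {a['dst']}:{a['dport']} unknown; keeping"
        if svc != req["service"]:
            return "suppress", (f"signature targets {req['service']}, "
                                f"{a['dst']}:{a['dport']} runs {svc}")
    return "keep", "target matches signature context"


def summarize(lines):
    """Count verdicts over a batch of alert lines."""
    return Counter(triage(line)[0] for line in lines)


if __name__ == "__main__":
    for line in ALERTS:
        verdict, reason = triage(line)
        print(f"{verdict:8s} {reason}")
    print(dict(summarize(ALERTS)))
```

Run as-is, two of the six constructed alerts are suppressed (IIS signature against an Apache host, SMB signature against a Linux host) and the rest are kept, including the two where the map simply has nothing to say. That asymmetry is the design choice: context reduces the volume Gartner complains about, but the decision to drop is only ever taken on positive evidence, which is also why such a filter belongs on the detection side rather than in an in-line blocking path.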

