RE: IDS is dead, etc

From: Roger A. Grimes (rogerg_at_cox.net)
Date: 06/19/03

    To: "Martin Roesch" <roesch@sourcefire.com>, <focus-ids@securityfocus.com>
    Date: Thu, 19 Jun 2003 13:53:20 -0400
    
    

    Excellent points.

    What perplexes me more is how firewalls solve #1 or #2 even better than
    IDSs? Most firewall logs are just as tough to decipher as IDSs.

    (Note: If you're a firewall administrator and your logs are only full of
    real threats, let me know so I can get you on InfoSec's version of Oprah.)

    Automated security analytics is a tough animal, I don't care what the system.
    Even honeypots, which are often touted because "any traffic to the honeypot
    is malicious", can suffer from false positives, albeit not as much. Note
    that many of the existing and forthcoming log-analyzing software packages
    interact with firewalls and IDSs, not just IDSs.

    Roger

    ***************************************************************************
    *Roger A. Grimes, Computer Security Consultant
    *CPA, MCSE (NT/2000), CNE (3/4), A+
    *email: rogerg@cox.net
    *cell: 757-615-3355
    *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
    *http://www.oreilly.com/catalog/malmobcode/
    ***************************************************************************

    -----Original Message-----
    From: Martin Roesch [mailto:roesch@sourcefire.com]
    Sent: Thursday, June 19, 2003 11:57 AM
    To: focus-ids@securityfocus.com
    Subject: IDS is dead, etc

    Just to throw my hat into the ring on this topic in this particular
    forum, I thought I'd comment. (like I don't get enough email as it
    is...)

    Boiling the Gartner report down, here are my takeaways:

    1) IDSes produce too many false positives (i.e. the quality of the
    information they produce is low)

    2) IDSes produce too much data (i.e. the quantity of information they
    produce is high)

    3) There is no solution to these problems, therefore IDS is dead and we
    should all buy in-line IPS, er, "deep content inspection firewalls"!

    So, is there any way to make the quality of data coming out of the IDS
    higher while at the same time diminishing the amount of information
    generated? We've been talking about this exact topic on this list since
    1999 on and off and I think all the IDS vendors have ideas how to
    achieve this goal by integrating network maps and host/service
    identification into the IDS's world view. If those ideas should
    actually make their way to market, would that make the systems more
    useful? I believe so. (At this point I usually pitch Sourcefire, but
    I'll spare you all.)

    IDS is all about giving people awareness of what's happening on their
    networks independent of the network management picture or the other
    security infrastructure. Deploying security infrastructure without
    having a mechanism to monitor that infrastructure's behavior and
    efficacy is like rolling out a spacecraft with all of the telemetry
    systems removed; it may be doing its job, but when something goes wrong
    (and it will) you will be relying on data coming out of failed/bypassed
    systems to try to effect repairs.

    The whole "ASICs will save us all" part of the argument is where I
    really start scratching my head. How do ASICs, which tend to exchange
    flexibility for performance, suddenly become these hyperintelligent
    application layer analysis devices with enough flexibility to evolve
    with the relatively rapid changes in the application protocols? NPUs I
    can see, but ASICs really don't seem like an appropriate solution here.
    I believe wishful thinking might be driving this line of argument...

    Finally, we have the "if you can detect the attacks, why don't you just
    prevent them?!?!?" argument. What happens if I can't be 100% certain
    about the attack? Blocking attacks is an all-or-nothing proposition: if
    you're wrong, you're 100% wrong and you just DoSed yourself. What are the
    chances that large enterprise networks are going to trust their critical
    infrastructure to that kind of system?

    Anyway, I hope that wasn't too much of a rehash of other people's
    thoughts and you guys found it somewhat insightful. Obviously I think
    Gartner is being inflammatory and creating their own hype cycle, but
    I've got a vested interest in this technological field. I believe that
    noisy, inaccurate IDS is definitely dying due to a number of factors,
    but it's the vendors/developers themselves that are killing it.

         -Marty

    --
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
    -------------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    -------------------------------------------------------------------------------
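Marty's two technical points above, folding a network map and host/service identification into the IDS's world view to raise alert quality and cut volume, and reserving in-line blocking for alerts the sensor is highly confident about, can be shown together in a small triage script. This is an added example, not code from either poster, Sourcefire or Snort: the asset inventory, the alerts, the signature metadata (`target_os`, `target_service`) and the confidence values are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory (hypothetical addresses): what the IDS "knows"
# about each monitored host. This is the network map / host-service
# identification that the thread proposes folding into the IDS view.
ASSETS: Dict[str, dict] = {
    "10.0.0.5": {"os": "linux", "services": {22: "openssh", 80: "apache"}},
    "10.0.0.9": {"os": "windows", "services": {445: "smb", 3389: "rdp"}},
}


@dataclass
class Alert:
    sig_id: int
    name: str
    dst_ip: str
    dst_port: int
    target_os: Optional[str] = None       # OS the signature's attack applies to (None = any)
    target_service: Optional[str] = None  # service the attack applies to (None = any)


# Constructed raw alerts, as a context-free sensor would emit them.
RAW_ALERTS: List[Alert] = [
    Alert(1001, "IIS WebDAV overflow attempt", "10.0.0.5", 80, "windows", "iis"),
    Alert(2001, "SMB exploit attempt", "10.0.0.9", 445, "windows", "smb"),
    Alert(3001, "RDP connection attempt", "10.0.0.5", 3389, None, "rdp"),
    Alert(4001, "Generic shellcode pattern", "10.0.0.77", 8080),
]


def score(alert: Alert, assets: Dict[str, dict]) -> Tuple[str, float]:
    """Return (reason, confidence) that the alert actually applies to its target.

    Confidence values are illustrative weights, not measured probabilities.
    """
    host = assets.get(alert.dst_ip)
    if host is None:
        return "unknown-host", 0.5          # no context: keep it visible, don't block
    if alert.target_os and host["os"] != alert.target_os:
        return "os-mismatch", 0.1           # exploit for an OS this host doesn't run
    svc = host["services"].get(alert.dst_port)
    if svc is None:
        return "port-closed", 0.2           # nothing is listening on that port
    if alert.target_service and svc != alert.target_service:
        return "service-mismatch", 0.2      # wrong daemon behind the port
    return "applicable", 0.9


def decide(confidence: float, block_at: float = 0.9, alert_at: float = 0.5) -> str:
    """Blocking is all-or-nothing, so only the highest-confidence alerts earn it;
    mid-confidence alerts go to an analyst, the rest are merely logged."""
    if confidence >= block_at:
        return "block"
    if confidence >= alert_at:
        return "alert"
    return "log"


def triage(alerts: List[Alert], assets: Dict[str, dict] = ASSETS):
    """Annotate each alert with its context reason, confidence and action."""
    results = []
    for a in alerts:
        reason, conf = score(a, assets)
        results.append((a.sig_id, reason, conf, decide(conf)))
    return results


def summarize(results) -> Dict[str, int]:
    """Count actions, which is the 'quantity of information' after context is applied."""
    counts = {"block": 0, "alert": 0, "log": 0}
    for _, _, _, action in results:
        counts[action] += 1
    return counts


if __name__ == "__main__":
    rows = triage(RAW_ALERTS)
    for row in rows:
        print(row)
    print(summarize(rows))
```

Of the four raw alerts only one (the SMB exploit against a Windows host actually serving SMB) is confident enough to block, one lands in front of an analyst because the target is not in the inventory, and the two that cannot apply to their targets are reduced to log entries. The thresholds are where the operational trade-off from the thread lives: raising `block_at` trades missed blocks for fewer self-inflicted outages.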
