Re: IDS is dead, etc

From: Andrew Plato (
Date: 06/24/03

  • Next message: Niels Provos: "Honeyd 0.6: Happy Summer/Pre-Birthday Release"
    Date: Mon, 23 Jun 2003 16:17:44 -0700
    To: <>

    Martin Roesch <> wrote...

    >Boiling the Gartner report down, here are my take aways:
    >1) IDSes produce too many false positives (i.e. the quality of the
    >information they produce is low)
    >2) IDSes produce too much data (i.e. the quantity of information they
    >produce is high)
    >3) There is no solution to these problems, therefore IDS is dead and we
    >should all buy in-line IPS, er, "deep content inspection firewalls"!

    >So, is there any way to make the quality of data coming out of the IDS
    >higher while at the same time diminishing the amount of information
    >generated? We've been talking about this exact topic on this list since
    >1999 on and off and I think all the IDS vendors have ideas how to
    >achieve this goal by integrating network maps and host/service
    >identification into the IDS's world view. If those ideas should
    >actually make their way to market, would that make the systems more
    >useful? I believe so. (At this point I usually pitch Sourcefire, but
    >I'll spare you all.)

    I think what Gartner's article really demonstrates is that very few
    organizations are implementing and using their IDSs properly. Gartner's
    "data" and interpretation are based on the fact that many organizations
    are not using IDS effectively. As such, they are feeding Gartner with
    complaints, which Gartner is mis-interpreting as a technical problem.

    Technically, IDSs are sound. It's not the software or the hardware, it's
    the wetware. The brains (or lack thereof) that are supposed to be using
    and administering those IDSs.

    As a person who implements a lot of IDSs, I've come to realize that very
    few people really know how to work with IDS (or IPS for that matter).
    They order up a big expensive IDS solution, plug it in, and then
    promptly ignore it. When they get hacked or something goes awry, they
    complain that it doesn't work.

    Thus, I don't think new features like network maps or host/service data
    will resolve the problem entirely. It may remedy some of the symptoms,
    but the disease is that people do not understand IDS and do not use it

    For this I blame vendors and the high-volume IT resellers. Both of these
    groups are mis-informing their customers about the REAL costs of IDS.
    They haggle over features and the color of reports, but fail to inform
    their customers that in order for their IDS to be effective, they have
    to actually put a brain behind it. The only answer the IDS vendors can
    provide is expensive 24/7/365 monitoring, which is not financially
    possible for many organizations.

    Moreover, very few organizations develop the procedures and the policies
    necessary to manage the data an IDS produces. Also, many of the users
    lack the security training to use IDS information effectively.

    The result is a perfectly good technology being misused by uninformed
    people. The vendors don't want to be too honest about this, because
    suddenly a $50,000 IDS becomes a $200,000 project. The high-volume
    resellers don't care about this because their whole game is margin on a
    massive scale. Educating customers is somebody else's problem.

    This is where I would sell the benefits of smaller consulting firms and
    outsourced management and support of an IDS. I would also specifically
    point out some of the on-site managed security services my company does
    - but I too will spare everybody the sales pitch.

    I think if the security community is going to form a response, it must
    consider that there is still a lot of ignorance and misunderstanding out
    there about what IDS is, how it works, and what benefits it provides.
    The Gartner report is merely evidence of how high-up the corporate
    ladder that misinformation had gotten.

    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Enterprise Security

