RE: Is IDS/IPS worthless?

From: Fergus Brooks (fergusb_at_evolve-online.com)
Date: 02/24/04

    To: <mlyman-security@comcast.net>, <focus-ids@securityfocus.com>
    Date: Tue, 24 Feb 2004 09:43:25 +0800
    
    

    Interesting statistic I read in the South China Morning Post this morning is
    that only 1.6% of companies surveyed in Hong Kong have IDS but ~45% have
    firewalls. Most have at least 1.5meg DSL. The firewall stat is a large
    increase over the last few years - IDS is little changed.

    So either the value of IDS is not being discussed with companies or the
    merits aren't apparent due to poor marketing etc.

    It can be a scary acronym-filled technology for end-users and a lot of
    businesses simply couldn't care less if someone goes poking around their
    perimeter. A few perceptions I guess it is up to the consultants and
    integrators to remedy.

    Can anyone tell me what the IDS take-up stats relative to firewalls are like
    in the US or Europe?

    Rgds...

    -----Original Message-----
    From: Mike Lyman [mailto:mlyman-security@comcast.net]
    Sent: Saturday, 21 February 2004 8:05 AM
    To: focus-ids@securityfocus.com
    Subject: Re: Is IDS/IPS worthless?

    On Fri, 2004-02-20 at 10:31, Andrew Plato wrote:
    > So this speaker then challenged me to come up with verifiable metrics.
    > I replied that he would have to define what metrics he wants? What
    > does he consider a "viable metric" for performance. He said "did they
    > sell more products, make more money?" I replied "why is that the only
    > metric that

    Standard security ROI question when security doesn't have an ROI unless
    you're selling security. Do locks on the doors help you sell more product
    (unless you sell locks) or sprinkler heads in the ceilings help you make
    more money?

    > What is happening here? Anybody have any idea why there is a growing
    > "anti-IDS" attitude. Is it the failure of IDS to produce value in an

    I think most people approach IDS/IPS to stop hacking and to stop viruses and
    worms and they just can't do that job 100%. You can throw all the resources
    you want at IDS and it still won't be able to prevent all security breaches.
    From that point of view, it's a bottomless pit. You can put in as many
    sensors as you want and put as many people watching the data as you want and
    you still won't stop everything.

    There are realistic approaches and values for IDS/IPS to be had for a
    reasonable investment. Unfortunately they are not marketed that way or
    priced that way (well, for the most part they aren't priced that way). I
    think too many have fallen for the marketing and reality has long since set
    in. That may bring some reality to the marketing and the pricing.

    --
    Mike Lyman <mlyman-security@comcast.net>
    
