RE: Is IDS/IPS worthless?

From: Andrew Plato (aplato_at_anitian.com)
Date: 02/24/04

    Date: Tue, 24 Feb 2004 10:52:18 -0800
    To: <focus-ids@securityfocus.com>
    
    

    First, thank you to everybody who has replied on and off list to this
    issue. Lots of great ideas.

    After reading all these responses I've come to the conclusion that the
    key problem with IDS/IPS seems to be education (or mis-education).
    People have a lot of inaccurate or incomplete data about IPS/IDS in the
    general public (not here on the list.) And they base their opinions on
    the effectiveness of these technologies on that faulty information.

    For example, there is an infosec "celebrity" I see occasionally who
    repeatedly tells a story about ONE company he visited where they left
    their IDS unused, sitting on a shelf. That story has taken on a life of
    its own. People now use that story as justification for why IPS/IDS
    isn't worth the investment.

    What this celebrity fails to mention is the reason people leave
    IDS/IPS on a shelf: inexperience. Either the IT team failed to implement
    the IDS/IPS properly or the reseller/vendor misrepresented its
    capabilities or implementation challenges.

    As such, I think Gartner is really just echoing what a lot of people
    believe. IDS is dead because it's consistently implemented and used
    incorrectly. And thus, people think IDS is useless because the person
    before them refused to learn how to make an IPS/IDS effective.

    It's a positive feedback loop of sorts.

    1. Vendors over-sell their products' capabilities and/or resellers fail
    to educate their customers.

    2. The products are improperly implemented and/or used.

    3. These failures spread via "celebrity" stories and "research" reports.

    4. A valuable technology gains a stigma of ineffectiveness when in
    reality the problem is an education failure.

    This is my interpretation of the problem. Does anybody agree with this?
    Or am I being a moron and missing something obvious?

    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    ANITIAN ENTERPRISE SECURITY

    3800 SW Cedar Hills Blvd, Suite 298
    Beaverton, OR 97005
    503-644-5656 Office
    503-214-8069 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________

    GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
    GPG public key available at: http://www.anitian.com/corp/keys.htm

     
