IDS mailing list archives
RE: Recent anti-NIDS Gartner article
From: "Paul Benedek" <paul.benedek () excis co uk>
Date: Thu, 19 Jun 2003 16:44:27 +0100
The message of the Gartner article seems to be based around the fiscal impact of security systems like NIDS. Whether or not the technology is sound, many organisations do not, will not, or find it hard to consider an investment with a high administrative overhead. Cost savings within the IT budget are crucial as IT Directors are always competing for budget. Even in the most technology-led organisations you often find IT reporting to Operations or Finance and as such under constant scrutiny for expenditure. Small organisations also have an even harder time justifying security budget. Many organisations are also advised by vendors or suppliers purporting to sell the "Magic Bullet" to solve their issues. As a result of this, many organisations seem to focus on a single solution set to solve their problems or rely on a technology too greatly. Sadly, as we all know, this is a false economy. Nevertheless many IT departments are able to report to their board that they have taken the appropriate measures to secure the organisation.

The reality of our situation is that unless the technologies become more intuitive and less labour intensive, businesses and media will continue to discuss the benefits and disadvantages of any solution. The technologists within the organisation are still likely to be overworked and so be unable to focus on logs or information analysis. Therefore our focus should be to ensure that we can add value by developing solution sets that are easier to use and are intelligent enough to inform network management personnel of an event and to take the appropriate action without intervention. This in itself may be utopian; however, we can develop solutions that could be network aware and self-tuning or plug and play. They may not be able to catch all threats, but could catch most known threats. By combining the network aware capabilities, they may also be able to stop unknown attacks as well.

This reduction in setup and administration will put them in a class with other network devices such as routers or switches, or could make them combined devices, and so will make them affordable. This could justify some of the benefits to a sceptical IT Management. Therefore, whether in line or sniff and tap, IDS systems have a long way to go in their evolution.

Regards,

Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk

-----Original Message-----
From: Hall, Andrew (DPRS) [mailto:AndrewR.hall () aph gov au]
Sent: 19 June 2003 00:14
To: focus-ids () securityfocus com
Subject: RE: Recent anti-NIDS Gartner article

Question - how many SOHO or SME clients have the money to purchase both a suitable inline IDS and pay to have a suitable admin set it up and maintain it? They are either going to end up with a very open sig set which is really adding little functionality or a sig set which will block heaps of legitimate traffic.

I argue that a traditional IDS gives you three main things ... trending, forensics and event notification ... all of which an SME/SOHO client will not be able to take advantage of. They probably will not look at the events/logs themselves, or understand them for that matter. Again, they will not spend the $$ to have someone else come in and interpret the logs either. Chances are as well that they will not even keep their logs, so there is little forensic and post-event analysis possible.

IDS vendors need to target those markets which will spend the time and money to do IDS properly ... and I do not believe that the SOHO/SME market is a suitable market for this. If the SOHO/SME market truly want IDS then they should look to the managed security provider. I argue that the future for IDS is with MSPs / large gateways who have the economy of scale in deployment, monitoring, skill sets and vendor relationships. It is in these MSP / large gateway environments that sniff and tap IDSs will still be of use for gathering data used for trending and forensic purposes - and who have the power to analyse and produce something useful from these tools.

Overall, I argue that the technology is still a fair way off until you could safely drop an inline IDS into a relatively unmanaged network and expect it would work with little money and little administration costs.

Andrew

-----Original Message-----
From: Srinivasa Rao Addepalli [mailto:srao () intotoinc com]
Sent: Thursday, 19 June 2003 4:05 AM
To: Srinivasa Rao Addepalli; focus-ids () securityfocus com
Subject: Re: Recent anti-NIDS Gartner article

After seeing this article, I got several requests on what I think about this article (press release) and applicability of IDSes in different market segments. So, I thought I would expand on my previous email.

IDSes which sniff or tap off the network have several disadvantages:
- They might miss detection of exploits/attacks/intrusions.
- There are too many ways to bypass detection.
- Need expensive hardware for good performance and detection rate.

Due to this, these might not survive in SOHO and SME market segments. But, I feel inline IDS are a good bet for SOHO and SME segments and, since all the traffic passes through this, there is no issue of missing packets or data. I also think that when enhanced with protection (dropping packets or connection) capability, they are more attractive to this market segment. Today, IDSes can be configured to inform the Firewall, but I don't think anybody seriously thinks that this solves all the problems. Having protection capability within the IDS provides more control or accurate protection.

My opinion is that 'tap or sniff IDSes' may not survive longer (except in some minor market segment) and they will probably be replaced with inline IDSes OR inline IDS/IPSes.

Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com

----- Original Message -----
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 17, 2003 8:32 PM
Subject: Recent anti-NIDS Gartner article

One of the primary goals of IDSes (inline or otherwise) is to detect the intention of intrusions. Yes, it is true that Firewalls with application intelligence protect the servers and infrastructure and they are needed as part of a comprehensive security solution. I understand from the report that more resources in the IS department are required to analyze the attacks. It is also true that today IDSes generate too many logs which turn out to be either false positives OR logs that are not applicable for that environment. Unless these problems are fixed, IDSes will demise over time.

IDS technology is greatly improved in recent times with more and more IDS products coming out with application intelligence. These reduce the false positives. But the other problem that needs to be fixed is specific to the deployment environment. IDSes should be flexible to be tunable by the users, such as deletion of unwanted signature rules, modification of signature rules, setting up typical characteristics of traffic etc. This might sound like a need for IT resources, but the effort it takes to analyze unwanted logs is significantly higher.

Thank you for your time.

Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
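Added example, not part of any post in this thread: Srini's point that an IDS must be tunable by its operators (disabling unwanted signatures, suppressing a signature where the traffic is expected, and not drowning the analyst in repeats) can be shown as a small post-processing pass over raw alerts. The alert line layout, the signature IDs, the addresses and the tuning policy below are all constructed for illustration and do not correspond to any product's format or rule set.

```python
"""Alert tuning pass: disable, suppress and threshold IDS alerts.

Constructed example. Alert lines use a made-up "ts sid src dst msg" layout;
the policy models three common tuning knobs:
  - disabled:  signature IDs that are switched off entirely
  - suppress:  (sid, src) pairs expected in this environment (e.g. a
               secondary DNS server legitimately requesting zone transfers)
  - threshold: sid -> (count, seconds): emit one alert per (sid, src) only
               when `count` events arrive within `seconds`, then reset
"""
import re
from dataclasses import dataclass

ALERT_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<sid>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<msg>.*)$"
)


@dataclass
class Alert:
    ts: int
    sid: int
    src: str
    dst: str
    msg: str


@dataclass
class TuningPolicy:
    disabled: set      # set of sids
    suppress: set      # set of (sid, src) tuples
    threshold: dict    # sid -> (count, seconds)


@dataclass
class TuningStats:
    disabled: int = 0
    suppressed: int = 0
    thresholded: int = 0


def parse_alerts(text):
    """Parse constructed alert lines; blank lines and '#' comments are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable alert line: {line!r}")
        alerts.append(Alert(int(m["ts"]), int(m["sid"]), m["src"], m["dst"], m["msg"]))
    return alerts


def apply_tuning(alerts, policy):
    """Return (kept_alerts, stats) after applying the policy in order."""
    kept, stats = [], TuningStats()
    windows = {}  # (sid, src) -> (window_start_ts, events_seen_in_window)
    for a in alerts:
        if a.sid in policy.disabled:
            stats.disabled += 1
            continue
        if (a.sid, a.src) in policy.suppress:
            stats.suppressed += 1
            continue
        if a.sid in policy.threshold:
            count, seconds = policy.threshold[a.sid]
            key = (a.sid, a.src)
            start, seen = windows.get(key, (a.ts, 0))
            if a.ts - start >= seconds:      # window expired: start a new one
                start, seen = a.ts, 0
            seen += 1
            if seen < count:                 # not yet enough events: hold back
                windows[key] = (start, seen)
                stats.thresholded += 1
                continue
            windows.pop(key, None)           # emit once, then reset the window
        kept.append(a)
    return kept, stats


# Constructed sample alerts (hypothetical addresses and signature IDs).
SAMPLE_ALERTS = "\n".join(
    ["1000 2001 10.0.0.5 10.0.0.80 WEB-MISC noisy generic signature",
     "1001 3001 10.0.0.9 10.0.0.53 DNS zone transfer request",
     "1002 3001 192.0.2.7 10.0.0.53 DNS zone transfer request"]
    + [f"{t} 4001 198.51.100.3 10.0.0.80 SCAN port sweep" for t in range(1003, 1013)]
    + ["1100 4001 198.51.100.3 10.0.0.80 SCAN port sweep",
       "1200 5001 203.0.113.4 10.0.0.25 SMTP command overflow attempt"]
)

# Constructed policy: 2001 is irrelevant here, 10.0.0.9 is the secondary DNS
# (zone transfers expected), and the scan signature fires far too often.
POLICY = TuningPolicy(
    disabled={2001},
    suppress={(3001, "10.0.0.9")},
    threshold={4001: (5, 60)},
)


def run_example():
    return apply_tuning(parse_alerts(SAMPLE_ALERTS), POLICY)


if __name__ == "__main__":
    kept, stats = run_example()
    for a in kept:
        print(f"{a.ts} sid={a.sid} {a.src} -> {a.dst} {a.msg}")
    print(stats)
```

With the constructed input, sixteen raw alerts reduce to four: the zone transfer from the unexpected source, two summary alerts for the scanning host (the 5th and 10th events inside the 60-second window), and the untuned SMTP alert. The policy is data, not code, so an operator can adjust it per site without touching the detection engine, which is the flexibility Srini argues for.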
Current thread:
- RE: Recent anti-NIDS Gartner article, (continued)
- RE: Recent anti-NIDS Gartner article Reverman, Peter C (Jun 17)
- RE: Recent anti-NIDS Gartner article - BruteForce Security Robert J. Mehler (Jun 17)
- Recent anti-NIDS Gartner article Srinivasa Rao Addepalli (Jun 18)
- RE: Recent anti-NIDS Gartner article Jim Butterworth (Jun 18)
- Re: Recent anti-NIDS Gartner article Michael Sierchio (Jun 18)
- RE: Recent anti-NIDS Gartner article - BruteForce Security Robert J. Mehler (Jun 17)
- Re: Recent anti-NIDS Gartner article Srinivasa Rao Addepalli (Jun 18)
- Re: Recent anti-NIDS Gartner article Stephen Samuel (Jun 19)
- Re: Recent anti-NIDS Gartner article Srinivasa Rao Addepalli (Jun 22)
- RE: Recent anti-NIDS Gartner article Jim Butterworth (Jun 19)
- Re: Recent anti-NIDS Gartner article Stephen Samuel (Jun 19)
- RE: Recent anti-NIDS Gartner article Hall, Andrew (DPRS) (Jun 19)
- RE: Recent anti-NIDS Gartner article Paul Benedek (Jun 22)
- Re: Recent anti-NIDS Gartner article Richard Ginski (Jun 19)
- RE: Recent anti-NIDS Gartner article Reverman, Peter C (Jun 17)