IDS mailing list archives
RE: Recent Gartner IDS/IPS report
From: "Andre Yee" <ayee () nfr com>
Date: Thu, 19 Jun 2003 14:51:09 -0400
As an IDS/IPS vendor, the problem we have with Gartner's report is threefold. First, it is an example of gross over-simplificiation to say if "you can detect it, why not prevent it". There some types of attacks that can be stopped on the fly such as a known virus/worm attachments over SMTP but stealth insider attacks are typically not detected with sufficient fidelity so as to prevent it on the fly..which leads to my next point, there's still value in knowing that suspicious and possibly malicious activity is taking place. Gartner has chosen to ignore the value of security monitoring and auditing which is part of any well-formed security strategy Finally, leading IDS vendors, including NFR are actually providing facilities to lower false positives by offering both passive and active mapping features that result in a "smarter" IDS. If Gartner would keep an open mind, they would view this as significant progress. Of course, I have a prediction of my own - How about.the demise of current generation industry analysts by 2005. Reason? Excessive false positives and lack of corporate value. They will be supplanted next-gen analysts who will deliver outrages claims with no loss of performance. After all, if you can make stuff up, why bother with thoughtful analysis. :-) Andre Yee NFR Security, Inc. -----Original Message----- From: Avi Chesla [mailto:avic () V-Secure com] Sent: Thursday, June 19, 2003 4:07 AM To: focus-ids () securityfocus com Subject: RE: Recent Gartner IDS/IPS report Hi, I agree with Gartner's statement, that the next generation of security products will integrate automatic prevention capabilities into their systems. This is already happening (IPS - Intrusion Prevention Systems) and my opinion is that this reflects the market's needs currently and in the future. Why is that? The increasing value of the Internet have raised the demands for faster security solutions and, most importantly, automatic active devices that can provide proper countermeasures to the attacks. Due to the speed and frequency of attack methods, these devices must also be able to execute defensive actions without human intervention in minimum time. The majority of Internet connected organizations do not have the necessary time or resources to properly analyze security reports, implement necessary countermeasures and execute them. If the organization's Internet infrastructure and applications aren't easily accessible or are difficult to use, the customers who expect to get fast and reliable online services will simply find another available service (usually from a competing organization). Human decisions and actions take time and, in a world dominated by fast hardware and communication lines, some of the decisions and countermeasures will have to be done automatically by the security devices in order to avoid losing customers. It is not clear however, what Gartner means by saying that firewalls (with more security functionalities - network and applications protections) will replace the IDS products. Intrusion analysis is an entirely different technology than the technology which is associated with current firewalls products. Integrating both technologies in the same product is possible and it seems that this is what Gartner was intending to explain, unsuccessfully. Although it might upset some vendors, if automatic prevention is what the market wants, it is a fact that the current IDS products which are associated with an excessive amount of false positives, will not be able to provide. Avi Chesla ---------------------------------------------------------------------------- --- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com -------------------------------------------------------------------------------
Current thread:
- Recent Gartner IDS/IPS report Gary Golomb (Jun 18)
- Re: Recent Gartner IDS/IPS report Stephen Samuel (Jun 18)
- Re: Recent Gartner IDS/IPS report Andreas Hess (Jun 22)
- Re: Recent Gartner IDS/IPS report Jeff Nathan (Jun 22)
- <Possible follow-ups>
- RE: Recent Gartner IDS/IPS report Carey, Steve T GARRISON (Jun 18)
- RE: Recent Gartner IDS/IPS report oherrera (Jun 19)
- RE: Recent Gartner IDS/IPS report Avi Chesla (Jun 19)
- RE: Recent Gartner IDS/IPS report Andre Yee (Jun 22)
- RE: Recent Gartner IDS/IPS report Golomb, Gary (Jun 22)