IDS mailing list archives

Re: IDS is dead, etc


From: Lance Spitzner <lance () honeynet org>
Date: Thu, 19 Jun 2003 22:54:44 -0500 (CDT)

On 19 Jun 2003, Martin Roesch wrote:

Boiling the Gartner report down, here are my take aways:

1) IDSes produce too many false positives (i.e. the quality of the
information they produce is low)

2) IDSes produce too much data (i.e. the quantity of information they
produce is high)

3) There is no solution to these problems, therefore IDS is dead and we
should all buy in-line IPS, er, "deep content inspection firewalls"!

So, is there any way to make the quality of data coming out of the IDS
higher while at the same time diminishing the amount of information
generated?  

This is where I think honeypots represent such an exciting opportunity
by working with existing detection solutions.  Honeypots dramatically
reduce the amount of data and false positives an organization collects.
Honeypots have the added bonus of working in both IPv6 and encrypted
environments.  By correlating these capabilities with current IDS
technologies, we can help address these issues.

       Honeypots: Simple, Effective Detection
       http://www.securityfocus.com/infocus/1690

lance
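The correlation Lance describes, as an added example that is not part of the original post and not code from the Honeynet Project or from Snort: a Python triage script that reads IDS alerts and a honeypot connection log, promotes every alert in which a honeypot is an endpoint (nothing of production value lives there, so the traffic is unsolicited by definition), then pivots on the sources the honeypot saw so that their other alerts, including those against production hosts, are promoted too. Sources the honeypot recorded but no signature fired on are reported separately; that is the IPv6/encrypted-traffic case, since the honeypot needs no signature to log a connection. The honeypot address pool, the Snort-style alert lines, the honeypot log and its format, and the bracketed `[addr]:port` notation for IPv6 endpoints are all assumptions constructed for this example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed honeypot address pool (assumption of this example): addresses
# that host nothing of production value, so any traffic to them is unsolicited.
HONEYPOT_ADDRS = frozenset(
    ipaddress.ip_address(a) for a in ("192.0.2.50", "192.0.2.51", "2001:db8::50")
)

# Constructed Snort-style "fast" alert lines. Endpoint notation is an assumption
# of this example: IPv4 as addr:port, IPv6 as [addr]:port, ICMP as a bare addr.
SAMPLE_ALERTS = """\
06/19-22:54:44.100000  [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80
06/19-22:54:44.200000  [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.50:80
06/19-22:54:45.000000  [**] [1:1000002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 198.51.100.7:40003 -> 192.0.2.11:80
06/19-22:54:46.000000  [**] [1:1000003:1] ICMP PING NMAP [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.12
06/19-22:54:47.000000  [**] [1:1000002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.10:5555 -> 192.0.2.12:80
06/19-22:54:48.000000  [**] [1:1000004:1] SSH brute force [**] [Priority: 2] {TCP} [2001:db8:1::9]:6000 -> [2001:db8::50]:22
"""

# Constructed honeypot connection log: the honeypot records every connection it
# accepts without needing a signature, so it also sees what the IDS cannot
# decode (the TLS connection to :443 below raised no IDS alert at all).
SAMPLE_HONEYPOT_LOG = """\
2003-06-19T22:54:44 TCP 198.51.100.7:40002 -> 192.0.2.50:80
2003-06-19T22:54:48 TCP [2001:db8:1::9]:6000 -> [2001:db8::50]:22
2003-06-19T22:55:01 TCP 203.0.113.12:7000 -> 192.0.2.51:443
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
HP_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int
    proto: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address


def split_endpoint(ep: str):
    """Return (address, port-or-None) for the endpoint notation assumed above."""
    if ep.startswith("["):                       # [v6addr]:port
        addr, _, port = ep[1:].partition("]:")
        return ipaddress.ip_address(addr), int(port)
    if ep.count(":") == 1:                       # v4addr:port
        addr, _, port = ep.partition(":")
        return ipaddress.ip_address(addr), int(port)
    return ipaddress.ip_address(ep), None        # bare address (ICMP)


def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue                             # not an alert line; skip it
        src, _ = split_endpoint(m["src"])
        dst, _ = split_endpoint(m["dst"])
        alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], int(m["prio"]),
                            m["proto"], src, dst))
    return alerts


def honeypot_sources(text: str, honeypots=HONEYPOT_ADDRS) -> set:
    """Addresses that connected to a honeypot; each is unsolicited by definition."""
    sources = set()
    for line in text.splitlines():
        m = HP_RE.match(line)
        if not m:
            continue
        src, _ = split_endpoint(m["src"])
        dst, _ = split_endpoint(m["dst"])
        if dst in honeypots:                     # ignore entries for non-honeypot hosts
            sources.add(src)
    return sources


def triage(alerts, hp_sources, honeypots=HONEYPOT_ADDRS):
    """Split alerts into a promoted (high-confidence) list and the baseline queue.
    Promote when either end is a honeypot (to it: never legitimate; from it: the
    honeypot was compromised) or when the source already touched a honeypot.
    Nothing is discarded; the baseline queue keeps its normal handling."""
    promoted, baseline = [], []
    for a in alerts:
        if a.src in honeypots or a.dst in honeypots or a.src in hp_sources:
            promoted.append(a)
        else:
            baseline.append(a)
    return promoted, baseline


def honeypot_only_sources(alerts, hp_sources) -> set:
    """Sources the honeypot saw but no IDS signature fired on."""
    return hp_sources - {a.src for a in alerts}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    hp_src = honeypot_sources(SAMPLE_HONEYPOT_LOG)
    promoted, baseline = triage(alerts, hp_src)
    print(f"{len(alerts)} alerts: {len(promoted)} promoted, {len(baseline)} baseline")
    for a in promoted:
        print(f"  PROMOTED sid={a.sid} {a.src} -> {a.dst} {a.msg}")
    print("honeypot-only sources:", *map(str, honeypot_only_sources(alerts, hp_src)))
```

On the constructed data, four of six alerts are promoted on honeypot evidence alone and two stay in the baseline queue, while 203.0.113.12 appears only in the honeypot log: its TLS connection to a honeypot on 443 produced no IDS alert, which is the point about encrypted traffic. The pivot on honeypot sources is what lifts the cmd.exe alert against the production host 192.0.2.11 ahead of the otherwise identical one from 203.0.113.10.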

