IDS mailing list archives

Re: Is IDS/IPS worthless?

From: Josh Tolley <josh () raintreeinc com>
Date: Fri, 20 Feb 2004 17:30:44 -0800

Could be the result of the "IT doesn't matter" argument going around.What experience I have with network auditing has forced home the ideathat you don't know what's going on when you're not paying attention.The story is told of the little kid who draws a picture of a monster toscare the elephants away, and is convinced that it works because he seesno elephants -- it's easy to say that IDS is worthless when you aren'tpaying attention to how hacked you're becoming (and a good hacker willhide his tracks, typically, so you never know about it if you don'tlook). Anyway, I'm with you -- it's a good idea so you know what youhave to defend against.


Josh Tolley

Andrew Plato wrote:

I've noticed something lately and I wonder if anybody else has
experienced this. At a meeting recently, I was told by a number of
people that IDS/IPS is a "worthless waste of IT resources" and
"providing no real value to an organization."  The speaker at this
particular meeting challenged me to say "what business goals did the
implementation of an IDS/IPS achieve?"  I responded that an IDS gives
insight to what is happening on a network and provides critical data to
more effectively focus resources on real problems. An IPS builds a level
of trust and protection from intrusions as well as insight into the
function and behavior of a network. (Okay, it was a vanilla answer, I
admit.)

So this speaker then challenged me to come up with verifiable metrics. I

replied that he would have to define what metrics he wants? What does he
consider a "viable metric" for performance.  He said "did they sell more
products, make more money?"  I replied "why is that the only metric that
businesses can understand?  A lot of complex things go into 'making
money' and IT operations is a small part of that. Marketing, strategic
vision, and many other factors have a much more profound impact on
'making money' than a single IT security solution. However, insight into
operations and security is a critical component of IT. How do you know
you have been broken into if you don't have any mechanisms to detect
those intrusions? There is clear value in investment in locks and
security cameras, why not have similar investments into the digital

equivalents."This shut him up, for a while, but it highlighted a growing trend I am

noticing. It seems like there are a lot of people with an agenda right
now to shoot down the value of IPS/IDS technologies. IPS in particular
seems to be painted as a "marketing ploy."  I also hear the story "they
bought and IDS and it just sat in a rack and did nothing"  a lot

(usually from people who don't even know what an IDS does.)What is happening here? Anybody have any idea why there is a growing

"anti-IDS" attitude. Is it the failure of IDS to produce value in an
organization? Is the Gartner "IDS is dead" report having THAT much
affect on the industry?  Are the IDS vendors victims of their own

over-marketing? Am I a paranoid moron?I am curious to hear other people's ideas on and strategies for dealingwith these objections.___________________________________

Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 298
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D

GPG public key available at: http://www.anitian.com/corp/keys.htm

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integratessix applications for ease of use and lower TCO.


Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------


--
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integratessix applications for ease of use and lower TCO.


Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------

Current thread:

Is IDS/IPS worthless? Andrew Plato (Feb 20)
- Re: Is IDS/IPS worthless? Mike Lyman (Feb 23)
  - RE: Is IDS/IPS worthless? Fergus Brooks (Feb 23)
  - Re: Is IDS/IPS worthless? Stefano Zanero (Feb 26)
- Re: Is IDS/IPS worthless? Josh Tolley (Feb 23)
- Re: Is IDS/IPS worthless? Konrad Rieck (Feb 23)
- RE: Is IDS/IPS worthless? Brian Taylor (Feb 23)
  - RE: Is IDS/IPS worthless? Fergus Brooks (Feb 23)
    - RE: Is IDS/IPS worthless? Duston Sickler (Feb 24)
- RE: Is IDS/IPS worthless? Omar Herrera (Feb 23)
- Re: Is IDS/IPS worthless? Michael Stone (Feb 23)
- Re: Is IDS/IPS worthless? Andy Cuff (Feb 23)
  - Re: Is IDS/IPS worthless? Mike Hoskins (Feb 23)
- Re: Is IDS/IPS worthless? Olaf Gellert (Feb 23)
  - Re: Is IDS/IPS worthless? SecurIT Informatique Inc. (Feb 23)

(Thread continues...)