IDS mailing list archives
Re: Is IDS/IPS worthless?
From: "Webb Wang CS" <webb.wang () cybershieldnetworks com>
Date: Mon, 23 Feb 2004 11:53:25 -0500
Here is my 2 cents on this topic. Clearly those people who think IDS/IPS is a "worthless waste of IT resources" either have no clue how to run a successful business, or are just way behind the times on information technology. Nowadays, business operates at lightning speed with the help of information technology and the information superhighway (a.k.a. the internet). Consistently possessing business intelligence has become so critical to a business, to ensure a continuous competitive advantage in the marketplace and a complete, up-to-the-second, clear vision of what is happening to its business assets (and digital IT assets are part of that). Quoting from Sun Tzu's "Art of War": "... knowing your enemy 100% of the time, you will win your battle 100% of the time; knowing your enemy 50% of the time, you will win your battle 50% of the time; but not knowing your enemy, you are destined to fail 100% of the time ...". IPS/IDS systems are some of those tools that help a business keep in your hand a level of intelligence about your business assets, your competitors out there on the market, and your adversaries (or would-be enemies / hackers). I could not imagine a business surviving without obtaining such business intelligence.

IMHO,

Webb Wang
CSO, CyberShield Networks, Inc.
network security is all about intelligence gathering ...
www.cybershieldnetworks.com

Andrew and all,

It's funny. This has been an age-old argument in security--both in physical and information security. For the few American football fans out there, I describe it as the job of an offensive lineman. He protects the quarterback hundreds of times a game, but generally, you only get to recognize his value when he gets beat for a sack. Unfortunately, that is not how we would like to justify IDS/IPS. Good security should be transparent, invisible and should not disrupt the core business. However, like Andrew said in his post, business performance is usually measured in terms of revenue.

Sales organizations generate revenue and attain new customers. Development and engineering create the products that are used to generate revenue. Hell, even Technical Support has a business case about customer retention and satisfaction. You can see an actual product which is tied to sales. IT makes sure that the daily operations are able to happen. Security sits there silently, doing everything on the inside, but outwardly appearing to do nothing. It is very hard to measure how this positively affects revenue until something bad happens. And IMHO, a catastrophic incident should NEVER be used as a primary business case except as a last resort. Still, it is tempting to say "let's remove the IDS/IPS for a year and see what happens"... :-)

When Code Red and Nimda dropped, it was good to be able to say "we did not lose a single day of productivity, nor was our business disrupted". Other companies could not say that. But again, who publicizes such a thing? I was at an Infragard meeting and heard the worst cases from other security pros as well as CIOs, CISOs, etc... However, how often do you really get to hear things like this on a daily basis?

I remember in the warehouse days, there were safety programs initiated (after several costly accidents by the employees there). They instituted these safety awareness programs and had several prominently displayed signs that said something to the order of "45 days without an accident". This was updated daily. Did it prove that the safety program worked? Maybe. Was it some sort of way of justifying the costs and effectiveness of the program? I believe so. But we go back to the problem. Safety awareness wasn't a concern until the company lost revenue due to lost wages, workman's comp, etc. It was very easy to justify the costs of the program after something bad happened.

If I had the answer to this question, I probably wouldn't be sitting here bemoaning the fact that I forgot to play the lottery last night!! But I think we all have to agree that this is probably the biggest challenge that we face as security professionals. How do we show and justify the benefits of IDS/IPS when good security should be transparent?

Great post, Andrew. I simply wish I had a better answer to it....

--BT

-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com]
Sent: Friday, February 20, 2004 11:32 AM
To: focus-ids () securityfocus com
Subject: Is IDS/IPS worthless?

I've noticed something lately and I wonder if anybody else has experienced this. At a meeting recently, I was told by a number of people that IDS/IPS is a "worthless waste of IT resources" and "providing no real value to an organization." The speaker at this particular meeting challenged me to say "what business goals did the implementation of an IDS/IPS achieve?"

I responded that an IDS gives insight into what is happening on a network and provides critical data to more effectively focus resources on real problems. An IPS builds a level of trust and protection from intrusions as well as insight into the function and behavior of a network. (Okay, it was a vanilla answer, I admit.)

So this speaker then challenged me to come up with verifiable metrics. I replied that he would have to define what metrics he wants. What does he consider a "viable metric" for performance? He said "did they sell more products, make more money?" I replied "why is that the only metric that businesses can understand? A lot of complex things go into 'making money' and IT operations is a small part of that. Marketing, strategic vision, and many other factors have a much more profound impact on 'making money' than a single IT security solution. However, insight into operations and security is a critical component of IT. How do you know you have been broken into if you don't have any mechanisms to detect those intrusions? There is clear value in investment in locks and security cameras, why not have similar investments into the digital equivalents."

This shut him up, for a while, but it highlighted a growing trend I am noticing. It seems like there are a lot of people with an agenda right now to shoot down the value of IPS/IDS technologies. IPS in particular seems to be painted as a "marketing ploy." I also hear the story "they bought an IDS and it just sat in a rack and did nothing" a lot (usually from people who don't even know what an IDS does.)

What is happening here? Anybody have any idea why there is a growing "anti-IDS" attitude? Is it the failure of IDS to produce value in an organization? Is the Gartner "IDS is dead" report having THAT much effect on the industry? Are the IDS vendors victims of their own over-marketing? Am I a paranoid moron?

I am curious to hear other people's ideas on and strategies for dealing with these objections.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 298
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm