IDS mailing list archives
Re: ROI on IDS/IPS products
From: Jeremy Bennett <jeremyfb () mac com>
Date: Mon, 02 Mar 2009 12:09:24 -0800
On Mar 2, 2009, at 11:21 AM, Stefano Zanero wrote:
> Jeremy Bennett wrote:
>> This is a problem with the products, not the customers. The problem being that there is still too much IDS thinking inside the IPS.
>
> Funny, since an IPS is nothing more than an IDS that can drop traffic ;-)
This is true of the technology. My point is that too many IPS vendors think that just because they are using IDS technology means they need to deliver an IDS that can block.
> Yes, I'm being humorous here, but really there is not that much difference in the two things, except for the marketing and the extremely different defensive posture: an IDS hunts for higher detection rates even at the cost of some false positives, whereas IPS aim at extremely low false positive rates. However:
>
>> So, I *should* be able to purchase an IPS, read the manual, configure it according to my own risk profile, and then leave it alone. High-risk activity should be blocked. Benign traffic should be let through.
>
> And then villains should be brought over to justice, and the greater good should prevail.
An IPS can be more than an IDS with a cape and tights, yes.
> However, getting back to the real world, it doesn't work. You cannot configure "your risk profile" because there's no way on Earth to express that sensibly in a single clicky and yummy web interface. You can configure the system, activating and deactivating specific signatures, and - sorry - you WILL need to know damn well what you are doing.
>
> It is not just a problem with the products (and boy they are faulty), it IS a problem with the customers. A huge one.
Ah, reality, ok. Think for a minute about the problem and the tacit assumptions that have already been made here.
By purchasing an IPS from a vendor and enabling even *some* of the signatures for blocking I have established that I trust my vendor and I trust the signature authors to write signatures that are good enough to block an exploit or an attempt to exploit a vulnerability. Today, as you say, I make the decision to enable a signature on a signature-by-signature basis. I read the metadata in whatever form the vendor provides it; text descriptions, risk ratings, reliability ratings, categories, etc. Except in the cases of products like snort where I can go read the signature myself, I'm trusting that the metadata are correct. I'm trusting my vendor.
So, why do you consider it so far fetched that I might configure an IPS not on a signature-by-signature basis but on an application, resource, and risk basis? Clearly, this is a VERY different experience than current IPS configurations. In addition, it puts a LOT of trust into the vendor's signature authors to correctly categorize and rate their signatures based on the risk of the threat and the potential for a false positive on that particular signature. However, as I've said, this trust already exists.
What's required for my version of an IPS?

1. A vendor you can trust to reliably deliver signatures and rate them by risk and chance of false positive. (Some vendors are trying this today but they tend to suck at it in one or more of these dimensions.)

2. A product UI that would allow signatures to be applied on a resource and application basis. For example, block everything suspicious to my web farm except for web traffic. For web traffic block anything with a very low rate of false positive, alert on anything with a medium chance, and log anything with a high chance of FP. Again, some vendors have tried this but tend to miss the overall point.

3. A process on the device to regularly download the latest signature updates and apply them based on the configured policy. I think all vendors have gotten some sort of automated download and signature update process going by now. The AV vendors drove them to it.
You assert that the customer 'WILL need to know damn well what they are doing.' I assert that if the customer knew what they were doing to the degree that you imply they'd be writing their own snort rules. Sourcefire has a good product based on this and it has its place in organizations that can run it. There are many customers that will never have that expertise. They have no choice but to trust their vendor to have the expertise necessary to write signatures and clearly communicate the efficacy of those signatures. This is the bulk of the potential IPS market, those people that want something better than a firewall but can't afford to digest 100,000 events per day.
-J
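The resource-and-risk policy sketched in the message above, as an added example that is not part of the original thread: a small resolver that takes vendor-rated signature metadata (the field names `sid`, `app`, `risk`, `fp` and the sample feed are constructed assumptions, not any vendor's format), applies a per-resource ladder (block low-FP, alert medium, log high, block anything not on the expected application), and re-derives actions when an updated feed arrives.

```python
"""Risk/resource-based IPS policy resolver (illustrative, constructed data)."""

# Constructed sample of a vendor signature feed with its metadata ratings.
SIGNATURES = [
    {"sid": 1001, "app": "http", "risk": "high",   "fp": "low"},
    {"sid": 1002, "app": "http", "risk": "high",   "fp": "medium"},
    {"sid": 1003, "app": "http", "risk": "low",    "fp": "high"},
    {"sid": 2001, "app": "smb",  "risk": "high",   "fp": "high"},
    {"sid": 3001, "app": "dns",  "risk": "medium", "fp": "medium"},
]

# Policy for one protected resource (a web farm): only HTTP is expected there,
# so anything else suspicious is blocked; for HTTP the action follows the
# signature's false-positive rating.
WEB_FARM_POLICY = {
    "allowed_apps": {"http"},
    "fp_actions": {"low": "block", "medium": "alert", "high": "log"},
    "unexpected_app_action": "block",
}


def resolve(sig, policy):
    """Return block/alert/log for one signature under a resource policy."""
    if sig["app"] not in policy["allowed_apps"]:
        return policy["unexpected_app_action"]
    # An unknown or missing FP rating is treated as untrusted: log only,
    # so a badly rated signature never silently starts dropping traffic.
    return policy["fp_actions"].get(sig.get("fp"), "log")


def apply_policy(signatures, policy):
    """Map every signature id in a feed to its action for this resource."""
    return {s["sid"]: resolve(s, policy) for s in signatures}


def apply_update(current_actions, new_feed, policy):
    """Re-run the policy against a fresh vendor feed and report what changed.

    Returns {sid: (old_action, new_action)}; None marks an added or removed sid.
    This is the 'download and apply per configured policy' step, so an operator
    can review re-rated signatures before they start blocking.
    """
    new_actions = apply_policy(new_feed, policy)
    changes = {}
    for sid in set(current_actions) | set(new_actions):
        old, new = current_actions.get(sid), new_actions.get(sid)
        if old != new:
            changes[sid] = (old, new)
    return changes
```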