IDS mailing list archives

RE: IDS is out of context--was-->IDS is dead, etc


From: "Arian J. Evans" <arian.evans () bigfoot com>
Date: Mon, 11 Aug 2003 22:13:10 -0500

Scott and Bennet (et al),

First--sorry for bounces; Bigfoot killed my account again for some
unknown reason, so if you reply please leave my work address on
the cc: line. My $0.01 USD (deprecated to reflect market value):

I think we're leaving certain contexts out. As in:

# world.  The number of systems that are backdoored -- today, and the
# number of non-public vulnerabilities and exploits is slightly disturbing.

There's a definite value for IDS there at a high level. Though they don't
want to be called NIDS, Securify, Lancope, Mazu, Arbor, and probably
some others provide definite answers here. Profile and policy your network,
monitor for non-compliance (yes, I'm very aware of all the "ifs", "ands",
and "buts" in accurately profiling your network, but it is very do-able).

If the malicious activity (backdoor, etc.) is low and slow, or running through
allowed channels (e.g. a covert channel runs across public-infrastructure-sourced
HTTP and all public HTTP is allowed to and from that asset by your defined
policy...) then obviously you won't catch it. But there's good odds it's not
normal and some deep protocol inspection will catch it.

# Perhaps the most disturbing is that the bar is really only raised for
# the script kiddies; they never posed a substantial risk anyway.

Depends on who you are and to whom you are referring. Take
smaller, less security-savvy organizations that do not have sound
backup procedures. Script Kiddie + remote root + rm = substantial
impact. That sort of stuff happens all the time.

In those contexts, the risk is high and so is the impact. We have
customers who still need help properly configuring a firewall, and
for whom NIDS/HIDS/SEMs are mostly shelfware.

You can find the same conceptual issue in large <=F500 corporations
where fw and NIDS are run by different groups, and a third is responsible
for patch management/OS, etc. IDS in that context becomes (a) a
way of keeping score, and (b) a way of detecting when incidents occur
b/c some other group didn't do their job properly.

# I really like your description of NIDS as AV scanners for the network.
# That's classic.  Although, some will argue that the more behavioral
# oriented NIDS have moved past that point.

That's a common (and apt) comparison. Actually, think about the
evolution AV went through in the early VX days, and why AV vendors
came up with heuristic engines (read up on the Russian VX lists back
around '97 or so, regarding techniques they were using to evade virus
scanners; dynamic memory offsets and such). The signature + behavior
AV approach is exactly (IMO) what is going on w/NIDS.

# A good NIDS is an invaluable tool for network managers.

Actually, if you want trending and analysis, pretty reports for CYA and
budget justification, etc. (which is what I think you meant here), then
the myriad of SEMs are probably more useful; they can build a wider
picture. (e.g. netForensics, Arcsight, Guarded.net, eSecurity, NI, etc., etc.)

But I see and agree. There's a more systemic issue here, which I'm
going to discuss later in a response to Marty's email.

# But, a NIDS is not the security "solution" that they are marketed as.

Hmmm, I have got to disagree. Back to context. If we were talking about
my home network, for instance, I'd have to agree. Every host is hardened
(except the bastion ;). I've got Snort piping data into a SQL2k database,
and all it's useful for is learning. (anyone know of a good open source tool
for sucking snort data out of SQL 2000 and charting it? I'm too lazy to
write my own queries and html or excel it....)

If I based my thoughts on NIDS off of my home network, or work network,
or networks that likely you have built and maintained, that would be a
biased sample, b/c we already *get it*. (err, I hope...)

There are still plenty of people who don't get it, who need an alarm system
to help counter the mistakes they make. They don't realize they left the
door unlocked, so they need to know when someone wanders in their
back door after midnight...even though it's a well-known attack. (sorry,
best I could come up with).

Or, again, there's that situation of distributed responsibility; we all know
that in certain excessively political and bureaucratic organizations, groups
don't always communicate and/or work together effectively. IDS are
part audit tool and part genuine incident detector in those environments.

I could give you tons of specific examples, but I'm trying to avoid the
"email of anecdotal evidence" approach.

Thanks for all the stimulating dialogue, Cheers,

Arian J. Evans
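The "profile and policy your network, monitor for non-compliance" approach from the post above, as an added example in plain Python; this is not code from the post or from any of the vendors it names. The site layout (10.0.0.0/8 internal, 10.0.1.10 as a public web server), the policy rules and every flow record are constructed for illustration. It goes one step beyond the text by adding a crude volume check against the learned baseline, so that the post's caveat (a covert channel riding an allowed HTTP channel passes the policy check) is visible, and one way a second, behavioral layer can still raise it.

```python
"""Profile-and-policy compliance monitoring over flow records.

Added example, not from the mailing-list post or any product named in it.
Every address, rule and flow below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    bytes_out: int  # bytes sent by src


@dataclass(frozen=True)
class Rule:
    asset: str      # CIDR of the asset(s) the rule covers
    proto: str
    dport: int
    direction: str  # "in": connections to the asset; "out": connections from it


# Hypothetical site: 10.0.0.0/8 is internal, 10.0.1.10 is a public web server.
INTERNAL = ip_network("10.0.0.0/8")

# Explicit, human-written policy (constructed).
POLICY = [
    Rule("10.0.1.10/32", "tcp", 80, "in"),    # web server accepts HTTP
    Rule("10.0.1.10/32", "tcp", 443, "in"),   # ...and HTTPS
    Rule("10.0.1.10/32", "tcp", 80, "out"),   # ...and may talk HTTP outbound
    Rule("10.0.1.0/24", "udp", 53, "out"),    # any internal host may resolve DNS
]


def flow_keys(flow):
    """Describe a flow from each internal endpoint's point of view as
    (asset_ip, proto, dport, direction); transit traffic yields no keys."""
    keys = []
    if ip_address(flow.dst) in INTERNAL:
        keys.append((flow.dst, flow.proto, flow.dport, "in"))
    if ip_address(flow.src) in INTERNAL:
        keys.append((flow.src, flow.proto, flow.dport, "out"))
    return keys


def matches_policy(key, policy):
    asset, proto, dport, direction = key
    return any(
        ip_address(asset) in ip_network(r.asset)
        and r.proto == proto and r.dport == dport and r.direction == direction
        for r in policy
    )


def learn_profile(baseline):
    """Profile = every (asset, proto, port, direction) seen during a trusted
    baseline period, mapped to the largest bytes_out observed for it."""
    profile = {}
    for flow in baseline:
        for key in flow_keys(flow):
            profile[key] = max(profile.get(key, 0), flow.bytes_out)
    return profile


def find_noncompliant(flows, policy, profile, volume_factor=10):
    """Return (flow, reason) pairs. A flow is non-compliant when no internal
    endpoint's view of it is allowed by policy or present in the profile.
    A flow that is allowed but moves far more data than the baseline ever
    saw on that channel is reported as a volume anomaly instead."""
    findings = []
    for flow in flows:
        keys = flow_keys(flow)
        if not keys:
            continue
        allowed = [k for k in keys if matches_policy(k, policy) or k in profile]
        if not allowed:
            findings.append((flow, "not in policy or profile"))
            continue
        limit = max((profile.get(k, 0) for k in allowed), default=0)
        if limit and flow.bytes_out > volume_factor * limit:
            findings.append((flow, "volume anomaly on allowed channel"))
    return findings


# Constructed baseline (trusted period) and later observations.
BASELINE = [
    Flow("198.51.100.5", "10.0.1.10", "tcp", 80, 900),
    Flow("10.0.1.10", "203.0.113.4", "tcp", 80, 2000),
    Flow("10.0.1.20", "10.0.1.2", "udp", 53, 120),
    Flow("10.0.1.20", "10.0.1.30", "tcp", 445, 40000),   # file share, learned only
]
OBSERVED = [
    Flow("198.51.100.7", "10.0.1.10", "tcp", 80, 1200),       # policy: ok
    Flow("10.0.1.10", "203.0.113.9", "tcp", 80, 5_000_000),   # allowed channel, huge
    Flow("10.0.1.20", "203.0.113.9", "tcp", 6667, 3000),      # unknown outbound
    Flow("10.0.1.20", "10.0.1.30", "tcp", 445, 35000),        # profile: ok
    Flow("198.51.100.7", "10.0.1.20", "tcp", 22, 800),        # unknown inbound
]


def report():
    return find_noncompliant(OBSERVED, POLICY, learn_profile(BASELINE))


if __name__ == "__main__":
    for flow, reason in report():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The policy layer alone would pass the 5 MB outbound HTTP flow from the web server, exactly the blind spot the post describes; only the comparison against what that channel normally carries reports it, and a real deployment would use protocol inspection or a proper statistical baseline rather than a fixed multiplier.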

