Gartner comments (was Re: Rather funny; looks like page defacement to me)

[Randy Taylor <gnu () charm net>]

At 11:29 AM 6/13/2003 -0400, Anton Chuvakin wrote:
> All,
>
> This link posted on the snort site. I figured I'd send it to the list,
> since its a fascinating read.
>
> http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

<snipped>

My two cents or less, depending on your point of view. ;)

I'll stick with the Gartner web page text.

"False positives and negatives"

All IDS systems produce falses. In fact, all network security
devices can false, not just IDS. I've seen many AV falses while it
monitors my inbox.

"An increased burden on the IS organization by requiring full-time monitoring
(24 hours a day, seven days a week, 365 days a year)"

This requirement isn't restricted to IDS. It also applies to firewalls.
All of the enterprise-level customers I work with had 24x7x365
firewall monitoring long before they deployed their first IDS. Sorry
Gartner, you really missed the boat on this one.

"A taxing incident-response process"

Reading into this somewhat, it sounds like Gartner is angling
toward the "set and forget", or "zero-admin" pitch. Ain't gonna
happen - ever. Nor should it. Humans must always be in the
security process loop. There are numerous guides out there
for developing and/or improving incident response processes.
And again, IR applies to all security devices, not just IDS.
How much IR had to be done as the result of the "I love you"
stuff? And that was AV IR, not IDS. And because humans
must be in the loop, they must be trained and trained well.
Sorry business - cough up the bucks and get it done. If there's
any lesson from 9/11 it's that one can't afford not to protect
anything - from the parking lot to the network head-end. I
would like to think no company in its right mind would rely on
totally automated physical security. Think of the risks there.
Network security is no different.

"An inability to monitor traffic at transmission rates greater than 600
megabits per second"

True right now for IDS that operates purely as software relying on generic
hardware platforms and a supporting third-party OS. False right now for
IDS that are embedded in hardware/firmware. One has to wonder
if Gartner looked at OSEC testing results on the Neohapsis
site ?
One also has to ask how much of a market is there for speeds
above OC-48? In a conversation with a friend of mine a couple
of weeks ago, I offered the enterprise-side position of "we have
to monitor an OC-192 pipe" as a baseline. My friend countered
with the position that there's a lot more 100Base-TX lines out
there than fiber. My friend was right. Installed base as a market
driver trumps "faster is better" every time.
One also has to look at what's going to happen to a fat fiber pipe
when it hits the head-end. It gets split into smaller pipes - heh -
just like copper pipes. So that OC-192 gets stepped down to
several OC-18's or OC-12's. How far away from 600 Mbps is
an OC-12? 22.080 MHz. By the time you strip out the overhead
rate, OC-12 payload rate is 601.344 MHz.
Will pure software IDS always be unable to operate above
600 Mbps? No. Is embedded IDS better simply because of it's
ability to handle higher speeds? No. It's a cost/benefit analysis,
a features/performance analysis, etc.
Will everyone have fiber to the desktop by '05? Your guess
is as good as mine, but I would be willing to bet software IDS
will be able to handle OC-18 or OC-24 by then.

"Gartner recommends that enterprises redirect the money they
would have spent on IDS toward defense applications such as those
offered by thought-leading firewall vendors that offer both network-level
and application-level firewall capabilities in an integrated product.
Intrusion detection systems are a market failure, and vendors are now
hyping intrusion prevention systems, which have also stalled," said Richard
Stiennon, research vice president for Gartner. "Functionality is moving into
firewalls, which will perform deep packet inspection for content and malicious
traffic blocking, as well as antivirus activities."

Here I think Gartner is on the correct path, at least in part. Quoting
Bill Royds in an earlier post, "...an IPS is really a firewall with 
dynamically
generated rule set." Unfortunately, the supporting evidence for Gartner's
statement that IPS has stalled is missing. Wanting to call
IPS an integration of IDS into a firewall or an integration of a firewall
into an IDS is so much semantics and depends on the vendor doing
the market spin. For instance, Checkpoint might call it an integration
of IDS into its firewall, while IntruVert might call it an integration
of firewall capabilities into its IDS. It sounds to me like the message spun
by firewall vendors stuck with Gartner while the message spun by
IPS vendors didn't.

IDS is no longer in its infancy - late adolescence perhaps - but neither
infancy nor adulthood. Firewalls have been around for a longer period
of time, so perhaps they are perceived by Gartner as more mature.
But firewalls are relatively simple systems compared to IDS. In my
opinion, IPS - whether firewall+IDS or IDS+firewall, is a worthwhile path
going forward. The trick to success will be the capability to very
accurately detect an incident. Do that with a very low false rate
and reliable response is possible. But I'd be willing to bet the
device making those decisions will require tuning and trained staff
to monitor it, maintain it, and respond to incidents. ;)

Finally, Gartner itself is a vendor, selling its product, too. Because
of that, it is itself a hype machine and should include itself in its
own "Information Security Hype Cycle". And to get to the meat
of their "Hype Cycle" papers, guess what? You gotta pay for it.

All in all, Gartner's text is just another case of a vendor "hollering
the loud, funny words". "..sound and fury, signifying nothing" may
also apply here as well, but the really sad part is that a lot of
companies treat Gartner as gospel.

Best regards,

Randy

-----
"Nor does it do anything to make lemons bigger or encourage owls to explode."
  --- MartinG on /. ---





-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------