IDS mailing list archives
Re: Recent anti-NIDS Gartner article
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 17 Jun 2003 17:16:16 -0700
Ron Gula writes:

> Gartner has the basic point right, that NIDS are time-consuming and don't
> automatically stop attacks, but their facts and conclusions are all wrong.
>
> - Most large organizations don't even look at their firewall logs
> - if NIDS have failed us, then Gartner should have lumped in the ESM/SIM
>   guys which are primarily NIDS correlation tools
> - the article will cause NIDS vendors to quickly rename their products as
>   'NIPS' or 'Defensive' systems which will confuse the less sophisticated
>   buying public
>
> Bottom line: I think the article will have an acceleration on the demise
> of the CSO role and the idea of a separated 'security' staff. Firewalls
> used to be run by the security guys, now it is the network engineering
> folks. Virus was run by security as well until it went to IT. Now if the
> FW guys can do something close to IDS, why have an expensive group of
> security analysts around.

I think this will probably be true for the short to intermediate term[0].

After that.... Well, back when I was active on the SAGE Certification Policy Committee, people used to ask me why I was working on a certification project, seeing as I don't hold any (IT/IS) certifications myself. I'd explain that there are two futures I can see for the IT professions.

One is that we generally get better at self-regulating, setting our own guidelines for best practises and minimum standards. Professional organisations (like, for example, SAGE) become leaders in promulgating such guidelines[1], and everything gets slowly better. This is the Mom 'n Apple Pie scenario.

The other outcome is the Gritty, Post-Apocalyptic scenario. We, as an industry, don't learn from our mistakes and experiences, and things continue to slide down the slope of increasing risk, responsibility, and dependence with no corresponding increase of oversight, professionalism, and tradecraft. Then something Really Bad happens. A Fortune n company falls over because of some unintentional disclosure/data tampering incident. A power grid gets owned. A stock exchange goes offline for 72 hours. Then the TLAs step in to clean things up. And never leave. You can't sell a cheeseburger or repair a transmission without a permission slip from the government, and pretty soon you can't operate a keyboard or pull a disk without appropriate sanction.

Whenever I see someone (like the Gartner Group) encouraging the industry to hold its ground by burying its collective head in it, I think of the apocalyptic scenario.

Thing is, I can't really fault many of the posits of the report; just the conclusions[2]. The thing that I find surprising (from a strictly factual, rather than political, standpoint) is what's missing. If the fact that current NIDS products don't offer much ROI to the average consumer is a revelation, how about:

- The fact that firewalls have had an effect on recent large-scale infosec incidents that approaches zero
- The fact that antivirus software[3] has had an effect on recent large-scale infosec incidents that approaches zero
- The fact that increasing numbers of Cisco-, MicroSoft-, and SANS-certified quote professionals unquote have had an effect on recent large-scale infosec incidents that approaches zero

To say nothing of the fact that, for example, CNN has been better at reporting developing infosec events (like the spread of a new worm) than resources ostensibly devoted to such news[4].

In other words, although I agree that current NIDS technology isn't the Holy Grail that some vendors are pandering it as, falling back to a reliance on firewalls (and more of 'em) doesn't look plausible as the next sangreal du jour. The fact that Gartner holds it up as one suggests a far greater GCE than their (fairly accurate) criticism of NIDS technologies. And the suggestion that -existing- technologies rather than developing ones are where we should be looking for improvements in network and information security is pernicious nonsense whose credibility the entire history of modern information security impeaches.

-spb

-----

[0] Mod events more than three sigma outside the mean.

[1] But not necessarily -defining- them; see, for example, the SAGE job descriptions, which are just that: descriptive rather than proscriptive.

[2] Which, frankly, aren't that surprising considering who Gartner's audience is (and therefore where their money comes from).

[3] And the underlying model of relying on a central oracle to discover bad things and tell you how to discover them -after- they start affecting other people but (hopefully) -before- they affect you.

[4] Bugtraq continues to be one of the best places to hear about new exploits and trends, of course; odd that the SecurityFocus news page is not.