IDS mailing list archives

Re: Recent anti-NIDS Gartner article


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 17 Jun 2003 17:16:16 -0700


Ron Gula writes:

> Gartner has the basic point right, that NIDS are time-consuming and
> don't automatically stop attacks, but their facts and conclusions
> are all wrong.
> - Most large organizations don't even look at their firewall logs
> - if NIDS have failed us, then Gartner should have lumped in the
>   ESM/SIM guys which are primarily NIDS correlation tools
> - the article will cause NIDS vendors to quickly rename their
>   products as 'NIPS' or 'Defensive' systems which will confuse
>   the less sophisticated buying public
> Bottom line: I think the article will have an acceleration on the
> demise of the CSO role and the idea of a separated 'security'
> staff. Firewalls used to be run by the security guys, now it is
> the network engineering folks. Virus was run by security as well
> until it went to IT. Now if the FW guys can do something close
> to IDS, why have an expensive group of security analysts around.

I think this will probably be true for the short to intermediate
term[0].  After that....

Well, back when I was active on the SAGE Certification Policy Committee,
people used to ask me why I was working on a certification project, seeing
as I don't hold any (IT/IS) certifications myself.  I'd explain that
there are two futures I can see for the IT professions.
One is that we generally get better at self-regulating, setting our
own guidelines for best practices and minimum standards.  Professional
organisations (like, for example, SAGE) become leaders in promulgating
such guidelines[1], and everything gets slowly better.  This is the Mom 'n
Apple Pie scenario.

The other outcome is the Gritty, Post-Apocalyptic scenario.  We, as an
industry, don't learn from our mistakes and experiences, and things
continue to slide down the slope of increasing risk, responsibility, and
dependence with no corresponding increase of oversight, professionalism,
and tradecraft.  Then something Really Bad happens.  A Fortune n
company falls over because of some unintentional disclosure/data tampering
incident.  A power grid gets owned.  A stock exchange goes offline for 72
hours.  Then the TLAs step in to clean things up.  And never leave.  You
can't sell a cheeseburger or repair a transmission without a permission
slip from the government, and pretty soon you can't operate a keyboard
or pull a disk without appropriate sanction.

Whenever I see someone (like the Gartner Group) encouraging the industry
to hold its ground by burying its collective head in it, I think of the
apocalyptic scenario.  Thing is, I can't really fault many of the
posits of the report;  just the conclusions[2].  The thing that I
find surprising (from a strictly factual, rather than political,
standpoint) is what's missing.  If the fact that current NIDS products
don't offer much ROI to the average consumer is a revelation, how about:

        -The fact that firewalls have had an effect on recent large-scale
         infosec incidents that approaches zero
        -The fact that antivirus software[3] has had an effect on recent
         large-scale infosec incidents that approaches zero
        -The fact that increasing numbers of Cisco-, MicroSoft-, and
         SANS-certified quote professionals unquote have had an effect on
         recent large-scale infosec incidents that approaches zero

To say nothing of the fact that, for example, CNN has been better at
reporting developing infosec events (like the spread of a new worm) than
resources ostensibly devoted to such news[4].

In other words, although I agree that current NIDS technology isn't
the Holy Grail that some vendors are pandering it as, falling back to
a reliance on firewalls (and more of 'em) doesn't look plausible as
the next sangreal du jour.  The fact that Gartner holds it up as one
suggests a far greater GCE than their (fairly accurate) criticism of
NIDS technologies.  And the suggestion that -existing- technologies
rather than developing ones are where we should be looking for improvements
in network and information security is pernicious nonsense whose
credibility the entire history of modern information security impeaches.


-spb

-----
0       Mod events more than three sigma outside the mean.
1       But not necessarily -defining- them;  see, for example, the
        SAGE job descriptions, which are just that:  descriptive rather
        than proscriptive.
2       Which, frankly, aren't that surprising considering who Gartner's
        audience is (and therefore where their money comes from).
3       And the underlying model of relying on a central oracle to
        discover bad things and tell you how to discover them -after-
        they start affecting other people but (hopefully) -before- they
        affect you.
4       Bugtraq continues to be one of the best places to hear about
        new exploits and trends, of course;  odd that the SecurityFocus
        news page is not.

