IDS mailing list archives

RE: Recent anti-NIDS Gartner article


From: "Hall, Andrew (DPRS)" <AndrewR.hall () aph gov au>
Date: Thu, 19 Jun 2003 09:13:46 +1000


Question - how many SOHO or SME clients have the money to purchase both a
suitable inline IDS and pay to have a suitable admin set it up and
maintain it?  They are either going to end up with a very open sig set
which is really adding little functionality or a sig set which will
block heaps of legitimate traffic.

I argue that a traditional IDS gives you three main things ... Trending,
forensics and event notification ... All of which an SME/SOHO client
will not be able to take advantage of.  They probably will not look at
the events/logs themselves, or understand them for that matter.  Again,
they will not spend the $$ to have someone else come in and interpret
the logs either.  Chances are as well that they will not even keep
their logs so there is little forensic and post event analysis possible.

IDS vendors need to target those markets which will spend the time and
money to do IDS properly ... And I do not believe that the SOHO/SME
market is a suitable market for this.  

If the SOHO/SME market truly wants IDS then they should look to the
managed security provider.  I argue that the future for IDS is with MSPs
/ large gateways who have the economy of scale in deployment,
monitoring, skill sets and vendor relationships.  It is in these MSP /
large gateway environments that sniff and tap IDSs will still be of use
for gathering data used for trending and forensic purposes - and who
have the power to analyse and produce something useful from these tools.

Overall, I argue that the technology is still a fair way off until you
could safely drop an inline IDS into a relatively unmanaged network and
expect it would work with little money and little administration costs.

Andrew


-----Original Message-----
From: Srinivasa Rao Addepalli [mailto:srao () intotoinc com] 
Sent: Thursday, 19 June 2003 4:05 AM
To: Srinivasa Rao Addepalli; focus-ids () securityfocus com
Subject: Re: Recent anti-NIDS Gartner article


After seeing this article, I got several requests on what I think about
this article (press release) and applicability of IDSes in different 
market segments. So, I thought I would expand on my previous email.

IDSes which sniff or tap off the network have several disadvantages:
- They might miss detection of exploits/attacks/intrusions.
- There are too many ways to bypass detection.
- They need expensive hardware for good performance and detection rate. Due
to this, these might not survive in SOHO and SME market segments.

But, I feel Inline IDSes are a good bet for SOHO and SME segments and since
all the traffic passes through this, there is no issue of missing
packets or data.  I also think that when enhanced with protection
(dropping packets or connection) capability, they are more attractive
to this market segment. Today, IDSes can be configured to inform
Firewall, but I don't think anybody seriously thinks that this solves
all the problems. Having protection capability within the IDS provides
more control or accurate protection.

My opinion is that 'tap or sniff IDSes' may not survive longer (except
in some minor market segment) and they will probably be replaced
with Inline IDSes OR Inline IDS/IPSes.

Srini
Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message ----- 
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 17, 2003 8:32 PM
Subject: Recent anti-NIDS Gartner article


One of the primary goals of IDSes (inline or otherwise) is to detect
the intention of intrusions. Yes, it is true that a firewall with
application intelligence protects the servers and infrastructure and
they are needed as part of a comprehensive security solution.

I understand from the report that more resources in the IS department are
required to analyze the attacks. It is also true that today IDSes
generate too many logs which turn out to be either false positives OR
logs that are not applicable for that environment. Unless these
problems are fixed, IDSes will die out over time.

IDS technology has greatly improved in recent times with more and more
IDS products coming out with application intelligence. These reduce
the false positives. But the other problem that needs to be fixed is
specific to the deployment environment. IDSes should be flexible enough to be
tunable by the users, such as deletion of unwanted signature rules,
modification of signature rules, setting up typical characteristics of
traffic etc. This might sound like a need for IT resources, but the
effort it takes to analyze unwanted logs is significantly higher.


Thank you for your time.
Srini



Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
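The three tuning operations Srini's original post asks for (deleting unwanted signature rules, modifying rules with a threshold, and describing the site's typical traffic so expected noise is not alerted on) can be expressed as a small site policy applied to raw alerts. The following is an added example written for this archive page, not code from either poster or from Intoto; the alert lines, signature ids and the key=value alert format are constructed for the illustration and do not correspond to any real product's output.

```python
from collections import Counter

# Constructed sample alerts in a simple key=value format (not real IDS output).
SAMPLE_ALERTS = """\
sid=2001 msg=ICMP_PING src=10.0.0.7 dst=10.0.0.1
sid=2001 msg=ICMP_PING src=10.0.0.7 dst=10.0.0.2
sid=2001 msg=ICMP_PING src=203.0.113.9 dst=10.0.0.1
sid=3105 msg=SMTP_RELAY src=198.51.100.4 dst=10.0.0.25
sid=3105 msg=SMTP_RELAY src=198.51.100.4 dst=10.0.0.25
sid=3105 msg=SMTP_RELAY src=198.51.100.4 dst=10.0.0.25
sid=4410 msg=IIS_UNICODE src=198.51.100.8 dst=10.0.0.80
sid=4410 msg=IIS_UNICODE src=198.51.100.8 dst=10.0.0.80
""".splitlines()

# Hypothetical site-specific tuning policy, one entry per tuning operation.
POLICY = {
    "disabled_sids": {4410},        # deletion: no IIS at this site, rule is pure noise
    "thresholds": {3105: 3},        # modification: alert once after N hits per source
    "monitor_hosts": {"10.0.0.7"},  # typical traffic: the monitoring box pings everything
    "monitor_sids": {2001},         # ...so its pings are expected, not suspicious
}

def parse_alert(line):
    """Turn one key=value alert line into a dict with an integer sid."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["sid"] = int(fields["sid"])
    return fields

def tune_alerts(lines, policy):
    """Apply the policy and return only the alerts an analyst should still see."""
    counts = Counter()
    kept = []
    for line in lines:
        alert = parse_alert(line)
        sid, src = alert["sid"], alert["src"]
        if sid in policy["disabled_sids"]:
            continue                      # rule deleted for this environment
        if sid in policy["monitor_sids"] and src in policy["monitor_hosts"]:
            continue                      # expected traffic from a known source
        counts[(sid, src)] += 1
        limit = policy["thresholds"].get(sid, 1)
        if counts[(sid, src)] == limit:   # emit exactly once, when the threshold is reached
            kept.append(alert)
    return kept

def noise_fraction(lines, kept):
    """Share of raw alerts the policy suppressed, to judge whether tuning paid off."""
    return 1 - len(kept) / len(lines)
```

Running `tune_alerts(SAMPLE_ALERTS, POLICY)` on the constructed input reduces eight raw alerts to two worth reading: the external ping and the repeated relay attempts.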



