IDS mailing list archives

RE: IDS is dead, etc


From: "Roger A. Grimes" <rogerg () cox net>
Date: Thu, 19 Jun 2003 13:53:20 -0400

Excellent points.

What perplexes me more is how firewalls solve #1 or #2 even better than
IDSs?  Most firewall logs are just as tough to decipher as IDSs.

(Note:  If you're a firewall administrator and your logs are only full of
real threats, let me know so I can get you on InfoSec's version of Oprah.)

Automated security analytics is a tough animal, I don't care what the system
is.  Even honeypots, which are often touted because "any traffic to the
honeypot is malicious", can suffer from false positives, albeit not as much.
Note that many existing and forthcoming log-analysis packages interact with
firewalls and IDSs, not just IDSs.

Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
***************************************************************************


-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Thursday, June 19, 2003 11:57 AM
To: focus-ids () securityfocus com
Subject: IDS is dead, etc


Just to throw my hat into the ring on this topic in this particular
forum, I thought I'd comment. (like I don't get enough email as it
is...)

Boiling the Gartner report down, here are my takeaways:

1) IDSes produce too many false positives (i.e. the quality of the
information they produce is low)

2) IDSes produce too much data (i.e. the quantity of information they
produce is high)

3) There is no solution to these problems, therefore IDS is dead and we
should all buy in-line IPS, er, "deep content inspection firewalls"!

So, is there any way to make the quality of data coming out of the IDS
higher while at the same time diminishing the amount of information
generated?  We've been talking about this exact topic on this list since
1999 on and off and I think all the IDS vendors have ideas how to
achieve this goal by integrating network maps and host/service
identification into the IDS's world view.  If those ideas should
actually make their way to market, would that make the systems more
useful?  I believe so.  (At this point I usually pitch Sourcefire, but
I'll spare you all.)

IDS is all about giving people awareness of what's happening on their
networks independent of the network management picture or the other
security infrastructure.  Deploying security infrastructure without
having a mechanism to monitor that infrastructure's behavior and
efficacy is like rolling out a spacecraft with all of the telemetry
systems removed: it may be doing its job, but when something goes wrong
(and it will) you will be relying on data coming out of failed/bypassed
systems to try to effect repairs.

The whole "ASICs will save us all" part of the argument is where I
really start scratching my head.  How do ASICs, which tend to exchange
flexibility for performance, suddenly become these hyperintelligent
application layer analysis devices with enough flexibility to evolve
with the relatively rapid changes in the application protocols?  NPUs I
can see, but ASICs really don't seem like an appropriate solution here.
I believe wishful thinking might be driving this line of argument...

Finally, we have the "if you can detect the attacks, why don't you just
prevent them?!?!?" argument.  What happens if I can't be 100% certain
about the attack?  Blocking attacks is an all-or-nothing proposition: if
you're wrong, you're 100% wrong and you just DoSed yourself.  What are the
chances that large enterprise networks are going to trust their critical
infrastructure to that kind of system?

Anyway, I hope that wasn't too much of a rehash of other people's
thoughts and you guys found it somewhat insightful.  Obviously I think
Gartner is being inflammatory and creating their own hype cycle, but
I've got a vested interest in this technological field.  I believe that
noisy, inaccurate IDS is definitely dying due to a number of factors,
but it's the vendors/developers themselves that are killing it.


     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
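Added example, not part of the thread and not Snort or Sourcefire code: a small Python triage pass that applies the idea Marty describes above, feeding a host/service map into the IDS's world view so that an alert for a service the target does not run is suppressed rather than paged out. The Snort "fast" alert layout is real; the alert lines, the host inventory (HOST_MAP) and the signature-to-target-service table (SIG_TARGET, with made-up signature IDs) are all constructed for the demo. Hosts absent from the map are kept as "unknown" rather than guessed at, which is the caveat that matters if you ever feed this to an in-line blocker.

```python
"""Target-aware filtering of Snort-style alerts against a host/service map.

Added example for the "IDS is dead" thread; not code from Snort/Sourcefire.
All data below (alerts, host map, signature metadata, sids) is constructed.
"""
import re
from collections import Counter

# Constructed host/service inventory, the sort of thing a network map or
# passive fingerprinting would supply.  services: listening port -> daemon.
HOST_MAP = {
    "192.168.1.10": {"os": "linux",   "services": {80: "apache", 22: "openssh"}},
    "192.168.1.20": {"os": "windows", "services": {80: "iis", 445: "smb"}},
    "192.168.1.30": {"os": "linux",   "services": {25: "sendmail"}},
}

# Hypothetical signature metadata: which target service the rule exploits.
# The sids here are made up; real rule sets carry this in rule metadata.
SIG_TARGET = {
    "1:1001": "iis",      # WEB-IIS unicode directory traversal attempt
    "1:1002": "apache",   # WEB-MISC apache chunked-encoding overflow
    "1:1003": "openssh",  # EXPLOIT ssh CRC32 overflow attempt
    "1:1004": None,       # SCAN nmap TCP: no dependency on a target service
}

# Constructed lines in Snort "fast" alert format.
SAMPLE_ALERTS = [
    "06/19-11:57:01.000001  [**] [1:1001:3] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43210 -> 192.168.1.10:80",
    "06/19-11:57:02.000002  [**] [1:1001:3] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43211 -> 192.168.1.20:80",
    "06/19-11:57:03.000003  [**] [1:1002:2] WEB-MISC apache chunked-encoding overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.6:50001 -> 192.168.1.20:80",
    "06/19-11:57:04.000004  [**] [1:1003:5] EXPLOIT ssh CRC32 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:50002 -> 192.168.1.30:22",
    "06/19-11:57:05.000005  [**] [1:1004:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.0.0.8:50003 -> 192.168.1.30:25",
    "06/19-11:57:06.000006  [**] [1:1002:2] WEB-MISC apache chunked-encoding overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.6:50004 -> 10.9.9.9:80",
    "06/19-11:57:07.000007  [**] [1:1001:3] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43212 -> 192.168.1.10:80",
]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Parse one fast-format alert line; return a dict or None if unparseable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["dport"] = int(alert["dport"])
    return alert


def classify(alert, host_map=HOST_MAP, sig_target=SIG_TARGET):
    """Return 'actionable', 'suppressed' or 'unknown' for a parsed alert.

    suppressed: the map says the target cannot be vulnerable (wrong daemon,
                or nothing listening on that port).
    unknown:    no map entry for the target; keep the alert, do not guess.
    """
    wanted = sig_target.get(alert["sid"])
    if wanted is None:                       # signature is service-agnostic
        return "actionable"
    host = host_map.get(alert["dst"])
    if host is None:
        return "unknown"
    running = host["services"].get(alert["dport"])
    if running is None:
        return "suppressed"
    return "actionable" if running == wanted else "suppressed"


def triage(lines, host_map=HOST_MAP, sig_target=SIG_TARGET):
    """Bucket alert lines by verdict; unparseable lines are dropped."""
    buckets = {"actionable": [], "suppressed": [], "unknown": []}
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            buckets[classify(alert, host_map, sig_target)].append(alert)
    return buckets


def summarize(lines, host_map=HOST_MAP, sig_target=SIG_TARGET):
    """Counter of verdicts, i.e. how much the map cut the alert volume."""
    return Counter({k: len(v) for k, v in triage(lines, host_map, sig_target).items()})


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for verdict, alerts in result.items():
        print(f"{verdict:11s} {len(alerts)}")
        for a in alerts:
            print(f"    {a['sid']} {a['src']} -> {a['dst']}:{a['dport']}  {a['msg']}")
```

On the seven constructed lines this leaves two actionable alerts (the IIS traversal aimed at the IIS box, and the scan, which has no service dependency), suppresses four, and holds one as unknown because 10.9.9.9 is not in the map. That last bucket is the point of Marty's telemetry argument and Roger's firewall-log remark: context only buys you quality where you actually have it, and an in-line device that treated "unknown" as "safe to drop" would be making the all-or-nothing bet the original post warns about.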



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------



