RE: Recent Gartner IDS/IPS report

["Andre Yee" <ayee () nfr com>]

As an IDS/IPS vendor, the problem we have with Gartner's report is
threefold.

First, it is an example of gross over-simplificiation to say if "you can
detect it, why not prevent it".  There some types of attacks that can be
stopped on the fly such as a known virus/worm attachments over SMTP but
stealth insider attacks are typically not detected with sufficient fidelity
so as to prevent it on the fly..which leads to my next point, there's still
value in knowing that suspicious and possibly malicious activity is taking
place. Gartner has chosen to ignore the value of security monitoring and
auditing which is part of any well-formed security strategy

Finally, leading IDS vendors, including NFR are actually providing
facilities to lower false positives by offering both passive and active
mapping features that result in a "smarter" IDS.  If Gartner would keep an
open mind, they would view this as significant progress.

Of course, I have a prediction of my own -

How about.the demise of current generation industry analysts by 2005.
Reason?  Excessive false positives and lack of corporate value.  They will
be supplanted next-gen analysts who will deliver outrages claims with no
loss of performance.   After all, if you can make stuff up, why bother with
thoughtful analysis. :-)
 
Andre Yee
NFR Security, Inc. 


-----Original Message-----
From: Avi Chesla [mailto:avic () V-Secure com] 
Sent: Thursday, June 19, 2003 4:07 AM
To: focus-ids () securityfocus com
Subject: RE: Recent Gartner IDS/IPS report

Hi,

I agree with Gartner's statement, that the next generation of security
products will integrate automatic prevention capabilities into their
systems. This is already happening (IPS - Intrusion Prevention Systems) and
my opinion is that this reflects the market's needs currently and in the
future.

Why is that?

The increasing value of the Internet have raised the demands for faster
security solutions and, most importantly, automatic active devices that can
provide proper countermeasures to the attacks.  Due to the speed and
frequency of attack methods, these devices must also be able to execute
defensive actions without human intervention in minimum time. The majority
of Internet connected organizations do not have the necessary time or
resources to properly analyze security reports, implement necessary
countermeasures and execute them.   If the organization's Internet
infrastructure and applications aren't easily accessible or are difficult to
use, the customers who expect to get fast and reliable online services will
simply find another available service (usually from a competing
organization). 
Human decisions and actions take time and, in a world dominated by fast
hardware and communication lines, some of the decisions and countermeasures
will have to be done automatically by the security devices in order to avoid
losing customers.

It is not clear however, what Gartner means by saying that firewalls (with
more security functionalities - network and applications protections) will
replace the IDS products. Intrusion analysis is an entirely different
technology than the technology which is associated with current firewalls
products. Integrating both technologies in the same product is possible and
it seems that this is what Gartner was intending to explain, unsuccessfully.

      
Although it might upset some vendors, if automatic prevention is what the
market wants, it is a fact that the current IDS products which are
associated with an excessive amount of false positives, will not be able to
provide.  

Avi Chesla



----------------------------------------------------------------------------
---
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's
to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------
---



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------