IDS mailing list archives
Re: IDS thoughts
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 13 May 2003 16:22:48 -0700
Randy Taylor writes:

> There's really not a whole lot else to be done in the IDS market except product improvements (code refinement, etc), signature maintenance, and keeping up with data rates. Oh, and press releases.
I couldn't agree less. For the past year or so, I've been consulting (and interviewing) in and around Silicon Valley. This has involved a lot of discussion about IDS strategies with a fair number of the large (surviving) tech firms (both internet-specific and otherwise). One of the things I've gotten out of the exercise is this: Nobody with more than a low integer multiple of T1s has any meaningful IDS strategy. Most aren't doing anything at all (mod checking application logs and suchlike).

Clearly my experience doesn't constitute a statistically significant sample. And there are probably some factors biasing the result---i.e., companies looking for security consultants/hiring new infosec goons probably have a different frequency of existing IDS deployments than companies in general. That being said, the breakdown (in my admittedly limited experience) seems to be:

-Organisations with a couple of T1s worth of bandwidth, an internal network full of unsecured desktops, and a DMZ with web, mail, and DNS servers (one each) are in the market for IDS products

-Organisations with more than a couple hundred MB inbound aren't interested/have had bad experiences with IDS products/don't believe an IDS can be adapted to their situation

Now, from a strictly mercenary standpoint one could argue that the latter group just needs to be talked into buying one of the existing IDS products and so this is just a marketing problem. But I don't buy it. IDS vendors like to -think- they've gotten to a point where they have stable technology that Does The Right Thing, and that's what all the marketing flacks say. But from the standpoint of what IDSes are actually doing and how they're doing it, things don't look that different from when most of us were doing things with tcpdump---and snort, NFR and ISS didn't even exist yet.
I.e., we tend to do an awful lot of staring at and identifying funny characteristics of individual packets or (sometimes) small groups of packets; we're still either swamped with false positives or have tuned all the alert thresholds so high a meteor landing in the datacenter has just about even odds of generating an entry in the audit trail; and we're heavily dependent on keeping our set of Known Bad Things up to date to avoid blindly staring past the exploit du jour.

The interface might be cleaner, the code might be faster, and the web pages might be prettier, but the technology is still pretty much the same. If we've gotten to the point where IDSes are in the `commodity space', it's the same commodity space occupied by the guys with armfuls of watches selling Rollexen on the streetcorners in Juarez, not the commodity space occupied by Swiss watchmakers.

-spb
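The two limitations the post names (a fixed list of Known Bad Things misses anything not on it, and raising alert thresholds to cut false positives also suppresses true positives) can be shown on a toy signature-and-threshold detector. The following is an added example, not code from the original post or from any IDS product mentioned in it; the signature list, the packet records, their attack labels and the threshold values are all constructed for illustration.

```python
"""Toy signature-and-threshold IDS (added example, not from the original post).

Packets are matched against a constructed list of literal byte-pattern
signatures; a source is alerted on only once its number of matching
packets reaches a per-source threshold. Everything below (signatures,
packets, labels, thresholds) is an assumption made up for illustration.
"""
from collections import Counter

# Constructed "known bad" list: (signature name, literal byte pattern).
SIGNATURES = [
    ("cmd-shell-probe", b"/bin/sh"),
    ("web-traversal", b"../.."),
    ("sql-comment", b"--"),   # deliberately broad: benign traffic trips it too
]

# Constructed packet records: (source address, payload, is_attack label).
# 10.0.0.5 is benign but noisy; 10.0.0.9 is a listed attack pattern;
# 10.0.0.7 is an attack the list does not cover (URL-encoded variant).
PACKETS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.0", False),
    ("10.0.0.5", b"GET /notes?title=to-do--later HTTP/1.0", False),
    ("10.0.0.5", b"GET /faq?q=why--not HTTP/1.0", False),
    ("10.0.0.9", b"GET /../../etc/passwd HTTP/1.0", True),
    ("10.0.0.7", b"GET /cgi-bin/x?cmd=%2Fbin%2Fsh HTTP/1.0", True),
]


def match_signatures(payload, signatures=SIGNATURES):
    """Names of every signature whose literal pattern occurs in payload."""
    return [name for name, pattern in signatures if pattern in payload]


def alerting_sources(packets, signatures=SIGNATURES, threshold=1):
    """Sources with at least `threshold` signature-matching packets."""
    counts = Counter()
    for src, payload, _ in packets:
        if match_signatures(payload, signatures):
            counts[src] += 1
    return {src for src, n in counts.items() if n >= threshold}


def evaluate(packets, signatures=SIGNATURES, threshold=1):
    """Compare alerted sources against the constructed ground-truth labels.

    Returns sorted lists of true-positive, false-positive and missed sources.
    """
    attackers = {src for src, _, is_attack in packets if is_attack}
    alerted = alerting_sources(packets, signatures, threshold)
    return {
        "true_positives": sorted(alerted & attackers),
        "false_positives": sorted(alerted - attackers),
        "missed": sorted(attackers - alerted),
    }


if __name__ == "__main__":
    # Threshold 1: the broad signature floods on the benign source, the
    # listed traversal is caught, the unlisted encoded probe is invisible.
    # Threshold 2: the noisy benign source is the only thing left alerting;
    # the real traversal (one packet) now falls below the bar as well.
    for threshold in (1, 2):
        print(f"threshold={threshold}:", evaluate(PACKETS, threshold=threshold))
```

Run as a script it prints the outcome at both thresholds; the point to notice is that the threshold knob trades the traversal alert away without removing the false positive, while the encoded probe never appears at any threshold because no signature covers it.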
Current thread:
- IDS thoughts Randy Taylor (May 13)
- Re: IDS thoughts Stephen P. Berry (May 14)
- Re: IDS thoughts Stefano Zanero (May 20)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Thomas H . Ptacek (May 20)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Thomas H . Ptacek (May 20)
- Re: IDS thoughts Ramani Yellapragada (May 20)
- Re: IDS thoughts Lance Spitzner (May 21)
- Re: IDS thoughts Stefano Zanero (May 27)
- Re: IDS thoughts Bill Royds (May 21)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Roger A. Grimes (May 21)