IDS mailing list archives

Re: IDS thoughts


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 13 May 2003 16:22:48 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Randy Taylor writes:

> There's really not a whole lot else to be done in the IDS market except
> product improvements (code refinement, etc), signature maintenance, and
> keeping up with data rates. Oh, and press releases.

I couldn't agree less.

For the past year or so, I've been consulting (and interviewing) in
and around Silicon Valley.  This has involved a lot of discussion
about IDS strategies with a fair number of the large (surviving) tech
firms (both internet-specific and otherwise).  One of the things
I've gotten out of the exercise is this:  Nobody with more than a
low integer multiple of T1s has any meaningful IDS strategy.  Most aren't
doing anything at all (mod checking application logs and suchlike).

Clearly my experience doesn't constitute a statistically significant
sample.  And there are probably some factors biasing the result---i.e.,
companies looking for security consultants/are hiring new infosec goons
probably have a different frequency of existing IDS deployments than
companies in general.

That being said, the breakdown (in my admittedly limited experience)
seems to be:

        -Organisations with a couple of T1s worth of bandwidth, an
         internal network full of unsecured desktops, and a DMZ
         with web, mail, and DNS servers (one each) are in the market
         for IDS products
        -Organisations with more than a couple hundred MB inbound
         aren't interested/have had bad experiences with IDS products/don't
         believe an IDS can be adapted to their situation

Now, from a strictly mercenary standpoint one could argue that the latter
group just needs to be talked into buying one of the existing IDS
products and so this is just a marketing problem.  But I don't buy it.

IDS vendors like to -think- they've gotten to a point where they have
stable technology that Does The Right Thing, and that's what all the
marketing flacks say.  But from the standpoint of what IDSes are actually
doing and how they're doing it, things don't look that different from
when most of us were doing things with tcpdump---and snort, NFR and ISS
didn't even exist yet.  I.e., we tend to do an awful lot of staring at
and identifying funny characteristics of individual packets or (sometimes)
small groups of packets;  we're still either swamped with false positives
or have tuned all the alert thresholds so high a meteor landing in
the datacenter has just about even odds of generating an entry in the
audit trail; and we're heavily dependent on keeping our set of Known Bad
Things up to date to avoid blindly staring past the exploit du jour.
The interface might be cleaner, the code might be faster, and the web
pages might be prettier, but the technology is still pretty much the
same.

If we've gotten to the point where IDSes are in the `commodity space',
it's the same commodity space occupied by the guys with armfuls of
watches selling Rollexen on the streetcorners in Juarez, not the commodity
space occupied by Swiss watchmakers.

- -spb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE+wX4RG3kIaxeRZl8RAoOYAKCcHeg23ix4vI666PhoPmQg0ft2IQCdG3kO
CBam9LVppcxkRnYiMxbrb/w=
=VSw1
-----END PGP SIGNATURE-----
