IDS mailing list archives

Re: Low cost HID based IDS system


From: "George W. Capehart" <gwc () capehassoc com>
Date: Tue, 27 May 2003 08:24:40 -0400

On Thursday 22 May 2003 11:27 pm, Sekurity Wizard wrote:
> It's a matter of economics, and yes, a false sense of security is
> worse than a sense of insecurity.  Your customer needs to be educated
> that they are NOT covered in a way an MSSP would...but then if
> they're that small they're probably not business-critical in terms of
> their systems.  We need to make clear distinctions here - lest we
> forget that money is still short out there today.  I see budgets cut
> constantly...and security isn't a piece of IT that can show a
> definite "benefit" over a defined period.  You can say to your client
> "you could have been hacked and x, y, and z, could have
> happened"...but then the client will undoubtedly come back to you
> with..."sure, but we haven't had IDS for years...we've had problems
> but we've always dealt with them - so no business-ending
> loss"....make sure you understand the proper way to rebut that.
>
> We keep arguing the same points over and over - and some of you folks
> miss the point entirely.  Snort is great, and I love that it's out
> there - but it'll only catch what you configure it to look
> for...simple.  You need to have an onion, folks.
> Firewall-->"IDS/IPS"-->network is how it should always go...at very
> least.  And last but certainly not least - think about this point for
> a second... Everything is broken down to acceptable risk - what's
> your client willing to accept in a cash vs. results bargain?

IMHO, these are two very important points.  Defense in depth is a 
cornerstone of a good security architecture.  For those who would like 
to have information to which they can point when they talk about it to 
their customers, Google has a good selection of information, some 
of it better than others.  A good reference/intro is at the SANS 
Institute:  http://www.sans.org/rr/securitybasics/defense.php . . .  A 
more in-depth discussion can be found at:  
http://www.dodccrp.org/diwCh15.htm.

As Sekurity Wizard pointed out, the concept is easier to sell once "the 
customer" has gone through a thorough risk assessment and really 
understands the threats to which he/she is exposed and the cost/impact 
of not protecting against them . . .  But then, in my experience, it's 
harder to sell some customers on the risk assessment than it is "point 
solutions."  :->

My $0.02.

/g
-- 
George W. Capehart

"With sufficient thrust, pigs fly just fine . . ."
 -- RFC 1925

