IDS mailing list archives
RE: Low cost HID based IDS system
From: "Zach Forsyth" <Zach.Forsyth () kiandra com>
Date: Wed, 28 May 2003 09:54:22 +1000
-----Original Message-----
From: Sekurity Wizard [mailto:s.wizard () boundariez com]
Sent: Friday, 23 May 2003 13:28 PM
Cc: Focus-Ids
Subject: RE: Low cost HID based IDS system

> It's a matter of economics, and yes, a false sense of security is worse
> than a sense of insecurity. Your customers need to be educated that they
> are NOT covered in a way an MSSP would...but then if they're that small
> they're probably not business-critical in terms of their systems. We need
> to make clear distinctions here - lest we forget that money is still
> short out there today.
>
> I see budgets cut constantly...and security isn't a piece of IT that
> can show a definite "benefit" over a defined period. You can say to your
> client "you could have been hacked and x, y, and z, could have
> happened"...but then the client will undoubtedly come back to you
> with..."sure, but we haven't had IDS for years...we've had problems but
> we've always dealt with them - so no
> business-ending loss"....make sure you understand the proper way to
> rebut that.

I agree a false sense of security is worse - but a lot of our work is all about educating the client on exactly what they need and subsequently get for their money.

Even small companies lose a lot of money if they suffer a break-in, and the theory of if it hasn't happened yet it won't happen is not a great one. That's the same as people saying "my office hasn't burnt down yet in the last five years, therefore I don't need insurance or off site backups".

I think it is safe to say no matter how small your business is, if someone hacks you and wipes out your customer/critical data you are in real trouble. A lot of it is about educating your clients - off site backups being a prime example. Small companies didn't bother with them until someone came along and advised them they need it.

> We keep arguing the same points over and over - and some of you folks
> miss the point entirely. Snort is great, and I love that it's out there
> - but it'll only catch what you configure it to look for...simple. You
> need to have an onion, folks. Firewall-->"IDS/IPS"-->network is how it
> should always go...at very least.
>
> And last but certainly not least - think about this point for a
> second... Everything is broken down to acceptable risk - what's your
> client willing to accept in a cash vs. results bargain?

And enterasys will only catch what you configure it for, and netscreen will only catch what you configure it for, etc, etc. I don't think anyone on this list is not actively providing defense in depth and no one is missing that point. I would suggest anyone with a slight clue about security is doing that.

I know if I was a small business and someone offered me a managed security model that didn't have 24x7x365 monitoring I would still go for it. Problem is I can see the risks very easily, now I just need to be able to educate all of my clients about that same risk. Most of them are getting the message. Assuming of course the costs were reasonable, and that is what it all comes down to. Cash vs. acceptable risk like you mentioned.

Seems to be hard to get across the point that we are talking about small companies and economies of scale. For $1000+ per month you can have managed 24x7x365 firewall and IDS. That cost is a lot more than small companies can afford. There are thousands of offices out there that only connect with a modem/isdn line and have connection costs less than $100 per month.

For let's say $250 a month you can have full monitoring during business hours (critical alerts and response after hours), Firewall and IDS. Enterprise level shared firewall that is configured to only allow certain ports into your corporate network. Enterprise level shared IDS. Secured mail router so that your company mail is never delivered direct to your server. Etc.

Or for $80 a month you can have a DSL connection or whatever that is completely open and unfirewalled.

I believe I am now leaning more towards an IPS solution for clients at this point. This will provide greater value for money as it is "always on" and pro-active rather than re-active and doesn't lose any functionality when not being monitored.

Anyways, lots of cans of worms opening up in these discussions and it looks like a lot of people are split on the issues at hand. If I was an educated business looking for more security than a DSL connection with zonealarm, I would jump at the chance to pay $250 a month for a cut down MSSP service. But that's just me.....I honestly believe there is a big market there for this sort of product.

I would like to thank everyone for the responses to my email, it has been very useful to me.

Cheers
z