IDS mailing list archives

RE: Low cost HID based IDS system


From: "Zach Forsyth" <Zach.Forsyth () kiandra com>
Date: Wed, 28 May 2003 09:54:22 +1000

-----Original Message-----
From: Sekurity Wizard [mailto:s.wizard () boundariez com] 
Sent: Friday, 23 May 2003 13:28 PM
Cc: Focus-Ids
Subject: RE: Low cost HID based IDS system


It's a matter of economics, and yes, a false sense of security is worse
than a sense of insecurity.  Your customer needs to be educated that they
are NOT covered in a way an MSSP would...but then if they're that small
they're probably not business-critical in terms of their systems.  We
need to make clear distinctions here - lest we forget that money is
still short out there today.  
I see budgets cut constantly...and security isn't a piece of IT that
can show a definite "benefit" over a defined period.  You can say to
your client "you could have been hacked and x, y, and z, could have
happened"...but then the client will undoubtedly come back to you
with..."sure, but we haven't had IDS for years...we've had problems but
we've always dealt with them - so no 
business-ending loss"....make sure you understand the proper way to
rebut that.

I agree a false sense of security is worse - but a lot of our work is
all about educating the client on exactly what they need and
subsequently get for their money.
Even small companies lose a lot of money if they suffer a break in, and
the theory of if it hasn't happened yet it won't happen is not a great
one.
That's the same as people saying "my office hasn't burnt down yet in the
last five years, therefore I don't need insurance or off site backups"

I think it is safe to say no matter how small your business is, if
someone hacks you and wipes out your customer/critical data you are in
real trouble.
A lot of it is about educating your clients - off site backups being a
prime example. Small companies didn't bother with them until someone
came along and advised them they need it.

We keep arguing the same points over and over - and some of you folks
miss the point entirely.  Snort is great, and I love that it's out there
- but it'll only catch what you configure it to look for...simple.  You
need to have an onion, folks.  Firewall-->"IDS/IPS"-->network is how it
should always go...at very least.  
And last but certainly not least - think about this point for a
second... Everything is broken down to acceptable risk - what's your
client willing to accept in a cash vs. results bargain?

And enterasys will only catch what you configure it for, and netscreen
will only catch what you configure it for, etc, etc.
I don't think anyone on this list is not actively providing defense in
depth and no one is missing that point. I would suggest anyone with a
slight clue about security is doing that.

I know if I was a small business and someone offered me a managed
security model that didn't have 24x7x365 monitoring I would still go for
it.
Problem is I can see the risks very easily, now I just need to be able
to educate all of my clients about that same risk. Most of them are
getting the message.

Assuming of course the costs were reasonable, and that is what it all
comes down to. Cash vs. acceptable risk like you mentioned.

Seems to be hard to get across the point that we are talking about small
companies and economies of scale.

For $1000+ per month you can have managed 24x7x365 firewall and IDS. 
That cost is a lot more than small companies can afford. There are
thousands of offices out there that only connect with a modem/isdn line
and have connection costs less than $100 per month.

For let's say $250 a month you can have full monitoring during business
hours (critical alerts and response after hours), Firewall and IDS.
Enterprise level shared firewall that is configured to only allow
certain ports into your corporate network.
Enterprise level shared IDS.
Secured mail router so that your company mail is never delivered direct
to your server.
Etc.

Or for $80 a month you can have a DSL connection or whatever that is
completely open and unfirewalled.

I believe I am now leaning more towards an IPS solution for clients at
this point.
This will provide greater value for money as it is "always on" and
pro-active rather than re-active and doesn't lose any functionality
when not being monitored.

Anyways, lots of cans of worms opening up in these discussions and it
looks like a lot of people are split on the issues at hand.
If I was an educated business looking for more security than a DSL
connection with zonealarm, I would jump at the chance to pay $250 a
month for a cut down MSSP service.
But that's just me.....I honestly believe there is a big market there
for this sort of product.

I would like to thank everyone for the responses to my email, it has
been very useful to me.

Cheers

z


