IDS mailing list archives

RE: Is IDS/IPS worthless?


From: "Matthew L. McGuirl" <mmcguirl () lucidsecurity com>
Date: Mon, 23 Feb 2004 10:56:08 -0500

Andrew posed a very interesting and vital question last Friday. The
problems he referred to, the sometimes doubtful value of having an IDS
and the common misunderstanding of what IDS are supposed to do, are ones
caused by marketing and buyer education programs that did not properly
educate the people who are now questioning the value of these
technologies. Most IDS buyers did not sufficiently appreciate the amount
of resources, both human and technological, one needs to devote to an
IDS to derive any value from it. After all, what good is a mountain of
event data (much of it resource-draining false positives) if there is no
easy and inexpensive way to extract meaningful data that the
organization's IT staff can act on?

The fact that most IDS customers need additional tools to find the very
few events per day that they care about from the thousands or millions
their IDS generates is an indicator that IDS is not a tool most
companies actually want. My experience in helping to bring ipANGEL to
the market over the past 2 years has taught me that what most people
interested in IDS want is a tool that only tells them about relevant
attacks against vulnerable hosts. While the industry is bringing to
market tools that come close to meeting this need, mainstream IDS tools
do not do that. Similarly, I've found that IPS buyers want the same
things but are looking for a tool that intercepts legitimate, relevant
attacks before the attack can succeed.

It's been said that the definition of security is a non-event. However,
preventing successful attacks against vulnerable applications &
operating systems delivers very meaningful financial results each and
every time it happens. The critics of IDS/IPS seldom are aware of the
value of the assets their security staff is charged with protecting.
Even in cases where the prospect I'm dealing with is ignorant of these
critical metrics, I've found it helps to explain that each relevant
attack that gets blocked translates directly into IT assets that are
continuously available and secure. Preventing a scenario like Blaster
will save the average enterprise loads of money, and even non-technical
managers know that by now.

Matt

Matt McGuirl
Lucid Security Corporation
Email: mmcguirl at lucidsecurity.com
Voice: 215-371-3300 ext. 371
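As an added illustration of the vulnerability-correlated alerting the post describes (example code written for this archive page, not ipANGEL's or any product's code): a filter that keeps only alerts whose target host a scanner has recorded as vulnerable to the exploited weakness, and sets aside what it cannot judge. The alert and inventory formats, host addresses and the CVE-style identifiers are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Alert:
    """One IDS event. The field layout is an assumption, not any product's."""
    signature: str
    dst_ip: str
    cve: Optional[str]  # weakness the signature is mapped to; None if unmapped

# Constructed inventory: host -> weaknesses a scanner found open on it.
# "CVE-0000-000x" are placeholders, not real CVE identifiers.
INVENTORY: Dict[str, Set[str]] = {
    "10.0.0.5": {"CVE-0000-0001"},  # unpatched host
    "10.0.0.6": set(),              # fully patched host
    "10.0.0.7": {"CVE-0000-0002"},
}

# Constructed alert feed.
ALERTS: List[Alert] = [
    Alert("RPC overflow attempt", "10.0.0.5", "CVE-0000-0001"),
    Alert("RPC overflow attempt", "10.0.0.6", "CVE-0000-0001"),
    Alert("RPC overflow attempt", "10.0.0.7", "CVE-0000-0001"),
    Alert("ASN.1 decoder overflow", "10.0.0.7", "CVE-0000-0002"),
    Alert("RPC overflow attempt", "10.0.0.9", "CVE-0000-0001"),  # host not scanned
    Alert("generic shellcode pattern", "10.0.0.6", None),        # no CVE mapping
]

def triage(alerts: List[Alert], inventory: Dict[str, Set[str]]
           ) -> Tuple[List[Alert], List[Alert], List[Alert]]:
    """Split alerts into (relevant, suppressed, review).

    relevant:   target is inventoried and the exploited weakness is open on it.
    suppressed: target is inventoried and is not vulnerable to that weakness.
    review:     target is not in the inventory or the signature has no
                weakness mapping, so vulnerability state cannot be decided
                and the alert must not be silently dropped.
    """
    relevant, suppressed, review = [], [], []
    for a in alerts:
        open_vulns = inventory.get(a.dst_ip)
        if open_vulns is None or a.cve is None:
            review.append(a)
        elif a.cve in open_vulns:
            relevant.append(a)
        else:
            suppressed.append(a)
    return relevant, suppressed, review

if __name__ == "__main__":
    rel, sup, rev = triage(ALERTS, INVENTORY)
    print(f"{len(rel)} relevant, {len(sup)} suppressed, {len(rev)} need review")
    for a in rel:
        print("ACT:", a.dst_ip, a.signature, a.cve)
```

The "review" bucket is what keeps the filter honest: an incomplete scanner inventory or an unmapped signature must surface as work to do, not vanish as a false negative.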

