RE: Is IDS/IPS worthless?

["Duston Sickler" <dustons () charter net>]

Don't think you need an IDS/IPS solution?  Have a pen test done and then try
to put a cost on the data they retrieve from your network.  Better yet after
they penetrate your network have your IT team try to go back and detect the
break in.

Most businesses the have any customer data or financial data need IDS/IPS if
for nothing else then to not have to watch the news to find out if they have
had a breach or get a phone call from a hacker who wants money not to go to
the press/investors. 


Duston Sickler
CompTIA A+ Certified
"Cedo Nilli"

-----Original Message-----
From: Fergus Brooks [mailto:fergusb () evolve-online com] 
Sent: Monday, February 23, 2004 8:06 PM
To: 'Brian Taylor'; 'Andrew Plato'; focus-ids () securityfocus com
Subject: RE: Is IDS/IPS worthless?


Also...

Andrew I think you will find that most investment banks and companies whose
primary business is theirs, and other people's money, calculate technology
risk in very real terms.

They would consider an argument that a device, or series of devices, needs
to "make more money" is a simplistic and downright incorrect view of the
role and costing of technology in a business.

Different businesses have different teams that look into the value of risk
minimisation and mitigation, these are typically not the IT departments and
for most banks do not even fall under the responsibility of the CEO, CIO or
CTO. Even better they can wield a big stick when it comes to IT and what the
IT team are doing to minimise risk. They will consider any device which
limits the risk has an actual money-saving value and calculate the cost of
the solution against this value.

This is business - the enterprise way - and if your client still wants to
operate with a lemonade-stall mindest then I suggest you try this:

  - Speak to Risk & Compliance - they are always willing to hear comments on
risk.
  - Speak to Internal or External Audit - they are always interested too

Most banks now have IT security savvy staff within their audit teams - I
even know a few with fully-blown network & security consultants that have a
mandate to make things as secure as possible from the highest levels of the
business. Tell *them* that IDS needs to "make money" to be necessary. I'd
like to see the reaction.

All the best - regards...


-----Original Message-----
From: Brian Taylor [mailto:drak3 () attbi com]
Sent: Saturday, 21 February 2004 11:13 PM
To: 'Andrew Plato'; focus-ids () securityfocus com
Subject: RE: Is IDS/IPS worthless?

Andrew and all,

It's funny.  This has been an age-old argument in security--both in physical
and information security.  For the few American football fans out there, I
describe it as the job of an offensive lineman. He protects the quarterback
hundreds of times a game, but generally, you only get to recognize his value
when he gets beat for a sack.  Unfortunately, that is not how we would like
to justify IDS/IPS.  Good security should be transparent, invisible and
should not disrupt the core business.  

However, like Andrew said in his post, business performance is usually
measured in terms of revenue.  Sales organizations generates revenue and
attains new customers. Development and engineering create the products that
are used to generate revenue.  Hell, even Technical Support has a business
case about customer retention and satisfaction.  You can see an actual
product which is tied to sale.  IT makes sure that the daily operations are
able to happen.  Security sits there silently.  Doing everything on the
inside, but outwardly appearing to do nothing.  It is very hard to measure
how this positively affects revenue until something bad happens.  And IMHO,
a catastrophic incident should NEVER be used as a primary business case
except as a last resort.  Still, it is tempting to say "let's remove the
IDS/IPS for a year and see what happens"...
:-)

When Code Red and Nimda dropped, it was good to be able to say "we did not
lose a single day or productivity, nor was our business disrupted".
Other companies could not say that.  But again, who publicizes such a thing?
I was at an Infragard meeting and heard the worst-cases from other security
pros as well as CIOs CISOs, etc...  However, how often do you really get to
hear things like this on a daily basis.

I remember in the warehouse days, there were safety programs initiated
(after several costly accidents by the employees there).  There instituted
these safety awareness programs and had several prominently displayed signs
that said something to the order of "45 days without an accident".  This was
updated daily.  Did it prove that the safety program worked?  Maybe.  Was it
some sort of way of justifying the costs and effectiveness of the program?
I believe so. But we go back to the problem.  Safety awareness wasn't an
concern until the company lost revenue due to lost wages, workman's comp,
etc.  It was very easy to justify the costs of the program after something
bad happened.  

If I had the answer to this question, I probably wouldn't be sitting here
bemoaning the fact that I forgot to play the lottery last night!!
But I think we all have to agree that this is probably the biggest challenge
that we face as security professionals.  How do we show and justify the
benefits of IDS/IPS when good security should be transparent?  

Great post, Andrew.  I simply wish I had a better answer to it....

--BT

-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com]
Sent: Friday, February 20, 2004 11:32 AM
To: focus-ids () securityfocus com
Subject: Is IDS/IPS worthless? 



I've noticed something lately and I wonder if anybody else has experienced
this. At a meeting recently, I was told by a number of people that IDS/IPS
is a "worthless waste of IT resources" and "providing no real value to an
organization."  The speaker at this particular meeting challenged me to say
"what business goals did the implementation of an IDS/IPS achieve?"  I
responded that an IDS gives insight to what is happening on a network and
provides critical data to more effectively focus resources on real problems.
An IPS builds a level of trust and protection from intrusions as well as
insight into the function and behavior of a network. (Okay, it was a vanilla
answer, I
admit.)
 
So this speaker then challenged me to come up with verifiable metrics. I
replied that he would have to define what metrics he wants? What does he
consider a "viable metric" for performance.  He said "did they sell more
products, make more money?"  I replied "why is that the only metric that
businesses can understand?  A lot of complex things go into 'making money'
and IT operations is a small part of that. Marketing, strategic vision, and
many other factors have a much more profound impact on 'making money' than a
single IT security solution. However, insight into operations and security
is a critical component of IT. How do you know you have been broken into if
you don't have any mechanisms to detect those intrusions? There is clear
value in investment in locks and security cameras, why not have similar
investments into the digital equivalents."  
 
This shut him up, for a while, but it highlighted a growing trend I am
noticing. It seems like there are a lot of people with an agenda right now
to shoot down the value of IPS/IDS technologies. IPS in particular seems to
be painted as a "marketing ploy."  I also hear the story "they bought and
IDS and it just sat in a rack and did nothing"  a lot (usually from people
who don't even know what an IDS does.) 
 
What is happening here?  Anybody have any idea why there is a growing
"anti-IDS" attitude. Is it the failure of IDS to produce value in an
organization? Is the Gartner "IDS is dead" report having THAT much affect on
the industry?  Are the IDS vendors victims of their own over-marketing?  Am
I a paranoid moron? 
 
I am curious to hear other people's ideas on and strategies for dealing with
these objections. 
 
 
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 298
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D GPG
public key available at: http://www.anitian.com/corp/keys.htm 

------------------------------------------------------------------------
---
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------

--
This message has been scanned by AVMail


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integrates 
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------