IDS mailing list archives

Re: ROI on IDS/IPS products


From: Jeremy Bennett <jeremyfb () mac com>
Date: Mon, 02 Mar 2009 12:09:24 -0800


On Mar 2, 2009, at 11:21 AM, Stefano Zanero wrote:

Jeremy Bennett wrote:

This is a problem with the products, not the customers. The problem
being that there is still too much IDS thinking inside the IPS.

Funny, since an IPS is nothing more than an IDS that can drop traffic ;-)

This is true of the technology. My point is that too many IPS vendors think that just because they are using IDS technology means they need to deliver an IDS that can block.


Yes, I'm being humorous here, but really there is not that much
difference in the two things, except for the marketing and the extremely
different defensive posture: an IDS hunts for higher detection rates
even at the cost of some false positives, whereas IPS aim at extremely
low false positive rates.

However:

So, I *should* be able to purchase an IPS, read the manual, configure it
according to my own risk profile, and then leave it alone. High-risk
activity should be blocked. Benign traffic should be let through.

And then villains should be brought to justice, and the greater
good should prevail.

An IPS can be more than an IDS with a cape and tights, yes.


However, getting back to the real world, it doesn't work. You cannot
configure "your risk profile" because there's no way on Earth to express
that sensibly in a single clicky and yummy web interface. You can
configure the system, activating and deactivating specific signatures,
and - sorry - you WILL need to know damn well what you are doing.

It is not just a problem with the products (and boy they are faulty), it
IS a problem with the customers. A huge one.

Ah, reality, ok. Think for a minute about the problem and the tacit assumptions that have already been made here.

By purchasing an IPS from a vendor and enabling even *some* of the signatures for blocking I have established that I trust my vendor and I trust the signature authors to write signatures that are good enough to block an exploit or an attempt to exploit a vulnerability. Today, as you say, I make the decision to enable a signature on a signature-by-signature basis. I read the metadata in whatever form the vendor provides it; text descriptions, risk ratings, reliability ratings, categories, etc. Except in the cases of products like snort where I can go read the signature myself, I'm trusting that the metadata are correct. I'm trusting my vendor.

So, why do you consider it so far-fetched that I might configure an IPS not on a signature-by-signature basis but on an application, resource, and risk basis? Clearly, this is a VERY different experience than current IPS configurations. In addition, it puts a LOT of trust into the vendor's signature authors to correctly categorize and rate their signatures based on the risk of the threat and the potential for a false positive on that particular signature. However, as I've said, this trust already exists.

What's required for my version of an IPS?
1. A vendor you can trust to reliably deliver signatures and rate them by risk and chance of false positive. (Some vendors are trying this today but they tend to suck at it in one or more of these dimensions.)
2. A product UI that would allow signatures to be applied on a resource and application basis. For example, block everything suspicious to my web farm except for web traffic. For web traffic, block anything with a very low rate of false positive, alert on anything with a medium, and log anything with a high chance of FP. Again, some vendors have tried this but tend to miss the overall point.
3. A process on the device to regularly download the latest signature updates and apply them based on the configured policy. I think all vendors have gotten some sort of automated download and signature update process going by now. The AV vendors drove them to it.

You assert that the customer 'WILL need to know damn well what they are doing.' I assert that if the customer knew what they were doing to the degree that you imply they'd be writing their own snort rules. Sourcefire has a good product based on this and it has its place in organizations that can run it. There are many customers that will never have that expertise. They have no choice but to trust their vendor to have the expertise necessary to write signatures and clearly communicate the efficacy of those signatures. This is the bulk of the potential IPS market, those people that want something better than a firewall but can't afford to digest 100,000 events per day.

-J
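The resource-and-application policy model sketched in the numbered list above, as an added illustration that is not part of the original thread and not any vendor's product: a hypothetical signature feed carrying vendor metadata (application tag, false-positive likelihood) is mapped to an action per destination resource, so a freshly downloaded signature needs no per-signature configuration. All data values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Signature:
    sid: int
    application: str  # application the vendor tagged the rule with, e.g. "http"
    fp_chance: str    # vendor-rated false-positive likelihood: low | medium | high


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    networks: tuple         # ip_network objects the resource spans
    served_apps: frozenset  # applications this resource legitimately serves


# For the resource's own application traffic, grade the action by the
# vendor's FP rating: block low-FP, alert on medium-FP, log high-FP.
ACTION_BY_FP = {"low": "block", "medium": "alert", "high": "log"}


def find_policy(policies, dst_ip):
    addr = ip_address(dst_ip)
    for pol in policies:
        if any(addr in net for net in pol.networks):
            return pol
    return None


def decide(policies, sig, dst_ip):
    """Return (resource name, action) for one signature hit against dst_ip."""
    pol = find_policy(policies, dst_ip)
    if pol is None:
        return ("unclassified", "alert")  # uncovered destination: IDS mode only
    if sig.application not in pol.served_apps:
        return (pol.name, "block")  # anything suspicious that is not the served app
    return (pol.name, ACTION_BY_FP[sig.fp_chance])


# Constructed sample policy and signature feed (hypothetical sids and ranges).
WEB_FARM = ResourcePolicy("web-farm", (ip_network("10.1.0.0/24"),), frozenset({"http"}))
POLICIES = [WEB_FARM]
FEED = [
    Signature(1000001, "http", "low"),
    Signature(1000002, "http", "medium"),
    Signature(1000003, "http", "high"),
    Signature(1000004, "smb", "high"),
]
SIG_BY_SID = {s.sid: s for s in FEED}
```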
