Website: http://www.matasano.com/log
Original page: http://www.matasano.com/log/570/richard-bejtlich-stick-up-for-ids-i-retaliate/
IDS/IPS are TOOLS. Like so many others in security, they are not the end-all be-all, holy grail, save-my-bacon, white-knight, take-it-home-to-mama applications and appliances that vendors would love for you to believe. They ARE part of what I can generally call a "general detection / protection mesh".
I personally fail Thomas' challenge to describe an instance where I can safely say, "If I didn't have Snort (or X IPS/IDS product) in place, my company may not still be around." Does this mean that they are not effective? NO. They have a place in the security world; if they are properly maintained they can be invaluable in providing detection for such things as "X Apache module is vulnerable to DoS using XXXX payload". Detection of this payload and a quick response, either by an IPS or by a human in the case of an IDS, could in fact save the day.
The very things you chide IDS/IPS for in statement 3 are things that security personnel SHOULD be worried about. Botnets, infections, spyware, et al. Downplaying their importance is not helpful to the community. Are they the "end of the world" aspects that you concern yourself most with? Obviously not.
As far as statements 4 and 5 are concerned, I have to agree with you for the most part. Innovation is lacking in the IDS/IPS arena; the same ol' same ol' gets rehashed in every new application or appliance. Firewalls are arguably the most important security innovation of all time. However, I believe it unfair to use the success of firewalls to downplay the need for or effectiveness of IDS/IPS. Not every product or idea will be as grand as its predecessors, but they still have their place.
PS: I'm sure that the comments that follow will be weighted heavily towards one side of the aisle or the other. IDS/IPS is a very polarizing issue in the security community; I stress the need for everyone to keep an open mind to arguments made on both sides, and draw your own conclusions. What it comes down to is the importance you place on specific countermeasures for your environment; you are in the end responsible for your own actions.
...FWs/IPS (host and network) would prevent 100% of any attack against the enterprise. No one would need to patch applications or operating systems. Instant Protection Systems rock; monitoring the network would be a waste.
In a perfect world...
...effective patch management and vulnerability scanning would thwart 100% of the vulnerabilities within an OS or application. Exploits would never happen and the term zero-day would be wiped from Wikipedia. Monitoring the network would be a waste.
In a perfect world...
...$SOMETHING would prevent 100% of $EVERYTHING. And it'd be an appliance that would cost under $5000 so I could expense it. Or better yet, it'd be open source and could be installed by blinking.
Unfortunately, I live in the real world and shit happens (I have the t-shirt to prove it). I don't think anyone is going to argue that FWs and patch management aren't a necessity. I also doubt that anyone will guarantee (backed by dollars) that your network cannot be compromised with them in place (without a laundry list of perfect-world outs).
I personally cringe whenever I hear the term IDS. Vendors have commoditized IDS into an underachieving wannabe whiz-bang appliance. IDS should be part of a monitoring solution. I hear there is a book that does a good job of outlining this thing called Network Security Monitoring.
As far as someone telling you about how IDS saved their bacon, the first rule of Fight Club is not to talk about Fight Club ;). If you honestly want to hear a story about how NSM saved some bacon (with IDS as part of the process), then please feel free to contact me directly. I'll even give you my phone number. My only requirement is that you keep an open mind. Yes, there are thousands of different ways that the incident(s) I'll tell you about could have been prevented, and there are just as many ways the attacker could have avoided detection. But that's not the point; I live/work in the real world. And shit happens.
Bammkkkk
A. $30K and a few flashing lights.
I think this zero-sum game has been fueled by a pervasive lack of humbleness (or abundance of arrogance) from the security community 'superstars' on both sides of the fence. Daily Dave and other 'offensive'-biased forums demonstrate the telltale signs of that view: "I'm too good for any defensive stuff, I can break anything and everything, and therefore nothing really works and it's all useless crap." Defensive 'superstar' Marcus Ranum's lively diatribes against the role of offensive security people are a good example of the counterbalancing force in this 'debate'. And guess what?... nobody cares! Most end-user organizations are looking for ways to solve their real-world problems, not for the definite proof of what's The Right Security Philosophy.
On top of that, there's also a ridiculous search for silver bullets that inevitably leads to failure in the real world. Sadly, it is more convenient for everybody (security vendors, customers, 'analysts' and the expert community) to think that you're building, buying or selling a silver bullet than to allow yourself to think that there are no silver bullets, that all security solutions are partial and flawed, and that you *have to* do your homework to find the right mix for your environment.
The "death of the IDS" has been greatly exaggerated, but that doesn't necessarily mean that IDS/IPS technologies are immortal.
Tom: Regarding point #5, yes, it is unimaginable for a large company to be connected to the Internet without firewalls, but what does that prove? That firewalls are intrinsic networking technology? Or perhaps that large companies lack the imagination to envision a different network security paradigm? The former would lead me to think that the network security field is poised for evolutionary change only; the latter leaves room for a revolutionary change... somewhere, sometime.
http://www.stillsecureafteralltheseyears.com/as...
I think you're asking the wrong question in looking for an existence proof for "IDS works". You can use a ziplock baggy as a condom and sometimes you won't get pregnant. The question isn't whether IDS ever works, but whether it's worth the $500 million that gets spent every year and the $billion+ to deploy and manage it.
It isn't.
Also, you need to distinguish between IDS and IPS, since we _need_ to monitor and that's what IDS gives us, whereas IPS is utter shite and a boil on the ass of the toad that is marketing in infosec products.
IDS may suck; tell me what we do instead. I know IDS has serious issues; I quote your papers and all recent work on evading and breaking and compromising IDS frequently. That doesn't mean we get to _not_ monitor the network.
Encrypt it all for good security reasons, then exclaim "This damn IDS can't read encrypted packets!" and throw it away. It's a win/win!
At the end of the day, IDS is good at plucking low-hanging fruit out of the noise and recording it. That's useful.
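The comment above makes three concrete claims about a signature-based NIDS: it catches the low-hanging fruit, it is blind once the traffic is encrypted, and its matching can be evaded. The following is an added example, not code from the original thread or from any commenter, that shows all three on constructed packets. The rule, the packets, the addresses (TEST-NET 203.0.113.7, host "x.example") and the SID are all hypothetical; the "encrypted" packet is a constructed TLS-looking record whose body is just opaque bytes, standing in for ciphertext the sensor cannot read.

```python
"""Minimal content-match NIDS over constructed packets (added example, not from the page).

Shows why a plain byte-pattern sensor (a) fires on an obvious plaintext
credential post, (b) misses the same post once a single byte is
percent-encoded unless the sensor normalizes HTTP first, and (c) can never
fire on the encrypted copy of that traffic, normalization or not.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes          # application-layer bytes as the sensor sees them


@dataclass
class Rule:
    sid: int                # hypothetical signature id, not a real Snort SID
    msg: str
    dport: Optional[int]    # None = any destination port
    content: bytes          # raw byte pattern, Snort "content:" style


# Hypothetical rule: a form login field leaving the network in the clear.
RULES = [
    Rule(1000001, "Plaintext credential post leaving the network", None, b"login="),
]

_HTTP_HEAD = b"POST /c HTTP/1.1\r\nHost: x.example\r\n\r\n"

# Constructed packets (all values made up for this example):
#  0: obvious plaintext exfiltration   -> low-hanging fruit, should alert
#  1: one byte percent-encoded ("%6f") -> evades a raw byte search
#  2: same data over TLS: a record header followed by opaque bytes
PACKETS = [
    Packet("10.0.0.5", "203.0.113.7", 80, _HTTP_HEAD + b"login=alice&pass=hunter2"),
    Packet("10.0.0.5", "203.0.113.7", 80, _HTTP_HEAD + b"l%6fgin=alice&pass=hunter2"),
    Packet("10.0.0.5", "203.0.113.7", 443,
           b"\x17\x03\x03\x00\x30" + bytes(range(0x80, 0xB0))),
]


def content_match(rule: Rule, pkt: Packet, normalize: bool = False) -> bool:
    """True if the rule's content appears in the packet payload."""
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    data = pkt.payload
    if normalize:
        # Cheap HTTP normalization: percent-decode before matching, so
        # "l%6fgin=" is seen as "login=". Real sensors do far more
        # (chunking, gzip, Unicode, TCP reassembly), and each gap is an evasion.
        data = unquote(data.decode("latin-1")).encode("latin-1")
    return rule.content in data


def inspect(packets: List[Packet], rules: List[Rule],
            normalize: bool = False) -> List[Tuple[int, str, str]]:
    """Run every rule over every packet; return (sid, src, dst) per alert."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if content_match(rule, pkt, normalize):
                alerts.append((rule.sid, pkt.src, pkt.dst))
    return alerts


if __name__ == "__main__":
    print("raw match:       ", inspect(PACKETS, RULES))
    print("normalized match:", inspect(PACKETS, RULES, normalize=True))
    print("encrypted only:  ", inspect(PACKETS[2:], RULES, normalize=True))
```

Running it, the raw sensor alerts once (packet 0), the normalizing sensor alerts twice (packets 0 and 1), and the encrypted packet never alerts under either mode, which is the "can't read encrypted packets" point in the same comment stated as executable code rather than as a joke.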
"I am waiting for someone to tell me the story about how an IDS saved their bacon. I’m not interested in the story about how it found the guy with the spyware infection..."
Why these have to be two separate things is beyond me. If an IDS caught a screen-scraper trying to send logins and private information back to some .ru site and blocked it, that's rescued pork, no question. The associated regulatory fines alone would be 2x-3x what the average company spent to clean up MS-Blaster. Keeping all the servers in the DMZ from getting owned shouldn't be the bar by which we judge the value of a technology, because if we did:
"There’s a difference: firewalls are hugely successful, perhaps the single most important piece of security technology enterprises buy."
...then firewalls suck, too.
Btw, you don't really need to be "inline" to accomplish the above... I know, it sounds like blasphemy to the protocol police, but just think about it for a few minutes... insertion, evasion & DoS need not be just offensive techniques. Possibly not "the right thing" or the most elegant, but... what if it actually works? Doesn't RNA do any of this?! There... Mr. Roesch, if you do it I will be expecting some complimentary stock from that upcoming IPO :) Hey, why not? Red Hat did it!@#
So Marty should smile. And Dave should keep on hating. No doubt someone will hate all over him when Immunity gets bought or goes public.
But I can see how Dave has a hard time seeing the value in NIDS as a technology because he has developed effective methods for evading NIDS products.
It's akin to an expert car thief* who can't understand why people still buy car alarms because he has no trouble getting around them. But people buy them because they work some of the time, and that's better than none of the time.
* For the record, I'm not comparing Dave Aitel or anyone else to a criminal of any sort.