Andrew Plato wrote:
> >> Which is exactly why Anitian started an on-site managed security
> >> service. Most firms cannot afford a full-time analyst, so one of ours
> >> can come in once a week (or once a month) and review all the logs and
> >> look for trouble.
> >
> >That's hilarious. So an attacker could have 0wned you 3 weeks ago, and
> >then the Anitian service tells you about it. Oh good :)
>
> No, the IDS and/or firewall settings we established tell you about it
> right away. We merely provide the on-going maintenance, support,
> and analysis of issues to detect and track more subtle intrusions and
> help the customer make the most out of their security investments.
>
> For example, one thing we do is scan through firewall logs looking for
> tell-tale signs of reconnaissance or odd late-night behavior. Might be
> nothing, might be a hack - but at least *somebody* is keeping an
> eye on this stuff.

So the end-user is monitoring the IDS? The point being that *someone* had
better be monitoring the IDS in real time, or else it is not worth having.

> >Why bother paying for IDS at all if you're only going to look at it
> >weekly or monthly? That's absurd. The amount of potential damage that
> >can occur in a week or a month is huge; of what use is such a service?
>
> I wouldn't expect this service to appeal to somebody like you, Crispin.
>
> Many small to medium-sized organizations do not have the resources or
> the experience to analyze the logs and output that IDSs, OSs, or
> firewalls produce on a regular basis.

Agreed.

> Our service was designed to offer these places
> expert help and peace of mind. To make sure everything is running and
> working at optimal efficiency and capability.

Here's the problem:

 * If you are providing real-time 24/7 monitoring (as many outsourced
   security monitoring companies do) then you are providing effective IDS
   value to a customer that lacks the expertise to have in-house analysts.

 * But if you are only doing the outsourced monitoring every week or so,
   then either the unskilled end-user is monitoring the IDS, or (worse)
   no one is monitoring the IDS. In this case, both the service and the
   IDS are of NO VALUE. They are a pure feel-good decoration.

> There is a lot of peace of mind and value having experts on-site
> regularly to give all the systems a "check up."

Exactly: all this does is generate peace of mind, without any actual
security value.

To be clear, I'm not just bashing IDS as useless. Just pointing out that
IDS is useless unless it is accompanied by human 24x7 monitoring, which
you can either do yourself, or outsource. Now-and-then monitoring of IDS
is not useful, because the attacker can do a great deal of damage before
you notice it. Including changing the IDS logs.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
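The firewall-log triage Andrew Plato describes (looking for tell-tale signs of reconnaissance and odd late-night behaviour), together with Crispin's point that a weekly visit leaves the findings sitting unread for days, as an added example that is not part of the original thread and is not Anitian's or WireX's code. The simplified iptables-style log format, the field names, the five-port threshold, the 06:00 to 22:00 business window, the sample addresses and the review timestamp are all constructed assumptions chosen for illustration:

```python
"""Firewall-log triage for reconnaissance and off-hours activity.

Added example, not code from the thread, Anitian, or WireX. The log format is
a constructed, simplified iptables-style line; field names, thresholds and
business hours are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (RFC 5737 documentation addresses, no real hosts).
# One source walks six ports on one host at 02:11, one login is accepted at
# 03:40, daytime traffic is ordinary, and one line is deliberately malformed.
SAMPLE_LOG = """\
2002-08-28T02:11:03 DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=21
2002-08-28T02:11:04 DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=22
2002-08-28T02:11:04 DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=23
2002-08-28T02:11:05 DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=25
2002-08-28T02:11:05 DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=80
2002-08-28T02:11:06 DENY SRC=198.51.100.7 DST=192.0.2.10 DPT=110
2002-08-28T03:40:12 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 DPT=22
2002-08-28T14:22:41 ACCEPT SRC=203.0.113.9 DST=192.0.2.10 DPT=443
2002-08-28T14:23:02 DENY SRC=203.0.113.9 DST=192.0.2.10 DPT=8080
this line is malformed and must be skipped rather than crash the triage
"""

# Assumed line layout: ISO timestamp, ACCEPT/DENY, SRC=, DST=, DPT= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DENY) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)

# Assumed review time: a once-a-week visit, seven days after the scan.
WEEKLY_REVIEW_AT = datetime(2002, 9, 4, 9, 0)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dpt": int(m["dpt"]),
        })
    return events


def find_port_scans(events, min_ports=5):
    """Sources whose denied attempts touch at least min_ports distinct ports
    on one destination: a crude but useful reconnaissance signal."""
    ports = defaultdict(set)
    first_seen = {}
    for e in events:
        if e["action"] != "DENY":
            continue
        key = (e["src"], e["dst"])
        ports[key].add(e["dpt"])
        first_seen.setdefault(key, e["ts"])
    return [
        {"src": src, "dst": dst, "ports": sorted(p), "first_seen": first_seen[(src, dst)]}
        for (src, dst), p in ports.items()
        if len(p) >= min_ports
    ]


def find_off_hours_accepts(events, day_start=6, day_end=22):
    """Accepted connections outside business hours (day_start <= hour < day_end)."""
    return [
        e for e in events
        if e["action"] == "ACCEPT" and not (day_start <= e["ts"].hour < day_end)
    ]


def review_lag_days(findings, reviewed_at):
    """Days between the earliest flagged event and the moment a human looked."""
    stamps = [f.get("first_seen") or f["ts"] for f in findings]
    if not stamps:
        return 0.0
    return (reviewed_at - min(stamps)).total_seconds() / 86400


def triage(log_text, reviewed_at):
    """Run both detectors and report how long the findings went unreviewed."""
    events = parse_log(log_text)
    scans = find_port_scans(events)
    off_hours = find_off_hours_accepts(events)
    return {
        "events": len(events),
        "scans": scans,
        "off_hours": off_hours,
        "lag_days": review_lag_days(scans + off_hours, reviewed_at),
    }


def run_sample():
    """Triage the constructed log against the assumed weekly review time."""
    return triage(SAMPLE_LOG, WEEKLY_REVIEW_AT)


if __name__ == "__main__":
    report = run_sample()
    for s in report["scans"]:
        print(f"scan: {s['src']} -> {s['dst']} ports {s['ports']} at {s['first_seen']}")
    for e in report["off_hours"]:
        print(f"off-hours accept: {e['src']} -> {e['dst']}:{e['dpt']} at {e['ts']}")
    print(f"earliest finding sat unreviewed for {report['lag_days']:.1f} days")
```

On the sample data the scan and the 03:40 accepted connection are both flagged, and the lag figure makes Crispin's objection concrete: with a weekly visit the earliest finding waits just over seven days for anyone to read it, which is the window the rest of the thread argues about. Real firewall formats differ from this constructed one, so the regular expression is the part to adapt first.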
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 16:34:05 PDT