> So the end-user is monitoring the IDS?
> The point being that *someone* had better be monitoring the IDS in real
> time, or else it is not worth having.

Nobody can monitor an IDS in real time. Not even a 24/7/365 shop. They just have some guy sitting in a data center somewhere. He watches a console. When a red light comes on, he sends you a page. He doesn't reach into your network and fix the machine. He doesn't do anything but TELL you there is a problem after it has happened. And most of the 24/7/365 shops I have looked into don't even provide analytical support. They just read off the information from the IDS vendor's help file.

Our service isn't designed to be real-time. It's a regular maintenance and management of the information. It can also include a lot of services 24/7/365 shops cannot do, like vulnerability scanning, on-site forensics, system patching, etc. Stuff that does not require 24/7/365 coverage. Our service also focuses intensely on analysis. Reviewing the data and making decisions based on what we see.

> > Our service was designed to offer these places expert help and peace
> > of mind. To make sure everything is running and working at optimal
> > efficiency and capability.
>
> Here's the problem:
> * If you are providing real-time 24/7 monitoring (as many outsourced
>   security monitoring companies do) then you are providing effective
>   IDS value to a customer that lacks the expertise to have in-house
>   analysts.
> * But if you are only doing the outsourced monitoring every week or
>   so, then either the unskilled end-user is monitoring the IDS, or
>   (worse) no one is monitoring the IDS. In this case, both the
>   service and the IDS are of NO VALUE. They are a pure feel-good
>   decoration.

The purpose of an IDS is not to give you instantaneous recovery from an intrusion. The purpose of an IDS is to give insight and information about what is happening on a network. While in a perfect world these systems would be constantly monitored by a trained person - that is simply beyond what many organizations can afford. Monitoring and collecting information about network activities has value provided it is analyzed and fed back into some kind of decision matrix.

An IDS has no value when it is not monitored AT ALL. But regular monitoring and analysis is what gives it value. And most 24/7/365 shops do no analysis at all. They just alert. We are providing the expert analysis that can arm IT admins with the facts they need to make intelligent decisions about their network's security.

> Exactly: all this does is generate peace of mind, without any actual
> security value.

Wrong. We can catch subtle attacks and issues before they become a problem. We can spot strange behavior that would go totally unnoticed by an untrained IT admin and then arm them with the information to make a decision about how to handle that. They can then make an informed decision about how to better secure their network based on FACTS, not obnoxious rantings and ravings from security gurus. By my definition, that is security value.

> To be clear, I'm not just bashing IDS as useless. Just pointing out that
> IDS is useless unless it is accompanied by human 24x7 monitoring, which
> you can either do yourself, or outsource.
> Now-and-then monitoring of IDS is not useful, because the attacker can
> do a great deal of damage before you notice it. Including changing the IDS
> logs.

Very few firms have the resources to do 24/7/365 monitoring. It's simply too expensive. A now-and-then analysis is better than none at all. At least the systems are being watched regularly. Besides, we do a lot more than merely monitor. There is IDS tuning, optimization, signature updating, and general analysis to ensure the system is running optimally and spitting out relevant information and not just gobs of false positives.

I think there is value in this, my customers find it valuable, and I don't expect you would find it valuable, because it's not intended for you.

-----------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 19:06:59 PDT