RE: CRIME IDS is dead says Gartner

From: R Esser (r.esser@private)
Date: Mon Jun 23 2003 - 19:45:01 PDT

  • Next message: Karol Kulaga: "RE: CRIME IDS is dead says Gartner"

    I think another critical point here is that most "analysis" of this type is
    usually "sponsored." In my former life at a big software company, I'd heard
    from an insider that you can get any verdict on any topic you wished for a
    couple $mil...
    
    Anyone know who sponsored this piece? I'd be surprised if the (probably)
    vendor didn't have a marketing effort that coincides with "IDS dying."
    
    Randy Esser, MSIS, CISSP
    H: 503 846 9908
    C: 971 226 4319
    randy@private 
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private]On Behalf Of
    Andrew Plato
    Sent: Monday, June 23, 2003 6:35 PM
    To: crime@private
    Subject: CRIME IDS is dead says Gartner
    
    
    Some of you have probably seen this. Its been all over the news and
    elsewhere.
    
    http://www.informationweek.com/shared/printableArticle.jhtml?articleID=1
    0300918
    
    ------------
    
    EXCERPT from article
    
    Intrusion-detection systems-software that attempts to spot and report
    attacks against information systems-will no longer be a defense in the
    information security pro's arsenal by 2005. That's the prediction coming
    out of research firm Gartner. 
    
    "IDS as a security technology is going to disappear," says Richard
    Stiennon, a Gartner research director. 
    
    Stiennon contends that organizations are going to so successfully harden
    their internal systems that the "burglar-alarm" service
    intrusion-detection systems provide will no longer be necessary.
    "Imagine a world where there are no intrusions," he says
    
    ------------
    
    This is another example of some of the mis-information that is getting
    out there about IDS/IPS technologies. Hardening systems and using IPS
    are a great way to stop attacks. But without some kind of monitoring,
    you simply cannot be sure. This is like removing the camera from a bank
    because the bank buys a really nice vault and puts great locks on the
    front doors. While I would like to imagine a world where there are no
    intrusions, I don't think that world is coming any time soon.
    
    However, I am certain, that without monitoring, you'd never know if
    there WAS an intrusion. Hence, there is a certain absurdist logic here:
    "We have no IDS, our systems work, so we must be safe." Riiiiight. 
    
    Personally, I think Gartner's report is more a product of poor IDS
    implementation and management. In the rush to get an IDS, many
    organizations do not take the time or effort to properly integrate,
    tune, and manage the system. As such, the system produces a ton alerts,
    which quickly get ignored. 
    
    Also, IPS has a place and I am a big advocate for it, the idea that IDS
    will disappear is absurd. Any decent "defense in depth" strategy must
    consider multiple points of monitoring and response. IDS is merely one
    piece of the puzzle. A valuable piece (when its used properly.)  
    
    Anyway, Anitian published a response on our web site: 
    
    http://www.anitian.com/corp/papers/Gartner%20Response.pdf
    
    Curious to hear other reactions. 
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    Enterprise Security &
    Infrastructure Solutions
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com 
    ___________________________________
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 19:58:04 PDT