RE: CRIME IDS is dead says Gartner

From: Justin Kurynny (justink@private)
Date: Tue Jun 24 2003 - 10:53:20 PDT

  • Next message: tlmacgi@private: "RE: CRIME IDS is dead says Gartner"

    i haven't read the article, but i'll make a general comment anyway.
    there is a difference between IDS and IPS. if Gartner is only talking
    about IDS, i agree with the hypothesis that IDS is likely to go extinct.
    however, IPS apparently has value because it's actually doing something
    to actively fend off the attack in real time. [anyone feel free to jump
    in here if this statement exaggerates reality.]
    
    i know this list has been through the IDS pro/con discussion already, so
    we don't need to re-hash it, but i think we should clarify the
    differences between IDS and IPS.
    
    justin
    
    justin kurynny
    manager of network engineering
    waggener edstrom, inc.
    
    *
    
    -----Original Message-----
    From: Andrew Plato [mailto:aplato@private] 
    Sent: Monday, June 23, 2003 6:35 PM
    To: crime@private
    
    Some of you have probably seen this. Its been all over the news and
    elsewhere.
    
    http://www.informationweek.com/shared/printableArticle.jhtml?articleID=1
    0300918
    
    ------------
    
    EXCERPT from article
    
    Intrusion-detection systems-software that attempts to spot and report
    attacks against information systems-will no longer be a defense in the
    information security pro's arsenal by 2005. That's the prediction coming
    out of research firm Gartner. 
    
    "IDS as a security technology is going to disappear," says Richard
    Stiennon, a Gartner research director. 
    
    Stiennon contends that organizations are going to so successfully harden
    their internal systems that the "burglar-alarm" service
    intrusion-detection systems provide will no longer be necessary.
    "Imagine a world where there are no intrusions," he says
    
    ------------
    
    This is another example of some of the mis-information that is getting
    out there about IDS/IPS technologies. Hardening systems and using IPS
    are a great way to stop attacks. But without some kind of monitoring,
    you simply cannot be sure. This is like removing the camera from a bank
    because the bank buys a really nice vault and puts great locks on the
    front doors. While I would like to imagine a world where there are no
    intrusions, I don't think that world is coming any time soon.
    
    However, I am certain, that without monitoring, you'd never know if
    there WAS an intrusion. Hence, there is a certain absurdist logic here:
    "We have no IDS, our systems work, so we must be safe." Riiiiight. 
    
    Personally, I think Gartner's report is more a product of poor IDS
    implementation and management. In the rush to get an IDS, many
    organizations do not take the time or effort to properly integrate,
    tune, and manage the system. As such, the system produces a ton alerts,
    which quickly get ignored. 
    
    Also, IPS has a place and I am a big advocate for it, the idea that IDS
    will disappear is absurd. Any decent "defense in depth" strategy must
    consider multiple points of monitoring and response. IDS is merely one
    piece of the puzzle. A valuable piece (when its used properly.)  
    
    Anyway, Anitian published a response on our web site: 
    
    http://www.anitian.com/corp/papers/Gartner%20Response.pdf
    
    Curious to hear other reactions. 
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    Enterprise Security &
    Infrastructure Solutions
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________
    



    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 11:06:18 PDT