i haven't read the article, but i'll make a general comment anyway. there is a difference between IDS and IPS. if Gartner is only talking about IDS, i agree with the hypothesis that IDS is likely to go extinct. however, IPS apparently has value because it's actually doing something to actively fend off the attack in real time. [anyone feel free to jump in here if this statement exaggerates reality.] i know this list has been through the IDS pro/con discussion already, so we don't need to re-hash it, but i think we should clarify the differences between IDS and IPS. justin justin kurynny manager of network engineering waggener edstrom, inc. * -----Original Message----- From: Andrew Plato [mailto:aplato@private] Sent: Monday, June 23, 2003 6:35 PM To: crime@private Some of you have probably seen this. Its been all over the news and elsewhere. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=1 0300918 ------------ EXCERPT from article Intrusion-detection systems-software that attempts to spot and report attacks against information systems-will no longer be a defense in the information security pro's arsenal by 2005. That's the prediction coming out of research firm Gartner. "IDS as a security technology is going to disappear," says Richard Stiennon, a Gartner research director. Stiennon contends that organizations are going to so successfully harden their internal systems that the "burglar-alarm" service intrusion-detection systems provide will no longer be necessary. "Imagine a world where there are no intrusions," he says ------------ This is another example of some of the mis-information that is getting out there about IDS/IPS technologies. Hardening systems and using IPS are a great way to stop attacks. But without some kind of monitoring, you simply cannot be sure. This is like removing the camera from a bank because the bank buys a really nice vault and puts great locks on the front doors. While I would like to imagine a world where there are no intrusions, I don't think that world is coming any time soon. However, I am certain, that without monitoring, you'd never know if there WAS an intrusion. Hence, there is a certain absurdist logic here: "We have no IDS, our systems work, so we must be safe." Riiiiight. Personally, I think Gartner's report is more a product of poor IDS implementation and management. In the rush to get an IDS, many organizations do not take the time or effort to properly integrate, tune, and manage the system. As such, the system produces a ton alerts, which quickly get ignored. Also, IPS has a place and I am a big advocate for it, the idea that IDS will disappear is absurd. Any decent "defense in depth" strategy must consider multiple points of monitoring and response. IDS is merely one piece of the puzzle. A valuable piece (when its used properly.) Anyway, Anitian published a response on our web site: http://www.anitian.com/corp/papers/Gartner%20Response.pdf Curious to hear other reactions. ___________________________________ Andrew Plato, CISSP President / Principal Consultant Anitian Corporation Enterprise Security & Infrastructure Solutions 503-644-5656 Office 503-644-8574 Fax 503-201-0821 Mobile www.anitian.com ___________________________________
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 11:06:18 PDT