Intrusion-detection systems vendors are angrily responding to the recent claim by Gartner that IDS is pretty much a waste and enterprise customers should spend their money on better things, such as firewalls.
Gartner says IDS "doesn't add an additional layer of security promised by vendors" and in fact imposes problems on IT organizations by generating "false positives and negatives" and adding an increased burden "by requiring full-time monitoring."
Gartner analyst Richard Stiennon is counseling customers to forget IDS and buy firewalls that are gaining increased functionality in content inspection and blocking malicious traffic as well as supporting anti-virus.
Those remarks set off alarms at the IDS vendors, which clearly sensed an incoming threat. Read what Martin Roesch, Founder & CTO of Sourcefire, and Chris Hovis, VP of Marketing and Business Development at Lancope, say. What do you think? Let me know at emessmer@nww.com, or join our Gartner and IDS forum to discuss.
IDS dead? ... Not So Fast!
By Martin Roesch, Founder & CTO, Sourcefire
In a recent report, Gartner stated that companies should completely abandon their network security audit initiatives (IDS) and instead focus only on the access control function (firewalls). While I certainly appreciate the importance of effective access control, I find the logic behind their conclusions significantly flawed and their recommendations incomprehensible.
They actually believe that better access control will completely remove the need for auditing? Auditing is a fundamental part of providing defense in depth in any security environment. Let's face it, the Pentagon is pretty secure but they still deploy video cameras everywhere.
Perhaps Gartner really believes that layers of more intelligent firewalls will be able to defeat every attack against a network and never be wrong. Unfortunately, the reality is that even the best access control technology will never provide complete protection in a world where new vulnerabilities and new exploits are introduced every day.
To be fair, Gartner's concerns with IDS have some basis in fact - intrusion detection systems generate false positives, the amounts of data they produce can be prodigious and they require skilled operators in order for them to be truly effective. Undoubtedly, IDS must continue to evolve in order to fully realize its potential.
Fortunately, the industry is responding to these concerns and intrusion detection is improving dramatically. In fact, recently announced advances address the Gartner issues directly. Once fully realized, inherent false positives will be eliminated, threat alerts will be limited to those necessitating action, and the burden of tuning and administration will be largely addressed through automated processes. I predict these innovations herald a renaissance for intrusion detection, not its demise.
In my opinion, the Gartner report not only harms an industry dedicated to protecting computer networks, it also has the potential to harm those with insufficient technical grounding to understand why their conclusions are so clearly wrong.
Gartner's position contradictory
By Chris Hovis, VP of Marketing and Business Development, Lancope
Lancope agrees with Gartner's statements that traditional IDS systems generate false positive overload, are unable to detect unknown threats, are challenged in operating in high-speed environments and are difficult in the continuous management of signature-based solutions.
However, Gartner's statement about redirecting IDS dollars toward firewalls is contradictory to their own recent statements and overlooks the performance challenges associated with application-layer firewalls as well as the impracticality of deploying firewalls throughout the internal network.
For example, Gartner's December 2002 report stated that "firewalls cannot defend against data attacks, social engineering, malicious insiders and many denial-of-service attacks. Also, the firewall inspects the headers but not the contents of the data packets. For examining the contents, other products would be needed."
Gartner obviously fails to see the value created by a new breed of IDS systems that integrate behavior-based threat detection, policy enforcement and network intelligence. It is Lancope's opinion that IDS systems will evolve into next generation solutions, like StealthWatch, that serve as a critical layer of the defense-in-depth strategy and offer an integrated approach to securing and managing the network and its assets.
Obviously this is a high stakes game for all parties involved. But fear not - IDS is not dead and it will not solve all security problems any more than firewalls will. Rational positions by knowledgeable people resolve such issues, but the media attention to outrageous positions sure sells newspapers.
Posted by: Fred Cohen on June 16, 2003 06:13 PM
I think Gartner is accurate in their statements, that IDS is dead. In my opinion, I am trusting that they did not complete their thoughts and discuss how companies like Netscreen Technologies are changing the playing field with Intrusion Detection and Prevention products. And the vision of Netscreen to integrate IDP and FW/VPN all into one device.
To provide true security, we need to be able to restrict access to authorized users only, but no firewall is capable of addressing all of the security risks out there to date. At least not until IDP is integrated into firewall devices. Even then, the signature base will be limited and will require external protection.
It is like securing your car. You can add an alarm, a club, OnStar, etc. to your car, but nothing is completely secure from the truly "talented" thief. It is all about providing different layers of security. Nothing is 100% but it can all help.
It seems to me that the models of physical security and military tactics/strategy will continue to predicate models of cyber security. As regards IDS, the analogy in the physical world is the surveillance camera. Regardless of physical protection (locked doors, access tokens, biometrics, etc.,) I sincerely doubt that anyone who is bent on securing their premises will say, "Video surveillance is obsolete because no one can get in the door..." Anyone, that is, except Gartner...
Posted by: N.R. Kist on June 17, 2003 09:46 AM
I am concerned by these "visionaries" in the industry. Gartner and others are forgetting the most basic principle of security: there is no silver bullet... we all know a layered, often multivendor approach just makes sense. I feel like firewalls will try to incorporate these features and overcome the challenges that they have in the future... it's a great idea. Will that be the only way to go in 2003... dream on Gartner. But will we implement a 50K Netscreen box on every network segment in the network? My CFO will answer that one for you. I fear our industry is paralleling the financial industry where the investment "advisors" have led people towards sensationalistic investments instead of using their heads and investing in real companies with real products. Hey c'mon dogfood.com was a great idea... lmfao. I'm sticking with a layered approach and taking my email off of Gartner's dist list. Good luck out there.
Posted by: Security Focus on June 17, 2003 09:56 AM
Gartner’s report doesn’t address the fact that to mitigate malicious attacks, organizations are also now deploying a multi-tiered network defense strategy comprised of a variety of additional network security components layered at the perimeter and to internal network machines and devices.
Such network security components include antivirus, firewall, scanners, and network and host based intrusion detection systems (IDS), and intrusion prevention systems (IPS).
Each of these systems is based on specific signatures, rules, or anomalies of each attack and their variants, and does not identify and remediate the specific network vulnerabilities the attack is targeting. So each attack, and its variants, must be identified and analyzed, a signature prepared, then finally deployed to each point product on each customer’s network.
This process is uncoordinated among multiple disparate systems, and creates an ever-increasing number of signatures producing more and more attack alerts requiring immediate attention – many of which are erroneous or benign.
Specifically, conventional IDS/IPS may be able to identify malicious code by CVE ID or other identifier, and targeted machines by IP address, but they generally do not have the intelligence to determine if any of the machines on the network are susceptible to that attack, or with finer granularity, if any machine has a specific vulnerability to that specific attack, or if the targeted vulnerability has already been patched.
For example, if the malicious code has been written as a Windows based attack targeting a Windows vulnerability, is the Destination IP actually running Windows, or a UNIX variant? And, if Windows, is it vulnerable to the attack, or has it already been patched? IDS do not have the intelligence to answer these questions, and incident alerts are generated indiscriminately. Lastly, even if the targeted machine is vulnerable - it remains unremediated – an IDS does not have the capability to remediate it.
Further compounding the burden on administrators, best practice and government compliance directives now require higher standards of network security and integrity to protect consumer privacy, and they must be documented with change tracking and audit trail reports.
Therefore, it is increasingly difficult and costly to effectively mitigate new threats and manage numerous systems — particularly in an environment of rising security standards and policy compliance requirements.
Thus, there is a need to integrate systems, share information intelligently to better defend against blended threats, reduce management and cost requirements, and automate IDS/IPS configuration and tuning, and vulnerability identification and remediation functionalities.
There is new technology for IDS/IPS to minimize false positives — the first technology to meet market requirements. A standard distribution of Snort is integrated with the Anti-Vulnerability platform via the Anti-Vulnerability SDK.
Posted by: Brett Oliphant, CTO, SecurityProfiling, Inc on June 17, 2003 03:37 PM
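The gap described in the comment above (an IDS raises an alert by CVE ID and destination IP but cannot tell whether that host runs the targeted OS or is already patched) can be closed by correlating each alert with an asset inventory before it reaches an analyst. The following is an added example written for this page; it is not code from the original post, from Snort, or from any vendor named here. The `Host`/`Alert` records, the triage dispositions, and every IP address and CVE ID are constructed placeholders.

```python
"""Vulnerability-aware triage of IDS alerts.

Added example, not code from the original page or from any vendor
named there. A signature-based IDS emits an alert keyed by a CVE ID
and a destination IP; correlating it with an asset inventory tells the
defender whether the target is really exposed. Every host, alert and
CVE value below is constructed sample data, not a real identifier.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os_family: str                      # "windows", "linux", ...
    patched_cves: set = field(default_factory=set)


@dataclass
class Alert:
    signature: str                      # IDS rule name
    cve: str                            # CVE the rule references
    target_os: str                      # OS family the exploit is written for
    dst_ip: str                         # destination host of the suspicious traffic


# Dispositions, most urgent first: the first two still need an analyst,
# the last two are the "erroneous or benign" alerts the comment describes.
ORDER = ["actionable", "unknown-host", "patched", "wrong-os"]


def triage(alert: Alert, inventory: dict) -> str:
    """Classify one alert against the inventory of the destination host."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        # No inventory record: the alert cannot be ruled out, keep it visible.
        return "unknown-host"
    if host.os_family != alert.target_os:
        # Exploit is written for another OS; the target cannot be affected.
        return "wrong-os"
    if alert.cve in host.patched_cves:
        # Vulnerability already remediated on this host.
        return "patched"
    return "actionable"


def triage_all(alerts, inventory):
    """Bucket alerts by disposition so only the urgent ones page an analyst."""
    buckets = {d: [] for d in ORDER}
    for a in alerts:
        buckets[triage(a, inventory)].append(a)
    return buckets


def suppression_ratio(buckets):
    """Fraction of alerts that inventory correlation let us silence."""
    total = sum(len(v) for v in buckets.values())
    quiet = len(buckets["patched"]) + len(buckets["wrong-os"])
    return quiet / total if total else 0.0


# Constructed asset inventory (placeholder IPs and a placeholder CVE ID).
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "windows", {"CVE-0000-0001"}),
    "10.0.0.7": Host("10.0.0.7", "linux"),
    "10.0.0.9": Host("10.0.0.9", "windows"),
}

# Constructed alerts: the same Windows-targeting rule fired four times.
SAMPLE_ALERTS = [
    Alert("EXPLOIT windows-service overflow", "CVE-0000-0001", "windows", "10.0.0.5"),
    Alert("EXPLOIT windows-service overflow", "CVE-0000-0001", "windows", "10.0.0.7"),
    Alert("EXPLOIT windows-service overflow", "CVE-0000-0001", "windows", "10.0.0.9"),
    Alert("EXPLOIT windows-service overflow", "CVE-0000-0001", "windows", "10.0.0.42"),
]

if __name__ == "__main__":
    buckets = triage_all(SAMPLE_ALERTS, INVENTORY)
    for disposition in ORDER:
        for a in buckets[disposition]:
            print(f"{disposition:13} {a.dst_ip:10} {a.signature}")
    print(f"suppressed by inventory correlation: {suppression_ratio(buckets):.0%}")
```

Of the four constructed alerts only the one against 10.0.0.9 is actionable; the patched host and the Linux host are silenced, and the host missing from inventory stays visible because an empty inventory record is a gap in the defender's knowledge, not evidence that the target is safe. The inventory itself is the weak point of this approach: it is only as good as the scanner or CMDB feeding it, so stale patch data turns a suppressed alert into a missed intrusion.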
Gartner is right if all your eggs are in the IDS basket. Relying on IDS only is akin to relying ONLY on antivirus software to protect your workstation or relying ONLY on patches to protect your server. IDS plays an important part in baselining your network and identifying intrusion attempts. Even more, a well designed IDS can profile the intrusion or compromise and add information to key evidence in the case an intrusion has occurred. You can also use a well designed IDS to "track" the activities during an event.
Someone else commented that IDS is only one of the several layers of defense. You may have the best battleship in the fleet, but radar still gives you the edge.
Posted by: Sean M. Lynch on June 20, 2003 12:19 PM