I remember when intrusion detection systems (IDS) were young. I was impressed with and evangelized the "idea" of IDS, and in theory, it seems as great now as it did then. The thought that these systems would be vigilant on the network, protecting the systems and data from assaults seemed noble. Unfortunately, the modern incarnation of these tools is far from our visions in those days.

Part of the problem is that attacks were not the same as what we experience today. New exploits come so fast that entire teams of IDS signature creators are busy fighting off the latest version of some arcane PHP weakness or another. IDS became the clearinghouse of network defense. Anti-virus signatures were added. Basic protocol analyses were developed. Anti-spyware and spam filtering were included. Before we knew it, the IDS was so bloated and difficult to manage that it began to lose efficiency. Keeping the IDS relevant became a matter of tuning and managing updates, while protocols, network applications and user mechanisms became more and more complex.

Then, intrusion detection somehow turned into intrusion prevention (IPS). There was a lot of hype and marketing for integrating IDS functions with firewalls and other security tools. But, still the situation of relevance became more difficult. Some vendors worked with ways to try and auto-tune the sensors based on vulnerability scanning and other processes. Attempts were made to move away from signatures completely, and to begin to profile "normal" network traffic and look for anomalies. All of this is very difficult and arcane at best. Little of it became the promise that we made back in the 90s -- great security with little effort.

Bottom line is that security is just plain hard work, and IDS/IPS is an immense task. There are so many threats and so many vulnerabilities that even basic security mechanisms become cumbersome. Users do so much online these days, there is much traffic and noise on the 'net that quantifying and qualifying it is a huge task. Knowing threat from normal behavior is nearly impossible.

I talked recently to several infosec groups who use IDS as a simple forensic tool. They only look at the data (I mean really look at it -- analyze it, not just report about it) when an incident is under investigation. Matter of fact, many security folks have said that they simply get so many thousands of alerts each day that they just ignore the alerts and only react when an incident occurs. More than one of these groups told me that when they do act upon IDS data, more often than not, it turns out to be a false positive or network glitch.

Now before every IDS/IPS vendor on the planet sends me an email about how they have solved this problem if I only would buy or sell their XYZ IDS/IPS product and/or service, forget about it. I'm not the one you must convince. In fact, I'm one of the guilty parties who made promises, and who let IDS technology fail. Instead, we must convince the thousands of security admins to whom we sold the IDS dream that we'll fix the problem - that we'll get the technologies to begin to live up to the promises we made when we brought IDS to the marketplace, and restore the balance of usability to the ideals that we evangelized.

ITworld.com

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine