Friday, May 16, 2008

Snort Report 15 Posted

My 15th Snort Report, titled Justifying Snort, has been posted. I really like this one. The staff (Crystal Ferraro) at SearchSecurity did a great job editing my original submission, cutting the text but enhancing it too. Prospective book authors should judge their publishers by the quality of their editing and copyediting/proofreading staffs. From the article:

Service provider takeaway: Service providers will learn how to communicate the value of Snort to customers.

There's a good chance that as a value-added reseller (VAR) or security service provider, you believe Snort and similar tools are valuable. However, there are plenty of technical folks who believe Snort is a waste of time. The goal of this Snort Report is to help you communicate the value of Snort to those customers whose IT departments are resistant to the open source tool. Although I focus on the value of Snort, you can apply this approach to any similar product.

IDS vs. IPS

I believe the majority of objections to the value of Snort stem from the fact that it's called an intrusion detection system (IDS). Looking closely at that label, we should assume that an IDS is a "system" that "detects" "intrusions." The ultimate IDS would be 100% accurate in its ability to perform that role. A simple question flows naturally from the perception that an IDS is supposed to detect intrusions: "If you can detect intrusions, why can't you prevent them?" At first glance this question makes sense. We should prevent activity that has been 100% identified as being an intrusion.


For more, please read the article. It will take five minutes or less. Debate here is welcome.

2 comments:

firewalz said...

Are there any good Snort books someone could recommend? The ones I have come across are either dated or have bad reviews.

chalco said...

I agree with the article, and NSM in general.

My disconnect is that I operate in smaller environments that don't have, or couldn't fund, security teams, or even one security person. At work (small organization, around 300 users) we have an IPS and other security measures. I believe that what is in place is adequate.

Of course, more is always better, and I would like to implement NSM. I can't see my boss going for the idea though. I have mentioned NSM to him in the past, and he feels it is overkill. Maybe I didn't explain well enough, or perhaps he is right. Maybe I am just ranting. :)

In any case, it is hard to apply NSM to a smaller organization that is well served by current security measures and/or lacks resources. Perhaps NSM wasn't meant for those organizations.