Thursday, August 18, 2011

Expect to Hear "IDS Is Dead" (Again)

Do you remember when IDS was dead, and supposed to be replaced by "thought-leading firewalls" by 2005?

Well, that prediction died pretty quickly. However, I expect to hear it again after reading DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn:

About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's Einstein 3 effort, said Deputy Defense Secretary William Lynn.

During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped "hundreds of intrusions."

Lynn also laid blame for intrusions into military and defense industrial base networks on "foreign intelligence services," stating that they have stolen military plans, weapons system designs, source code and other intellectual property.

"This kind of cyber exploitation does not have the dramatic impact of a conventional military attack," Lynn said. "But over the long term, it has a deeply corrosive effect. It blunts our edge in military technology and saps our competitiveness in the global economy."

Foreign intruders have extracted terabytes of data from defense companies, he added.


This sort of story is likely to lead to the same arguments I heard eight years ago regarding "Intrusion Detection Systems" vs "Intrusion Prevention Systems," namely:

If you can detect it, why can't you prevent it?

This is a broad topic, so rather than try to answer everything here and now, I'll likely work on it over the coming weeks in individual posts.

7 comments:

Raj said...

Looking forward to see for upcoming posts, though i support IDS's / IPS's in every manner as it could be!!

May come up with good arguments.. indeed! :)

The Ubiquitous Mr. Lovegroove said...

I have a problem with "'hundreds' of intrusions". Notably, what is intrusion.

At any given time a box with ssh on will be under attack from at least 1 brute-force root attack every hour.
Almost any probing like portscan, Nikto scan, nessus scan, skipfish, SQL injection bots etc. can be considered an intrusion. I consider this to be simply annoying noise on the line.

I am interested in detecting the "real" intrusions.

Any suggestions for better naming?

Alex said...

Couple of thoughts on that. The 100's of intrusions that Lynn talks about are probably from millions of alerts and 1000's of false positives. If inline IPS is enforced, those false positive's could be angry phone calls to Desktop support. We need to consider the validity of a 3rd party signature as well as our IDS's interpretation of the signature before turning on IPS.

Martin Roesch said...

So they have a sig sharing group and they're catching (preventing!) things with the sigs their writing? Where's the news here?

How are they doing against the stuff they don't have signatures for?

Matt said...

Been doing IDS for 8 years. Can count on zero fingers how many intrusions it has detected. True, it has been useful for NSM related activities (mostly packet capture), and for detecting policy violations, but I still struggle with the value proposition. Now we have IPS with the firewall. Do we try to take advantage of that, or have separate IDS. So, I'm looking forward to your thoughts. I don't have an unlimited budget, and to senior management IPS = IDS+1. In many respects, I believe that is a reasonable expectation. "What, you expect us to buy BOTH?". Now I'm throwing "infection detection" solutions in their face (e.g. Damballa, FireEye). I don't understand the distinctions we make about what these solutions do, or ought to do.

z said...

Is it not an axiom in infosec that prevention eventually fails? After all, info sec boils down to one thing: risk management. Not risk elimination. If risk could be reduced to 0%, there would be no need for the prevention / detection / response countermeasure triad. We would only have prevention.

Detection is not part of incident prevention - it is part of incident response. Detection's real value comes in when prevention fails. The bad guys are looking for the chinks in your armor - that's where detection comes in. That's the hacker mindset - tinkering with things in unforeseen and unpredictable ways. That's what infosec professionals do - we are looking for how those vulnerabilities can be used against us.

In monitoring events you are also validating the effectiveness of preventative countermeasures. You're not just looking for attacks, you're looking at your own performance too. Best case scenario, your detection validates that your preventative measures are working. Because if you aren't performing detection, how would you know? How do you know your firewall is dropping the right traffic? Do you validate that your tools are behaving as expected? Unexpected behavior is the cornerstone of exploitation.

The whole argument against detection is just whistling through the graveyard. If you want feel-good infosec, get a snuggie. There's no such thing as an information security blanket.

Richard Bejtlich said...

"Is it not an axiom in infosec that prevention eventually fails?"

Yes, I invented it, in writing, in 2004. :)