Expect to Hear "IDS Is Dead" (Again)

Do you remember when IDS was dead, and supposed to be replaced by "thought-leading firewalls" by 2005?

Well, that prediction died pretty quickly. However, I expect to hear it again after reading DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn:

About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's Einstein 3 effort, said Deputy Defense Secretary William Lynn.

During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped "hundreds of intrusions."

Lynn also laid blame for intrusions into military and defense industrial base networks on "foreign intelligence services," stating that they have stolen military plans, weapons system designs, source code and other intellectual property.

"This kind of cyber exploitation does not have the dramatic impact of a conventional military attack," Lynn said. "But over the long term, it has a deeply corrosive effect. It blunts our edge in military technology and saps our competitiveness in the global economy."

Foreign intruders have extracted terabytes of data from defense companies, he added.

This sort of story is likely to lead to the same arguments I heard eight years ago regarding "Intrusion Detection Systems" vs "Intrusion Prevention Systems," namely:

If you can detect it, why can't you prevent it?

This is a broad topic, so rather than try to answer everything here and now, I'll likely work on it over the coming weeks in individual posts.

Comments

Raj said…
Looking forward to see for upcoming posts, though i support IDS's / IPS's in every manner as it could be!!

May come up with good arguments.. indeed! :)
3:25 AM
The Ubiquitous Mr. Lovegroove said…
I have a problem with "'hundreds' of intrusions". Notably, what is intrusion.

At any given time a box with ssh on will be under attack from at least 1 brute-force root attack every hour.
Almost any probing like portscan, Nikto scan, nessus scan, skipfish, SQL injection bots etc. can be considered an intrusion. I consider this to be simply annoying noise on the line.

I am interested in detecting the "real" intrusions.

Any suggestions for better naming?
6:54 AM
Alex said…
Couple of thoughts on that. The 100's of intrusions that Lynn talks about are probably from millions of alerts and 1000's of false positives. If inline IPS is enforced, those false positive's could be angry phone calls to Desktop support. We need to consider the validity of a 3rd party signature as well as our IDS's interpretation of the signature before turning on IPS.
9:17 AM
Martin Roesch said…
So they have a sig sharing group and they're catching (preventing!) things with the sigs their writing? Where's the news here?

How are they doing against the stuff they don't have signatures for?
10:49 AM
Matt said…
Been doing IDS for 8 years. Can count on zero fingers how many intrusions it has detected. True, it has been useful for NSM related activities (mostly packet capture), and for detecting policy violations, but I still struggle with the value proposition. Now we have IPS with the firewall. Do we try to take advantage of that, or have separate IDS. So, I'm looking forward to your thoughts. I don't have an unlimited budget, and to senior management IPS = IDS+1. In many respects, I believe that is a reasonable expectation. "What, you expect us to buy BOTH?". Now I'm throwing "infection detection" solutions in their face (e.g. Damballa, FireEye). I don't understand the distinctions we make about what these solutions do, or ought to do.
11:05 AM
z said…
Is it not an axiom in infosec that prevention eventually fails? After all, info sec boils down to one thing: risk management. Not risk elimination. If risk could be reduced to 0%, there would be no need for the prevention / detection / response countermeasure triad. We would only have prevention.

Detection is not part of incident prevention - it is part of incident response. Detection's real value comes in when prevention fails. The bad guys are looking for the chinks in your armor - that's where detection comes in. That's the hacker mindset - tinkering with things in unforeseen and unpredictable ways. That's what infosec professionals do - we are looking for how those vulnerabilities can be used against us.

In monitoring events you are also validating the effectiveness of preventative countermeasures. You're not just looking for attacks, you're looking at your own performance too. Best case scenario, your detection validates that your preventative measures are working. Because if you aren't performing detection, how would you know? How do you know your firewall is dropping the right traffic? Do you validate that your tools are behaving as expected? Unexpected behavior is the cornerstone of exploitation.

The whole argument against detection is just whistling through the graveyard. If you want feel-good infosec, get a snuggie. There's no such thing as an information security blanket.
2:41 PM
Richard Bejtlich said…
"Is it not an axiom in infosec that prevention eventually fails?"

Yes, I invented it, in writing, in 2004. :)
7:23 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more