Intrusion Detection is a function, a process, it is not a product

Richard from Taosecurity (here) and Ptacek from Matasano (here) are apparently blog-debating the value of IDS, a discussion that spawned from the daily dave list. I normally do not get into the middle of a debate, but I was a little surprised we are discussing the advantages/disadvantages of IDS in 2006. So I am tossing in my 21 pesos.

An IDS is like a home burglar alarm with 3 major differences. 1. It does not scare the intruder away, 2. It is plagued by false-positives and 3. It doesn’t call the police who can stop the intruder from stealing my stuff. Basically is neither deters or stops an intrusion, it rarely (if ever) is timely enough to prevent the theft of data, and the signal/noise ratio is way too high. Can you imagine if your home burglar alarm went off every time the neighborhood kids walked into your yard to pick some apples or a bird landed on your window or a cat walked on your roof?

The reality is that IDS has not lived up to the expectations. I think most will agree that IDS suffers from the following issues; false-positives, false-negatives, difficult to manage in large enterprise, blind to encrypted traffic, dependent on deployment techniques – especially in highly segmented/VLAN’d environments, susceptible to evasion, susceptible to DoS attacks, high signal/noise ratio, no environmental context, dropped packets due to inability to run at true wire-speeds, exploit facing IDS requiring constant signature updates and/or reconfiguration (note: behavioral/anomaly detection methods have proven less than adequate on their own), they offer limited, if any, value without an effective incident response program – that is they require process to be effective, etc.

One major issue with IDS is false-positives, they have no context about the elements they are protecting and so they alert on any attack regardless of whether or not it would be/is successful. If a Solaris attack is launched against a BSD box the IDS jumps up and down and screams bloody murder – but the attack would not be successful. Being awoken at 3 in the morning to a non-event is pretty distracting and inefficient way to handle network security. This signal/noise issue spawned an entire industry in SIEM btw. Some argue that they want to see this data to perhaps prepare themselves for some impending attack; the argument goes that they can somehow determine that a successful attack is coming if they see a series of port scans or something. The problem is these “non-events” happen far too frequently to be meaningful – networks are under constant attack, probing, poking, rattling, shaking, and inspection, most of this results in non-events though. Some have tried to address the false-positive issues through integrating end-point intelligence with the IDS. This is done either pre-incident, that is end-point intelligence is used to dynamically reconfigure security defenses, or post-incident, that is end-point data is used to drive more intelligent reporting. nCircle would forward VA data to their IDS and the IDS would dynamically reconfigure what it was looking for based on this context – it was a “target aware IDS”. Sourcefire does this through RNA and there are others as well.  This limits the false-positive problem, but the other issues still remain, and this is all so 2003 anyway…it does hold promise in driving more effectiveness of security defenses in general, but only as much as the organizational process for tuning and maintaining the various components allows…

IDS is good at detecting known bad-stuff (just like AV is good at detecting known viruses) that is it can tell you that there is blaster-worm traffic on your network for example, and in some cases it is OK at detecting known good stuff. If you see known bad stuff on your network, regardless of the environmental variables, it should be dropped so the market moved these passive IDS devices in-line and IPS was born to automatically drop the known bad stuff.  The problem is that most traffic is grey (here come all the posts about white-listing) and most, if not all, only use IPS to block known-bad stuff and log the other stuff. There are organizations that have experienced a worm outbreak, network being consumed and the ability to identify and resolve all the infected end-points a logistical nightmare – they drop in an IPS, kill the offending worm traffic and can get on with their lives and their business. So if I was looking at an IDS or IPS which would I deploy?

Some argue that they use IDS for forensics, that is they capture the data for the purpose of understanding, post-incident, what occurred and how. OK, I will admit that IDS may have some limited capabilities here, but most are also fighting constrained security budgets, and significant resource limitations. The value of IDS for forensics is determined by the sophistication of the organization performing the analysis, the resources that can be dedicated to the analysis, and the drivers for the analysis. Again, process trumps technology here, no process and the technology capabilities do not matter.

So where am I going with all this?

First and foremost organizations really need to do more to improve their security before an incident occurs, not just focus on reacting to them. Second, I like to make the blanket statement that applies to most security technologies, technology usually fails in an organization as a result of poor process, inadequate planning, and mismanaged expectations, not because the technology itself is flawed. However in the case of IDS it suffers from significant technology challenges that are not overcome by process alone. IDS is not a product, it is a process or function within the organization that requires multiple technologies, cooperation between different groups, (such as security and network operations, desktop/server support) and a clear understanding of the organizations internal security posture, the external threat environment and the importance to the business of the assets being protected.

Gone are the days of drop in a box and let it run, without process and cooperation, workflow and integration with other management systems, continuous updating and tuning, most technology will struggle, fail or die.


6 thoughts on “Intrusion Detection is a function, a process, it is not a product

  1. I changed the title to Intrusion detection from IDS, so that someone doesn’t have to post to tell me that’s what I really meant – just being proactive.

  2. Pingback: The Units of Risk and Learning how to Measure Them! at

  3. Amrit:

    Heartily agree. IMHO sigs were once great for catching kids seeking fame. Today’s threats are motivated by profit (versus famne) and have become much more sophisticated. That suggests more and more operational burdens shifting to security teams.

  4. Pingback: .:Computer Defense:. » Agnitum provides “research” into Vista Firewall.

  5. Pingback: Around the Security Blogosphere in 30 seconds! « Observations of a digitally enlightened mind

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s