Archive: June 2003 ml@sikurezza.org
Subject: Gartner analysis on the future of IDS
From: Carmelo Floridia
Date: 20 Jun 2003 12:02:54 -0000

Here is what Gartner's crystal ball sees :-)

- the FW, broadly speaking, lets port 80 through
- I trust the hardening done on my servers
- I deploy IDSs that tell me there is a danger (and who looks at the
alerts?)
- I deploy IPSs that block known attacks (and the unknown ones?)
- do I use an application firewall?

I leave the hard verdict to Gartner!!

---------------------------------------------
SPECIAL SECTION: IS IDS DEAD?
 --Gartner IDS Report Evokes Strong Response
(11/13 June 2003)
A recent Gartner report calls intrusion detection systems (IDS) "a
market failure" and recommends that IT managers instead focus their
spending on firewalls.  Gartner maintains that IDS will be obsolete by
2005 due to their expense and lack of effectiveness.  Cited problems
with IDS include false positives and negatives and the need for
full-time monitoring.  Vendors disagree with the report's assertions.
http://www.eweek.com/print_article/0,3668,a=43256,00.asp
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=10300918
http://www3.gartner.com/5_about/press_releases/pr11june2003c.jsp
Several NewsBites editors certainly took exception, so we set aside a
special section for this discussion:

(Grefer): Distributed IDS with all their sensors can provide a wealth
of information not readily available from the intrusion prevention
systems he is touting.  The audit function of an IDS should not be
eliminated from an information security in depth strategy without
spending considerable thought on the ramifications of such a decision.

(Schultz): The Gartner Group has done it again--made yet another wild
prediction from its "ivy tower" in the complete absence of hands-on
experience or having to live with the consequences of its prescriptions.
Part of what Gartner has said, namely that intrusion detection involves
a high financial cost, is true, but writing off intrusion detection
altogether, as Gartner has done, is completely irresponsible.
 
(Ranum): In private communications with Stiennon (the Gartner analyst),
he offered the shocking fact that - for all that they are hyping IPS -
the team at Gartner "doesn't know anyone who is using an IPS in inline
mode."  That runs utterly contrary to the perception they are trying to
create that IPS is the "wave of the future."  It just shows that P.T.
Barnum underestimated severely when he made his famous assessment of
Gartner's customer base. "There's a Gartner Customer born every minute."

(Northcutt): HYPE ALERT, they aren't actually saying ditch IDS, they
are really saying use a firewall with IDS capability instead, the so
called intrusion protection approach.  This is an ancient discussion;
is an all in one plastic stereo like the one you had in your college
dorm room better than a carefully selected set of devices.  It comes
down to the level of investment an organization wants to make, is the
increase in quality worth the price from an organization's perspective?
Since well over 50% of most organizations' value is intellectual
property, the answer is probably a resounding yes; it is worth having
monitoring systems and people trained to analyze what they detect.  An
intrusion detection system with trained analysts provides a means of
seeing the attacks and adjusting your defenses. IPS does not.

Here's what other smart people say about the value of IDS:
Arrigo Trizulli - Phd. & IDS Designer, Geneva 
The reason IDS has been ineffective is that it has been badly deployed
and nobody bothered to train the analysts.  An initial, guaranteed, road
to failure in any security model is to deploy monitoring systems and
then never look at the screens.  Then you can complete the failure by
mis-configuring the monitoring systems:  CCTV cameras pointing at the
sky have rarely caught burglars coming through the front door.

Jamie French IDS Analyst, Ottawa
Winn Schwartau's concept of time based security is key here.  You need
the ability to detect malicious network activity.  Until you detect,
you can't prevent or react!

Ben Bower Lead Author Windows 2000 Professional - The Gold Standard,
Canberra
Prevention is nice, Detection is a must. Until prevention is 100% we
will always require detection. Detection is the last line of defense
that many organizations possess.

Mark Cooper - Author Intrusion Signatures and Analysis 3rd edition.
Manchester UK
IDS systems are the (NSA/CIA/FBI/MI5/whatever) of the IT world. They
give you a real-time picture of who's trying to do what to your
business, so you can head the bad guys off at the pass.


________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List



