Discussion on LinkedIn Group: What is the best IDS system?

That was the question recently asked by a fellow security professional on the LinkedIn Security Leaders Group.

I’m not usually very excited about posting on LinkedIn Discussion Groups. On top of that, I don’t even have the time to blog anything on my own site. However, I could not resist writing a comment on that discussion about what the best IDS system is. Not when I read the following comment:

Actually the idea of an IDS system has been obsolete for a few years now. Given the latest events in the security area, there are plenty of traffic anomalies far more advanced than relatively-simple signatures out there to deal with.

The best approach nowadays is the IPS (Intrusion Prevention Systems) which would not only detect and inform IT management of the attack events but will also apply the necessary countermeasures to them. Most important of all, this must happen at wire-speed with ASIC-based systems.

Ok, I understand that IPS vendors and resellers have the right to claim what they want, but saying that “the idea of an IDS system has been obsolete for a few years now” is simply too much for me.

Just in case you are not registered with LinkedIn, the following is the comment I’ve just added to that discussion:

I respect everyone’s comments and views, but obviously some of the above are clearly biased. It’s not the first time we hear comments like “actually the idea of an IDS system has been obsolete for a few years now”.

Back in 2003, Gartner analyst Richard Stiennon stated, “IDSs have failed to provide value relative to its costs and will be obsolete by 2005”. Well, although I understand that claim (keep reading), many security analysts will tell you that IDS is very much alive and recent findings like those covered in the “Verizon Business 2008 Data Breach Investigations Report” support this (see http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report).

First thing to know is that IPS and IDS are different things and that they fit in different layers of the Defense In-Depth strategy and in different phases of the well known Assessment-Prevention-Detection-Reaction loop. IPS devices are meant for intrusion prevention and always run “inline”, very much like firewalls, whilst IDSs (whether network or host based) are passive solutions obviously designed for intrusion detection. Both technologies are complementary and should be part of a holistic security strategy. In many scenarios you will not be able to prevent and stop all attacks with a 100% accuracy. Thus, when prevention fails, what else is left? Detection and then reaction.

However, an IDS is not that different to an IPS from a technology point of view. Take Snort as an example, which is the most widely deployed intrusion detection solution in the world and actively used by large organisations like DARPA, GSA, NIST, NSA as well as the US Armed Forces. Get Snort running in inline-mode with active-response enabled and you have an IPS. Same product but different configuration sitting in a different place on your network. So take an IDS, put it inline and get a third party to manage it and there you have your IPS. Now you understand why most vendors will tell you that IDS is dead.

However, I can understand why many people still claim that IDS is dead. Many fail to understand that an IDS is not a “Plug and Play” device. The state of the art of IDS has not yet evolved to a point where they can be plugged and work accurately right out of the box, and it won’t be for a while. It is imperative to have a trained and competent analyst (or team of analysts) tuning, updating, examining and investigating the output from the IDS. Do you have the resources to do that? Well, that should be part of the cost analysis of implementing any IDS/IPS solution. Now, with many IPS devices a big chunk of that work can be externalised to a third party, namely Managed Security Services Providers (MSSP).

As far as what solution is right for your site, it is a decision that depends on your site configuration, your team skills, your network bandwidth, your budget, organisation’s risk appetite, just to name a few. I would suggest combining both IPS and IDS solutions, implementing them in different parts of your network as part of a comprehensive Defense in Depth strategy.

Finally, I recommend you have a look at open-source solutions like Snort, Bro (not all IDS are signature-based only) or even more advanced NSM solutions like Sguil (I really like this one), Hex, etc… See if you have the necessary skills and resources to implement and maintain them, as it won’t be easy. Otherwise hire a specialist to help you out with the implementation if you decide to go down that route.

As for commercial IPS solutions, I have very good feedback on Juniper devices. Also check with your firewall vendor, as integrating firewall and IPS management under the same console makes sense.

Feel free to flame me if I’m wrong.
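The point made in the comment above, that the same Snort engine serves as IDS or IPS depending on configuration and placement, also shows at the rule level: a rule that only alerts on a passive sensor is promoted to `drop`, the action an inline Snort uses to block. The script below is an added example, not part of the original post or comment; the rules, SIDs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: promote individually tuned Snort rules from "alert"
# (detect only) to "drop" (block when the sensor runs inline).
# All rules and SIDs below are constructed sample data.

# Constructed ruleset in Snort rule syntax: two active rules, one disabled.
sample_rules() {
cat <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE traversal attempt"; content:"../"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH banner seen"; content:"SSH-"; sid:1000002; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE disabled rule"; sid:1000003; rev:1;)
EOF
}

# promote_to_drop "SID SID ...": read rules on stdin and rewrite the action of
# the listed SIDs from alert to drop. Every other line, including disabled
# (commented-out) rules, passes through unchanged, so only rules an analyst
# has already tuned in detection mode start blocking traffic.
promote_to_drop() {
    awk -v sids="$1" '
        BEGIN { n = split(sids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^alert[ \t]/ {
            if (match($0, /sid:[ ]*[0-9]+;/)) {
                sid = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", sid)
                if (sid in want) sub(/^alert/, "drop")
            }
        }
        { print }
    '
}

# count_action ACTION: count active rules on stdin that use the given action.
count_action() {
    awk -v a="$1" '$1 == a { n++ } END { print n + 0 }'
}

# Demo: only SID 1000001 has been tuned well enough to block on.
sample_rules | promote_to_drop "1000001"
```

Keeping the promotion list explicit ties the blocking decision to the analyst tuning the comment calls for: a rule that still produces false positives stays on `alert`.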

Published by

Ismael Valenzuela

Global Director, Foundstone Consulting Services at Intel Security, GSE #132 & SANS Instructor for Digital Forensics & Cyberdefense tracks

4 thoughts on “Discussion on LinkedIn Group: What is the best IDS system?”

  1. You are absolutely right. And this “IDS is dead” argument is actually what has been obsolete for the past few years. If it weren’t the case, we wouldn’t be seeing the growth we are (in my case, an IDS/VA solution provider). It all comes down to what you already describe – the customer’s needs.

  2. Nice post Ismael. In my area, online Credit Card payments, IDS can be obligated by a security auditor. Some say you will need it, some say host based intrusion detection is enough.
    I believe that if you use it, you should watch it 24/7 365. Otherwise it’s a waste of money/time. In that aspect I would suggest a MSSP like BT INS with the http://bt.counterpane.com/ Counterpane solution. Or having your own team of tech support watching. But they need to be trained properly.

  3. Interesting post. Actually, I tend to coincide with both views.
    On the one hand I believe that IDSs as they are today are obsolete and will not be useful to cope with the needs of the next wave of highly distributed systems.
    On the other hand, I also believe that the concept will always be valid, as we must assume that we can not build perfectly secure systems. But the new IDSs will have to evolve a lot in order to adapt to the future computing models. In particular, I believe that the way to go is to create micro-IDSs. These IDSs (call them transparency and monitoring capabilities if you want) will have to be integrated in every security-relevant component of the system and they will have to interoperate with the IDSs of other components. The reason for this approach is to maintain the right degree of trust in every component. Transparency in this context means that components expose some of the monitoring results to the rest of the system. In this way an application based for instance on web services can establish a general IDS based on the components’ exposed information.

    Best regards and btw happy 2009 to all,
