[Dailydave] lots of monkeys staring at a screen....security?
Gadi Evron
ge at linuxbox.org
Sat Oct 28 05:56:32 Local tim 2006
On Fri, 27 Oct 2006, liquidfish wrote:
> There is another value that IDS can afford a business which has not yet been
> discussed in this thread. I agree 100% with the previous comments on the
> worth (or lack thereof) of an IDS in catching and responding to attacks in
> progress.
>
> However, there is value in trending from the alerts of an IDS. By monitoring
> and trending what types of attacks your network sees the most of, and which
> parts of the network have the higher number of attacks, you can begin to
> understand where your focus for future security projects should be and help
> decide what types of things should be budgeted for. I will agree that in
> many cases these things should already be obvious and you shouldn't need an
> IDS to tell you them, but there are cases where many admins are surprised
> when they start paying attention and see what is really going on, as opposed
> to what they assumed was going on. Additionally, generating pretty graphs
> from IDS alert trending to present to upper management can often help them
> understand the need to budget for things you already know need to be taken
> care of. See a lot of web application attacks? Show management the numbers
> and finally get that budget set aside to send the web developers to some
> secure programming training etc.
>
> IDS can provide value; people's (more often than not, management's)
> expectations of what that value is just need to catch up with reality.
This is somewhat close to heart here now, as, for example, McAfee is the
first (among many to come) trying to re-brand IPS or other products as
save-all solutions for botnets, now a buzzword.
So, let us list what I[DP]S does right:
1. Policy enforcement.
2. Board-room budget meeting graphs and statistics generation.
3. ...?
Only place I had use for an IDS was when I ran security for the Israeli
Gov't Internet Security Operations. I cared about "everything".
That does not apply to nearly any organization out there.
Gadi.