
RE: Low cost HID based IDS system

From: Sekurity Wizard <s.wizard(at)boundariez.com>
Date: Thu May 22 2003 - 23:27:32 EDT


It's a matter of economics, and yes, a false sense of security is worse than a sense of insecurity. Your customer needs to be educated that they are NOT covered in a way an MSSP would...but then if they're that small they're probably not business-critical in terms of their systems. We need to make clear distinctions here - lest we forget that money is still short out there today. I see budgets cut constantly...and security isn't a piece of IT that can show a definite "benefit" over a defined period. You can say to your client "you could have been hacked and x, y, and z, could have happened"...but then the client will undoubtedly come back to you with..."sure, but we haven't had IDS for years...we've had problems but we've always dealt with them - so no business-ending loss"....make sure you understand the proper way to rebut that.

We keep arguing the same points over and over - and some of you folks miss the point entirely. Snort is great, and I love that it's out there - but it'll only catch what you configure it to look for...simple. You need to have an onion, folks. Firewall-->"IDS/IPS"-->network is how it should always go...at the very least. And last but certainly not least - think about this point for a second... Everything is broken down to acceptable risk - what's your client willing to accept in a cash vs. results bargain?

Cheers - it's getting late.

Wizard

-----Original Message-----
From: Dick Li (eBits Limited) [mailto:dli@ebits.com.hk]
Sent: Thursday, May 22, 2003 5:16 AM
To: Zach Forsyth
Cc: Focus-Ids
Subject: Re: Low cost HID based IDS system

Hi Zach,

As an MSSP in my city, our company serves groups of customers using open source HID (e.g. tripwire) and NIDs (snort is my favourite). (We also use commercial tools, but they are not our major sources.) I can say the "business model" definitely works. Our staff provide technical service and the clients pay the monthly bill. Many customers, those small & medium, lack the resources for either buying a "branded" IDS or dedicating IT staff to handle difficult security work. However, they are willing and capable of spending a service fee on a monthly/quarterly basis for services like the ones we provide. In a certain sense they do not much care whether the tools we use are commercial or open source. In fact, more and more customers understand the merit of using open source, not only "cheap" but quality and reliability.....

Dick Li
Consultant
eBits Limited


Paul Schmehl wrote:

> I'm a big believer in open source. I use snort, nessus, nmap, etc.

> that the cost of a service isn't *just* the equipment or software you

> I *do* have to sleep from time to time, and when I'm sleeping the bad
> guys are not.
>
> You're absolutely right that something is better than nothing. I'm
> just trying to warn you to not get your customers' hopes up too high.
> Unless you can monitor 24/7/365 you *will* miss attacks. They need to
> know that. They need to understand that the *best* model is one where
> they get 24/7/365 coverage. What you're thinking about offering them
> is *useful*, but it needs to be taken in context.
>
> I am *not* saying that what you're thinking about doing is a bad idea.

> I *am* saying that you need to be realistic regarding your and your






Received on Mon May 26 20:01:15 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT
