Re: IDS is dead, etc

From: <broyds(at)rogers.com>
Date: Thu Jun 19 2003 - 13:49:54 EDT

What I think is dead is a standalone IDS as a product to be run on client network independent of other security/networking systems on the LAN and independent of other IDS systems run at other places. Putting up a $50K IDS infrastructure on a LAN without paying 3 or 4 $50K/year experts is not useful. If your assets are only worth $100K/year to you, it is better not to waste your money.

  To mangle Bruce Schneier "IDS is not a product, IDS is a process". To properly use an IDS, one needs to correlate output with other systems, both internal to a particular enterprise network and to systems on the Internet as a whole, which is often better done by buying a service rather than a product.   I see that IDS will evolve more and more into part of the managed security field so that the detailed configuration of an IDS is done by experts who can also monitor your network and re-configure it as exploits and vulnerabilities become available, correlate your detection with others that they are monitoring and give you value added in describing options on any incident.   IDS will become the data monitoring part of security management, not a separate system on its own.

>
> From: Martin Roesch <roesch@sourcefire.com>
> Date: 2003/06/19 Thu AM 11:57:13 EDT
> To: focus-ids@securityfocus.com

---

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

---

Received on Sun Jun 22 23:15:10 2003