[Discussion] Why IDS sucks
Andre Ludwig
aludwig at packetspy.com
Thu Oct 16 19:40:10 UTC 2008
So let's take a look at why IDS in its current form sucks.
1. Signature matching has its use but cannot be an end-all for
detection of attacks. (easy to bypass, layer 7 hurts, encryption hurts
matching, etc.)
   a. Signatures infer that you know what the attack looks like;
   this doesn't help much.
   b. Signatures can change over time; they require lots of
   administrative overhead and testing before, during, and even after use.
2. Performance and wire speed are always going to be an issue (as it is
a safe assumption that they will continue to increase over time); this
becomes a problem with inline (IPS).
3. Inability of vendors/producers of IDS technology to keep ahead of
the curve (be it signature awareness, or be it protocol parsers, etc)
4. Anomaly detection based technologies can be effective, but on their
own they tend to be more of a burden than a help.
And the single largest issue, IMHO, is the lack of infrastructure to
properly correlate and analyze data to produce actionable
intelligence. This intelligence can then be piped to various types of
"technical controls" to be used as part of the overall security
architecture. Granted, this isn't necessarily a weakness in IDS as much
as it is a weakness in the approach the industry has taken.
Please feel free to add/expand on these thoughts or introduce other
thoughts to this discussion. (This thread is of course in response to
John Ives.)
Andre Ludwig
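The correlation point above, as an added example that is not part of the original post: a minimal correlator that treats a lone signature hit as weak evidence and only escalates when independent sources (here a constructed auth log and a second, different IDS signature) corroborate it within a time window. All events, signature names, scores and thresholds are constructed for illustration.

```python
"""Minimal alert correlator (added example; not from the original post).
A lone IDS signature hit scores 1; corroboration from another source
within a window raises the score until the finding becomes actionable."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, attributes)
EVENTS = [
    ("2008-10-16 19:40:10", "ids",  {"src": "10.0.0.5", "dst": "10.0.0.20", "sig": "web scanner user-agent"}),
    ("2008-10-16 19:40:12", "ids",  {"src": "10.0.0.7", "dst": "10.0.0.20", "sig": "web scanner user-agent"}),
    ("2008-10-16 19:40:30", "auth", {"src": "10.0.0.5", "dst": "10.0.0.20", "result": "success"}),
    ("2008-10-16 19:41:05", "ids",  {"src": "10.0.0.5", "dst": "10.0.0.20", "sig": "unexpected outbound connection"}),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Group events by (src, dst), anchor on the first IDS alert of each
    pair, and add score for corroborating events inside the window.
    Returns findings sorted by descending score."""
    by_pair = defaultdict(list)
    for ts, source, attrs in events:
        by_pair[(attrs["src"], attrs["dst"])].append((parse_ts(ts), source, attrs))
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e[0])
        first_ids = next((e for e in evs if e[1] == "ids"), None)
        if first_ids is None:
            continue  # nothing to anchor on for this pair
        t0, _, a0 = first_ids
        score, reasons = 1, ["ids:" + a0["sig"]]  # signature alone is low confidence
        for ts, source, attrs in evs:
            if not (t0 < ts <= t0 + window):
                continue
            if source == "auth" and attrs.get("result") == "success":
                score += 3
                reasons.append("auth success after alert")
            elif source == "ids" and attrs["sig"] != a0["sig"]:
                score += 2
                reasons.append("ids:" + attrs["sig"])
        findings.append({"src": src, "dst": dst, "score": score,
                         "actionable": score >= threshold, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The output of `correlate` is the kind of prioritized record that could be handed to a technical control or an analyst, rather than the raw signature hit.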