IDS mailing list archives

RE: Low cost HID based IDS system


From: "Sekurity Wizard" <s.wizard () boundariez com>
Date: Thu, 22 May 2003 23:27:32 -0400

It's a matter of economics, and yes, a false sense of security is worse
than a sense of insecurity.  Your customers need to be educated that they
are NOT covered in a way an MSSP would...but then if they're that small
they're probably not business-critical in terms of their systems.  We
need to make clear distinctions here - lest we forget that money is
still short out there today.  I see budgets cut constantly...and
security isn't a piece of IT that can show a definite "benefit" over a
defined period.  You can say to your client "you could have been hacked
and x, y, and z, could have happened"...but then the client will
undoubtedly come back to you with..."sure, but we haven't had IDS for
years...we've had problems but we've always dealt with them - so no
business-ending loss"....make sure you understand the proper way to
rebut that.

We keep arguing the same points over and over - and some of you folks
miss the point entirely.  Snort is great, and I love that it's out there
- but it'll only catch what you configure it to look for...simple.  You
need to have an onion, folks.  Firewall-->"IDS/IPS"-->network is how it
should always go...at very least.  And last but certainly not least -
think about this point for a second... Everything is broken down to
acceptable risk - what's your client willing to accept in a cash vs.
results bargain?

Cheers - it's getting late.

Wizard

-----Original Message-----
From: Dick Li (eBits Limited) [mailto:dli () ebits com hk] 
Sent: Thursday, May 22, 2003 5:16 AM
To: Zach Forsyth
Cc: Focus-Ids
Subject: Re: Low cost HID based IDS system


 Hi Zach,

As an MSSP in my city, our company serves groups of customers using open
source HID (e.g. tripwire) and NIDS (snort is my favourite). (We also use
commercial tools but they are not our major sources.) I can say the
"business model" definitely works. Our staff provide technical service
and the clients pay the monthly bill. Many customers, the small &
medium ones, lack the resources either to buy a "branded" IDS or to
dedicate IT staff to handle difficult security work. However, they
are willing and capable of spending a service fee on a monthly/quarterly
basis for services like we provide. In a certain sense they do not much
care whether the tools we use are commercial or open source. In
fact, more and more customers understand the merit of using open
source, not only "cheap" but quality and reliability.....

Dick Li
Consultant
eBits Limited

Paul Schmehl wrote:

I'm a big believer in open source. I use snort, nessus, nmap, etc. 
daily. I run snort on FreeBSD. I'm writing to you on a RedHat box. I 
don't think that I missed your point. I was trying to point out to you
that the cost of a service isn't *just* the equipment or software you 
have to provide. You need to think about that carefully, or you will 
burn yourself out trying to help your customers.

As one who monitors our network I can tell you that while snort is 
free, installing it, configuring it, keeping it up to date and 
*monitoring it* is not. It's nice to have the technology in place, but
I *do* have to sleep from time to time, and when I'm sleeping the bad 
guys are not.

You're absolutely right that something is better than nothing. I'm 
just trying to warn you to not get your customers' hopes up too high. 
Unless you can monitor 24/7/365 you *will* miss attacks. They need to 
know that. They need to understand that the *best* model is one where 
they get 24/7/365 coverage. What you're thinking about offering them 
is *useful*, but it needs to be taken in context.

I am *not* saying that what you're thinking about doing is a bad idea.
I *am* saying that you need to be realistic regarding your and your 
customers' expectations and you need to think about how much putting 
this system together will cost you. I'm sure you don't consider your 
time as free. How much are you willing to "spend" to put together a 
system? And how long will it take you to recover that cost?

--On Monday, May 19, 2003 10:21:01 AM +1000 Zach Forsyth 
<Zach.Forsyth () kiandra com> wrote:

Paul,

You seem to have missed the point a little.
Why do people bother developing snort when there are so many other 
commercial IDS's out there? It's free, so therefore it can't be any 
good. Why do people bother with Nessus? Why do people bother with 
<insert free/cheap/open source solutions here>?


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

----------------------------------------------------------------------
---------

INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM 
capabilities - including intrusion identification, relevancy, 
direction, impact and analysis - enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, 
Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids2
----------------------------------------------------------------------
---------