“The Bad Guys just seem to get better and better at disguising themselves. [...] We’ve been thinking about replacing our IDS systems with IPS so that we can mitigate faster. What do you think?”
Yes, there's an arms race in IDS that's orthogonal to the security arms race in general (Bad Guys try to hack you, and you try not to get hacked): Bad Guys try not to be *seen* while trying to hack you, and you try hard to see them trying. So IDS evasion is a serious issue, and a hard one. Very good point.
My advice is that IDS and IPS should never be an either/or, but rather a this-plus-that, defense-in-depth. You can tune an IDS to be much more sensitive, because a false positive there can be dealt with offline by a human. An IPS typically has to be tuned way down in comparison, because a false positive there is a self-induced denial of service (DoS) attack. Indeed, in some sense, an IPS turns your security posture over to the Bad Guys, as they can trigger a failure state (whether fail-closed or fail-open) with their own activities.
Just one analyst's $.02 though...
July 13, 2007, 5:46pm
“Great point about ‘either/or.’ Problem is, I have a finite budget and have to choose. Now what?”
Well, budget limitations are a reality. If I *had* to choose, I'd definitely go with IDS initially, most of which can do some amount of active, automated remediation as well anyhow. It's a more mature technology segment as well. Then you can plan towards augmenting by putting IDS in-line (IPS) at critical choke points as budget allows (and risk assessment dictates).
July 13, 2007, 7:10pm
“But I hear that IDS is a money and time sink, and that it’s just too hard to do well. Is it really worth the effort (even if our SOX auditors didn’t tell us we had to)?”
From an analyst's perspective, the single biggest challenge is dealing with false positives. I don't care what any salesdroid from whichever company tells you, out of the box, every single network-based IDS is going to throw something around 80% false positives—at best. Sorry Sourcefire, you too.
But with the right tools, and the right training, experience and *effort*, you can tune them to be incredibly useful. I typically shoot for something like a 20% false positive rate. (If you get too close to zero, you're unwittingly tuning *up* your false negative rate, which is potentially a Very Bad Thing.)
There are many more challenges of course, but that's the one my clients pay me the most money to help them with. Vendors will flat give away the architectural advice (sensor placement, device sizing based on throughput, etc.), and will deeply discount training to make the sale. But the hard work of tuning an IDS system to a particular environment is often the most expensive part, though money very well spent, IMHO.
You can do it, and you should. Of course, I can help. ;-)
/jonathan
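To illustrate the false-positive versus false-negative trade-off in the answer above, here is an added example (not part of the original post) that sweeps a tuning threshold over a constructed, hand-labelled set of sensor events; the event scores, the `Event` class and the helper names are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class Event:
    """One sensor event plus the analyst's triage verdict (hypothetical model)."""
    score: int        # assumed signature confidence, 0-100
    malicious: bool   # ground truth established after investigation

# Constructed sample: noisy benign matches (10-70) overlap with real attacks (45-95).
BENIGN_SCORES = [10, 15, 20, 20, 25, 30, 30, 35, 40, 45, 45, 50, 55, 60, 65, 70]
MALICIOUS_SCORES = [45, 55, 60, 70, 75, 80, 90, 95]
EVENTS = [Event(s, False) for s in BENIGN_SCORES] + [Event(s, True) for s in MALICIOUS_SCORES]

def tune(events: Iterable[Event], threshold: int) -> dict:
    """Alert on every event scoring at or above `threshold`.

    fp_share: fraction of fired alerts that are benign (what the analyst sees as
    'X% false positives'). fn_rate: fraction of real attacks that never alerted.
    """
    events = list(events)
    fired = [e for e in events if e.score >= threshold]
    attacks = [e for e in events if e.malicious]
    false_positives = sum(1 for e in fired if not e.malicious)
    false_negatives = sum(1 for e in attacks if e.score < threshold)
    return {
        "threshold": threshold,
        "alerts": len(fired),
        "false_positives": false_positives,
        "false_negatives": false_negatives,
        "fp_share": false_positives / len(fired) if fired else 0.0,
        "fn_rate": false_negatives / len(attacks) if attacks else 0.0,
    }

def sweep(events: Iterable[Event], thresholds: Iterable[int]) -> List[dict]:
    events = list(events)
    return [tune(events, t) for t in thresholds]

def lowest_threshold_for_fp_share(events: Iterable[Event], target: float) -> int:
    """Smallest threshold (0-100) whose fp_share is at or below `target`; 101 if none."""
    events = list(events)
    for t in range(0, 101):
        if tune(events, t)["fp_share"] <= target:
            return t
    return 101

if __name__ == "__main__":
    for r in sweep(EVENTS, (0, 50, 60, 71)):
        print(f"threshold {r['threshold']:>3}: {r['alerts']:>2} alerts, "
              f"FP share {r['fp_share']:.0%}, FN rate {r['fn_rate']:.0%}")
    print("first threshold at or under 20% FP share:", lowest_threshold_for_fp_share(EVENTS, 0.20))
```

On this sample, the threshold that first drives the false-positive share to zero also silences half of the real attacks, while the 20% target mentioned above is reached at a threshold that still misses fewer of them.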