Myth #5: IDS is dead
Like conventional AV, signature-based intrusion detection systems have come under fire for not living up to their promise. This sentiment reached its apex in 2003 when Gartner Group proclaimed, "IDS is dead." And, if Gartner said it, well, of course, it must be true--right?
IDS isn't dead. In a recent survey, Information Security research partner TheInfoPro found that 80 percent of Fortune 1000 enterprises now deploy some form of intrusion detection. And, rather than killing it off, many vendors and enterprises have transformed their IDSes into integral components of attack correlation, perimeter intelligence and forensics.
Network firewalls from vendors such as Check Point Software Technologies, Juniper Networks, Cisco Systems and Secure Computing now have IDS-like functionality for commonly exploited application protocols such as HTTP, FTP, SMTP and XML/SOAP. These devices supplement filtering on IP address, port and network protocols by examining the construction of selected application payloads and pattern-matching against a signature database--just like an IDS.
IDSes are also proving to be effective reconstruction data stores. While they're less effective in real-time threat prevention, IDSes give you a specific data trail on what and when attack packets passed on the network.
"Forensics has become IDSes' greatest value," says CyberTrust's Tippett.
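As an added illustration (not code from the article or from any vendor it names), the Python sketch below shows the layered check described above: an IP/port filter first, then signature matching on the HTTP request line, with every decision written to a timestamped event trail of the kind the forensics point relies on. The signature names, the port policy and the sample packets are constructed for the example.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Pattern

# Constructed signature database: name -> regex applied to the HTTP request line.
# Real products hold thousands of these; two are enough to show the mechanism.
SIGNATURES: Dict[str, Pattern[bytes]] = {
    "http-path-traversal": re.compile(rb"\.\./"),
    "http-oversized-request-line": re.compile(rb"^\S+ \S{256,}"),
}
ALLOWED_DST_PORTS = {80}  # hypothetical firewall policy: only HTTP into this segment


def inspect(packet: dict, now: Optional[datetime] = None) -> dict:
    """Layered decision: network-level filter first, then application payload signatures.
    Returns an event record, the 'what and when' trail an IDS keeps for forensics."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    event = {"ts": ts, "src": packet["src"], "dst_port": packet["dst_port"], "signature": None}
    if packet["dst_port"] not in ALLOWED_DST_PORTS:
        return {**event, "verdict": "drop-port"}  # never reaches payload inspection
    request_line = packet["payload"].split(b"\r\n", 1)[0]
    for name, rx in SIGNATURES.items():
        if rx.search(request_line):
            return {**event, "verdict": "alert", "signature": name}
    return {**event, "verdict": "allow"}


def build_trail(packets: List[dict], start: datetime) -> List[dict]:
    """Inspect packets in order with a fixed clock so the trail is reproducible."""
    return [inspect(p, start) for p in packets]


# Constructed sample traffic (not real captures).
T0 = datetime(2005, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst_port": 80, "payload": b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"},
    {"src": "10.0.0.9", "dst_port": 80, "payload": b"GET /images/../../private/config HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.9", "dst_port": 23, "payload": b"\xff\xfd\x18"},
    {"src": "10.0.0.7", "dst_port": 80, "payload": b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    for ev in build_trail(SAMPLE_PACKETS, T0):
        print(ev)
```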
Myth #6: The security guy is accountable for security
It's an age-old maxim that "security is successful when nothing bad happens." So, naturally, when something bad happens, everyone asks, "What happened?"
If security is institutionalized throughout an organization, the security guy should be able to respond, "You tell me." At the end of the day, the security guy isn't accountable for security; he's accountable for making everyone else accountable for security.
"Security is really about gap analysis," says Robert Garigue, CISO of the Bank of Montreal. "The people who are accountable to close those gaps are not the security people; they're the operational people. Firewalls and IDSes should be managed by the network people. Patch management should be done by the server and desktop staff." Instead of doing all those things, Garigue says, "Security should be looking at where the next big risks are coming from."
Garigue puts accountability for security squarely in the laps of the line-of-business owners. The security/business unit relationship, he says, should resemble that of a dentist/patient. "The patient has the accountability to brush his teeth every day. The dentist has the accountability to do a checkup once a year and fix cavities when required."
CA's Moritz agrees. "Security is moving beyond the infrastructure and users," he says. "Today, we build business processes around people and work. Tomorrow, we will automate business processes and hire people to work around standard processes.
"As this change takes place, the ideas behind what defines security and security products will change dramatically--and so too the expertise required to be a security wonk. The expertise will be in the attribute-based classification of data, business processes and management goals. The security guy will be the head conductor, not someone relegated to the back corner of the orchestra."
This was first published in January 2005