Security people love intrusion detection. IDSes allow us to play multiple roles: amateur detective, omniscient voyeur, would-be superhero. We can watch others, unobserved, as they tinker and tap at our gateways and rattle the doorknobs of other people's virtual offices.
But while seductive, intrusion detection remains an overhyped and misunderstood technology because most companies have no clear idea what to do with it. The entire category of products needs to be reassessed if companies are to improve their security--not just make it more interesting.
Many IDSes are expensive, and licensing and support fees are only a small part of the cost. Intrusion detection is also a costly diversion from real security. Tuning it, watching it and keeping it current are major drains on the time of security administrators and managers. Qualified security people are in very short supply, and their time would be far better spent addressing real and pressing security issues, such as hardening systems and applications or managing their patch process.
Furthermore, the returns on intrusion detection are very small. Recently, an administrator at a California state agency told me a story about an attack on his network. He was running a popular IDS that detected a port scan, which he reported to his ISP. The ISP, in turn, dutifully notified the ISP of the offending host and confirmed the notification via e-mail. And as far as the ISP was concerned, that closed the matter.
OK, so there was no damage and no successful incursion, because the admin's network was buttoned up pretty tight. Nevertheless, he felt let down. Shouldn't there be some sort of investigation? His system was under attack, and he did everything right: His IDS worked perfectly, he was paying attention, he discovered the attack, and he reported it. And what happened? Nothing. Aside from capturing evidence to prosecute if his systems eventually were hacked, all his efforts amounted to nothing.
Many companies envision IDSes as a sort of hands-free monitoring solution. In reality, this mind-set can cause more harm than good. In addition to providing a false sense of security, an undermanaged IDS may lead to corporate liability.
I recently asked a friend at a big corporate law firm about this. What would happen if a company deployed an IDS and collected reams of data from it, yet didn't sufficiently monitor the system or examine the logs? Could the company be held liable if an attack slipped through, or if the company's systems were used to launch an attack on another company?
My lawyer friend said that there's little legal precedent in such cases, but companies nonetheless have all kinds of explicit and implicit responsibilities to their partners and customers. In most of these relationships, there's the expectation of protection. If a customer or partner was hurt because of the attack, and that damage could have been reasonably foreseen and prevented given the data in the IDS logs, then it's quite possible that it could result in claims of negligence.
Now, before you come to the conclusion that I think IDSes are useless, I'd like to stress that they're useful in many situations--for instance, against denial-of-service attacks, for security information archiving and for investigating and prosecuting computer crimes. The problem is that most businesses don't think about IDSes in these terms. They expect their ISP to help with DoS attacks; they can collect log files from firewalls and servers; and they don't think a lot about tracking down criminals.
Intrusion detection is a thriving business for software companies and new appliance vendors. When people are scared of the unknown, they will buy just about anything that makes them feel better.
It's time we do a better job of helping companies make security investments that materially improve their level of protection. More training for security administrators, more general outreach to non-security employees, closer attention to new security issues with the products they already have: all of these are cheaper and more effective than intrusion detection.
About the author:
Jack Danahy is a principal with the Danahy Group, a security consultancy. He is a frequent lecturer on IT security and holds several patents on security technologies.