NSM; work and IT @ 12 Jul 2007 02:12 am by ayoi
During the image replication process, I had a nice conversation with our client’s Information Security Incident Response Manager. The topics? Everything from the incident that had happened to the security implementation at their place. He mentioned to me their plan to abandon their IDS and use an IPS instead. He said that it seems the IDS serves no purpose in their network security. That kind of statement surprised me a bit, as it came from a person who is supposed to be well versed in security. Anyway, regarding this IPS vs IDS thing, I’ve been encountering this kind of question or statement for quite some time.
I think this is similar to the HIDS vs NIDS thing. Security means maintaining an acceptable level of perceived risk. We should consider the best method to protect our assets within the network. Even if the network is not connected to the internet, we still have to consider the threat from inside (structured or unstructured). There is no way we can be sure that our network is totally secure. It may be secure now (even right after we do a security assessment of our network), but we simply cannot be sure whether the network is still secure even 5 minutes later. What we can do is increase the difficulty level for any possible intruder trying to penetrate our network. How? By understanding that security is definitely not a product. Security is not defined as a firewall, an IDS, or any other tool. Security is a process: the continuous assessment of the network via scheduled passive or active network scanning, re-evaluating the security policy, and understanding new technology. The results of the assessment feed the countermeasure and protection process, which is followed by detection of any new type of attack on new vulnerabilities (where I believe NSM is the best practice), and trust me, the network will be penetrated eventually. After responding to the incident, the assessment is done again to ensure that the network cannot be penetrated by that new method and that the new vulnerabilities are patched.
Having both NIDS and HIDS is, for me, the best practice, the same as having both IPS and IDS. I told the Information Security Incident Response Manager that even if you have the most advanced IPS, one 0-day exploit will basically defeat the prevention system. Intruders are unpredictable and some of them are smarter
To answer the Information Security Incident Response Manager’s earlier question, I just answered:
“The best IDS is the one that has a team of analysts who understand its detection methods, its mechanism and the indicators it produces. An IDS will only give indicators of anything suspicious or anomalous in the traffic, while the analyst gives context to those indicators. Human judgement, intuition and knowledge can never be replaced.”
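The point above, that the IDS produces indicators while the analyst supplies context, is easiest to see in code. The example below is added here and is not from the original post or any product mentioned in it. It parses a few constructed alert lines laid out like a Snort-style "fast" alert (the format is an assumption; Snort is not discussed on the page), looks each destination up in a hypothetical asset inventory, and turns the bare indicator into a triage decision. Alert content, IP addresses, SIDs and the inventory are all constructed for illustration.

```python
"""Added example (not from the original post): giving IDS indicators asset context.

Alert lines imitate a Snort-style fast-alert layout and the inventory is a
hypothetical stand-in for whatever CMDB or asset list an analyst would consult.
"""
import re
from dataclasses import dataclass

# Constructed sample alerts, not real IDS output.
SAMPLE_ALERTS = [
    "07/12-02:12:01.000000 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 203.0.113.5:41222 -> 10.0.0.10:22",
    "07/12-02:12:07.000000 [**] [1:2010937:1] ET POLICY Suspicious inbound to MSSQL port 1433 [**] "
    "[Priority: 2] {TCP} 203.0.113.5:41300 -> 10.0.0.20:1433",
    "07/12-02:12:09.000000 [**] [1:2003068:1] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 203.0.113.5:41301 -> 10.0.0.30:22",
]

# Hypothetical asset inventory: which services each host really exposes and
# which of those ports carry a known-unpatched service.
ASSET_INVENTORY = {
    "10.0.0.10": {"name": "bastion", "services": {22: "openssh (patched)"}, "unpatched": set()},
    "10.0.0.20": {"name": "fileserver", "services": {445: "smb"}, "unpatched": set()},
    "10.0.0.30": {"name": "legacy-db", "services": {22: "openssh (old)", 1433: "mssql"}, "unpatched": {22}},
}

# Fields of a fast-format alert: rule id, message, priority, protocol and the 5-tuple.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Triage:
    dst: str
    dport: int
    msg: str
    disposition: str  # "escalate", "investigate" or "deprioritise"
    reason: str


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    fields["sport"] = int(fields["sport"])
    fields["prio"] = int(fields["prio"])
    return fields


def triage(alert, inventory):
    """Combine one indicator with asset context to reach a decision.

    The IDS only says "this looked like a scan of port 22"; whether that matters
    depends on what the destination host actually runs and whether it is patched.
    """
    host = inventory.get(alert["dst"])
    if host is None:
        # Unknown asset: the inventory may be incomplete, so a human looks at it.
        return Triage(alert["dst"], alert["dport"], alert["msg"], "investigate",
                      "destination not in inventory")
    if alert["dport"] not in host["services"]:
        # Nothing listens there; lower priority rather than drop, since the
        # inventory itself may be stale.
        return Triage(alert["dst"], alert["dport"], alert["msg"], "deprioritise",
                      f"{host['name']} does not expose port {alert['dport']}")
    if alert["dport"] in host["unpatched"]:
        return Triage(alert["dst"], alert["dport"], alert["msg"], "escalate",
                      f"{host['name']} runs unpatched {host['services'][alert['dport']]} on {alert['dport']}")
    return Triage(alert["dst"], alert["dport"], alert["msg"], "investigate",
                  f"{host['name']} exposes {host['services'][alert['dport']]}; confirm activity")


def triage_all(lines, inventory):
    """Parse every alert line that matches and triage it against the inventory."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            results.append(triage(alert, inventory))
    return results


if __name__ == "__main__":
    for t in triage_all(SAMPLE_ALERTS, ASSET_INVENTORY):
        print(f"{t.disposition:13} {t.dst}:{t.dport}  {t.msg}  ({t.reason})")
```

The three alerts carry the same IDS priority, yet the context splits them three ways: the scan of the patched bastion is routine, the MSSQL alert hits a host with no MSSQL listener, and the scan of the legacy database lands on an unpatched service and is escalated. The host not exposing the port is deprioritised rather than dismissed, because an inventory that is wrong is exactly the situation an analyst exists to catch.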
