work and IT @ 31 Jan 2008 02:46 pm by ayoi
Is Monitoring still relevant if they are going to implement IPS?
That's one of the questions posed by my big Boss that really attracted my attention to answer (as usual my Big Boss always gives a series of good topics for our discussion, which I really appreciate. It makes my brain work and somehow I do feel that I gain something valuable from these types of discussions, even though via email).
So this is my reply:
Interesting question though. Of course, as one of the believers that Prevention Eventually Fails, I believe that the existence of IPS should never reduce the importance of detection. (Anyway, before it can prevent, it has to detect first.)
Bejtlich says that Prevention Eventually Fails because of the characteristics of the intruders: they are unpredictable and some of them are smarter than the defender.
Marcus Ranum says that security is when people stop doing something stupid, and from his thought “tell me what is so “deep” about knowing how to block 31 attacks?” Even though that article is more on DPI capabilities in firewalls, IMHO it applies just as well to perimeter security devices that incorporate an IPS function.
And this is my thought:
Security is a process of reducing the risk to an acceptable level. This risk is reduced by carrying out the security process, which is Assessment, Protection, Detection and Response. Not long ago organizations used to say that their network was secure when they had firewalls installed, and then, when people realized that firewalls only deal with layers 2, 3 and 4, IDS was introduced as an early warning detection system. And some smart guys thought “if we can detect, why not prevent the attacks as well?” Hence IPS was introduced to the market. IPS is more like giving those perimeter security devices a view of what is happening above layer 5. And of course, IPS, like its predecessor IDS, relies for most of its detection/prevention mechanism on signature-based rules for known attacks. Whether the signature captures the exploit or the vulnerability is another issue.
Totally depending on these perimeter security devices (IPS/Firewalls/Proxy etc.) is not a wise idea. Why? How can you prevent attacks from unpredictable and smarter attackers? How do you prevent attacks that target unpublished attack vectors and vulnerabilities?
OK, I can hear some of you arguing that in the case of 0-day attacks, even IDS will fail to produce alerts. Now let's discuss a little bit about Detection.
The Detection process consists of Collection, Identification, Validation and Escalation. Let me focus on the Collection process. There are reasons why having alert data, session data, statistical data and full content data is the most ideal way of collecting network-based information to assist the analyst in the Identification process. Anyway, we must also be aware that collecting everything is ideal but problematic, BUT to quote from Taosecurity:
“The advantage of collecting as much data as possible is the creation of options. Collecting full content data gives the ultimate set of options, like replaying traffic through an enhanced IDS signature set to discover previously overlooked incidents. Rich data collections provide material for testing people, policies, and products. Network-based data may provide the evidence to put a criminal behind bars.”
and
“NSM’s answer to the data collection issue is to not rely on a single tool to detect and escalate intrusions. While a protocol analyzer like Ethereal is well suited to interpret a dozen individual packets, it’s not the best tool to understand millions of packets. Turning to session data or statistics on the sorts of ports and addresses is a better way to identify suspicious activity.”
Let's imagine 3 scenarios:
Without IDS
An attacker attacks using a 0-day exploit against a 0-day vulnerability on a workstation. It bypasses the firewalls, the attack pattern doesn't match any rules in the IPS, and there is no blocking action. The victim complains and all we can do is patch and proceed. But we never know what actually happened.
With IDS but without a proper Collection Process
An attacker attacks using a 0-day exploit against a 0-day vulnerability on a workstation. It bypasses the firewalls, the attack pattern doesn't match any rules in the IPS so there is no blocking action, and the attack pattern doesn't match any rules in the IDS so no alerts are triggered. The victim complains and all we can do is patch and proceed. But we never know what actually happened.
With IDS and a proper Collection Process
An attacker attacks using a 0-day exploit against a 0-day vulnerability on a workstation. It bypasses the firewalls, the attack pattern doesn't match any rules in the IPS so there is no blocking action, and the attack pattern doesn't match any rules in the IDS so no alerts are triggered. The victim complains and we can start investigating with the available data. We update the signatures and perhaps feed them to the IPS and IDS, plus the information gathered can be used for legal purposes.
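To make the difference between the second and third scenario concrete, here is an added example (my own illustration, not code from the original post or from any NSM tool): constructed session records for the complaining workstation, an empty alert list standing in for the IDS that matched nothing, and a small investigation routine that works from session data alone. Field names, addresses and the 1 MB upload threshold are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# Constructed session (flow) records, the kind a sensor keeps regardless of
# whether any IDS/IPS signature fired. Field names are assumptions.
Session = namedtuple("Session", "start src dst dport bytes_out bytes_in")

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

SESSIONS = [  # constructed sample data, 10.1.1.25 is the complaining workstation
    Session(ts("2008-01-30 09:02:11"), "10.1.1.25", "10.1.1.5", 445, 1200, 900),
    Session(ts("2008-01-30 09:15:40"), "203.0.113.7", "10.1.1.25", 80, 64000, 2100),
    Session(ts("2008-01-30 09:16:05"), "10.1.1.25", "203.0.113.7", 8080, 512, 48000),
    Session(ts("2008-01-30 09:20:00"), "10.1.1.25", "198.51.100.9", 443, 2500000, 3000),
    Session(ts("2008-01-30 10:00:00"), "10.1.1.30", "10.1.1.5", 445, 1000, 800),
]
ALERTS = []  # the IDS matched nothing: the attack had no signature yet

def is_internal(ip):
    return ip.startswith("10.")

def alert_only_view(victim, alerts):
    """Scenario 2: with alerts as the only data, the analyst sees nothing."""
    return [a for a in alerts if victim in (a.get("src"), a.get("dst"))]

def investigate(victim, sessions, since, until):
    """Scenario 3: session data lets the analyst reconstruct what the
    workstation talked to around the time of the complaint."""
    related = [s for s in sessions
               if victim in (s.src, s.dst) and since <= s.start <= until]
    external = [s for s in related
                if not (is_internal(s.src) and is_internal(s.dst))]
    peers = sorted({s.dst if s.src == victim else s.src for s in external})
    # Outbound volume well above what a workstation normally sends: the lead
    # to pull full content for, and to turn into new IDS/IPS signatures.
    uploads = [(s.dst, s.bytes_out) for s in external
               if s.src == victim and s.bytes_out > 1_000_000]
    return {"sessions": len(related), "external_peers": peers,
            "large_uploads": uploads}

if __name__ == "__main__":
    window = (ts("2008-01-30 09:00:00"), ts("2008-01-30 12:00:00"))
    print(alert_only_view("10.1.1.25", ALERTS))
    print(investigate("10.1.1.25", SESSIONS, *window))
```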
The Detection Engine is perhaps the main component of an IDS. Its alerts will be the main indicators of suspicious events that have either occurred (compromise), are ongoing (exploitation), or will happen (vulnerability scanning), depending on the phase of compromise. For an analyst to perform his Identification process (whether to categorize the suspicious event as normal or malicious) he needs all available resources or information to help his analysis. The main problem with IDS is the rate of false positives. The only way to reduce it is by fine tuning our rules to suit our client's environment, and of course we require our client's inventory lists covering the assets that we monitor. It is easy to defend or monitor something that you know and are aware of.
I never said that we should abandon IPS or any preventive measures. As I stated before, security is about reducing the risk of being compromised, so we have to incorporate all security measures that may deter potential intruders or attackers from launching or continuing their attacks. I don't believe in depending on one security product or only one security measure; anyone who believes that his network is secure because he has such and such products implemented in his network only manages his security based on belief and not on facts, which in the end will fail spectacularly.
And of course: why does a building that has biometric access doors, access cards and security guards still need CCTV?
Quite long, eh? Anyway, I would be grateful if any of you guys have any other opinions on this matter.
p/s: I've censored any sensitive/confidential statements though.
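An added example (my own illustration, not from the original post) of what tuning against a client inventory looks like in practice: each alert is checked against what the inventory says the target actually runs, so signatures that cannot apply are set aside before escalation. The inventory, alerts, signature ids and verdict labels are constructed for illustration.

```python
# Constructed asset inventory (the client list the analyst needs) and
# constructed IDS alerts; field names and signature ids are assumptions.
INVENTORY = {
    "10.1.1.5":  {"os": "Windows", "services": {445, 3389}},
    "10.1.1.20": {"os": "Linux",   "services": {22, 80}},
}

ALERTS = [
    {"sid": 1001, "msg": "IIS exploit attempt", "target_os": "Windows",
     "dst": "10.1.1.20", "dport": 80},
    {"sid": 1002, "msg": "SMB exploit attempt", "target_os": "Windows",
     "dst": "10.1.1.5", "dport": 445},
    {"sid": 1003, "msg": "RDP brute force", "target_os": "Windows",
     "dst": "10.1.1.5", "dport": 3389},
    {"sid": 1004, "msg": "SSH scan", "target_os": "any",
     "dst": "10.1.1.99", "dport": 22},
    {"sid": 1005, "msg": "Web exploit attempt", "target_os": "any",
     "dst": "10.1.1.5", "dport": 80},
]

def validate(alert, inventory):
    """Identification step: classify one alert against what we know about
    the target. Returns the analyst's verdict as a string."""
    asset = inventory.get(alert["dst"])
    if asset is None:
        # Not in inventory: cannot be tuned away, and the gap itself is a finding.
        return "investigate"
    if alert["target_os"] not in ("any", asset["os"]):
        return "false_positive"     # exploit for an OS this asset does not run
    if alert["dport"] not in asset["services"]:
        return "low"                # nothing listening there to exploit
    return "escalate"

def triage(alerts, inventory):
    """Bucket a batch of alerts by verdict, keeping the signature ids."""
    out = {}
    for a in alerts:
        out.setdefault(validate(a, inventory), []).append(a["sid"])
    return out

if __name__ == "__main__":
    print(triage(ALERTS, INVENTORY))
```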
From the point of view of tech guys like us, for sure monitoring is better than prevention, since we can see what is going on with our network in real time.
The interesting part is when your boss asks the question. Why?
In my opinion, there is quite a difference between our view and management's, since if we replace IDS with IPS, we will be able to cut some costs. IDS implementation is more expensive than IPS in terms of the human factor (you need people to monitor IDS on a 24/7 basis). Commonly with IPS, we just need to update the rules and black/white list. With IDS, you need to monitor/detect/make the signature that matches the attack and update the rules.
From a network perspective, there is a performance issue if we are using SPANNING, and a Network Tap is expensive.