coming soon: discussions on ips and siem

Coming soon are a series of blog posts from 2 sources that, at least to me, sound like they may answer similar high-level questions despite focusing on disparate technologies. Securosis will be posting about SIEM replacements and Bejtlich will be posting about IDS/IPS. I’m looking forward to views on both, and I think they may delve into similar sentiments.

Bejtlich basically framed his prologue around a tiny article about a cybersecurity pilot: “During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., [Deputy Defense Secretary William] Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped ‘hundreds of intrusions.'”

First of all, duh. Second, this isn’t about IPS technology or any technology at all, really. This gets back to what I feel are three *very* important resources in security: people, time, and information sharing. I’d argue if *any* business had this sort of ability, they’d see value as well and we’d all issue a great big, “duh.” Third, the world Lynn is talking about is definitely different from my day-to-day; the concept of security intelligence efforts in any but the biggest private enterprises is a foreign concept, but I can fantasize at least! 🙂 [Aside: I’d include ‘organizational buy-in to security’ as another valuable resource that defense organizations have a big interest in; but that concept gets pretty abstract and overly broad. Essentially, if security sees a problem, they don’t get trumped by the business…every single time.]

Bejtlich posed the underlying rhetorical question: “If you can detect it, why can’t you prevent it?” Sounds quaint, eh? And it’s a valid question, though the problem is in my years of watching an IPS/IDS, they’re far, far too chatty to feel good about outright blocking all but the absolutely most obvious stuff. But that gets better if you put the magic ingredients of people, time, and info sharing into it (as well as visibility and power over the damned signatures!). Out of the box, no IDS/IPS is going to be a fun experience from any perspective that includes operational availability.

At the end of the day, I still feel like so many discussions come back to whether someone is looking for absolute security or incremental while accepting that our equilibrium will be in a balance between security and insecurity.

I might even entertain the discussion that metrics are actually the *wrong* way to go, since I don’t think there is an answer. And security can’t be nicely modeled without peoplethought and qualitative statements….