Cisco Blogs

Whales and IDS

February 24, 2010 - 0 Comments

Sometimes there is a perceived need to perfectly fix a problem, and that need can be the enemy of incremental steps that can reduce a problem to an acceptable level. Let me illustrate this by making one of those physical-to-virtual analogies that never really seem to translate very well:

Saving the whales is a difficult task that we will probably never completely finish. We won’t turn the entire planet into a playground for whales, nor do we need to. But if we take steps to regulate the hunting of whales and to protect their food and environment, that may be all that is both possible and needed.

Similarly, we won’t ever completely stop online crime. Consider how that impacts the current view of IPS and signature-based detection methods. These methods often develop a bad reputation because they can be poorly implemented and evaded, and they don’t always detect or prevent all criminal activities.

So does that mean that IPS and signature-based detection methods are end-of-life products or that they should be should be seen as the wrong product direction? I think that would be an unfortunate and incorrect view. The security industry demands that vendors deliver scalable and easy-to-use detection products with reproducible results that can be documented. The online crime community benefits from finding new vulnerabilities or new vectors for existing vulnerabilities, and once documented, these known vulnerabilities can be protected against, and their value and effectiveness then drastically diminished. So it’s hard — almost impossible — to predictively analyze every new vulnerability or configuration snafu that will lead to a compromise.

This is an inherent conflict that will always diminish the value of deployed detection methods.  But take for example the case of physical security: just because someone can find a new, possibly undetectable way to rob a bank, that doesn’t for an instant mean we should drop security monitoring for the well-known methods. Likewise, by monitoring and acting on the known vulnerabilities and attack vectors in the virtual world, it is possible that we will reduce the risk to an acceptable level to continue business.

With online crime, if we can effectively detect and reduce the known attack vectors using IPS, that is a worthwhile pursuit (even if we don’t end up with whale Disneyland). For more information on real-world IPS use, look for a follow-up to this post.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.