IDS systems (was Re: Five Theses on Security Protocols)
Perry E. Metzger
perry at piermont.com
Mon Aug 30 12:26:47 EDT 2010

On Mon, 30 Aug 2010 13:49:54 +0100 Ben Laurie <ben at links.org> wrote:
> On 02/08/2010 12:32, Ian G wrote:
> > We are facing Dan Geer's disambiguation problem:
> >> The design goal for any security system is that the
> >> number of failures is small but non-zero, i.e., N>0.
> >> If the number of failures is zero, there is no way
> >> to disambiguate good luck from spending too much.
> >> Calibration requires differing outcomes.
> > Maybe money can buy luck ;)
> Late to the party, I realise, but I have to argue with this. This is
> only true if there's no way to distinguish close misses from nothing
> interesting happening at all.
> This may be the first time I've realised why there's any point to an
> IDS: I've always argued that if you can detect the attacks, then you
> should not be vulnerable to them, however, if your goal is to
> justify the money you spent on not being vulnerable, then suddenly
> an IDS makes some kind of sense. However, no-one has ever suggested
> to me that that is their actual purpose...

Perhaps you haven't been in the right kinds of companies. Your
observation is one many have made in the past, and I don't think it
is even much of a secret.

I suspect that many IDS systems have been put in place over the years
largely as a way of showing management how bad the problem the
security team faces is, and why their budget is justified. That is
never the public claim, of course. However, without some sort of
evidence of a continuing threat, there are managers who would see
an ideally performing security team (i.e. one with a perfect record of
defense) and interpret it as a group spending money to no effect
whatsoever. "Why do I need you when no one ever breaks in?" might be
the (foolish) question.

IDS systems generate voluminous reports which may be used, in part,
to justify continuing funding for a security effort. They allow
management to feel that they are getting something concrete for their
Perry E. Metzger perry at piermont.com
The Cryptography Mailing List