Monday, October 30, 2006

Rant: The IDS is Dead, So Lets Throw the Baby Out with the Bathwater!!

Taosecurity is fighting the good fight. I am just shaking my head since I have long given up on the security community as a whole due to short sightedness and egotism. My perceived problem with the security community is that they want some magic “Silver Bullet” that will cure all of their woes so they can kick their feet up on the desk and not have to do any real work. So if one tool doesn’t work, they just want to chuck it to the curb with their old servers.

Taosecurity hits at the nerve of the issue in pointing out the difference between “product” and “system”. The “IDS” is typically seen as things like Snort, which is a product by Rich definition. I prefer the term tool myself, since it gets at the point I always try to make, whether its security, programming, or making a peanut butter and jelly sandwich. You need the “Right tool for the job”. In addressing the problem of security, the IDS is just another tool, and you need a whole bunch of tools to solve a problem of that scope. And just like any other tool, you can improve and modify it, like say combining the firewall and IDS to try to create an IPS, but it is not going to fully replace the two separate tools any more than the Nail Gun has replaced the good ‘ole hammer in the field of carpentry. (Which draws an interesting parallel, why don’t we see carpenters making such bold claims like “The Hammer is dead” while championing the Nail Gun? It’s probably because the hammer is still the appropriate tool for the job in a given set of circumstances.) Every few months someone’s got to go around with claims like “The IDS is DEAD”, or “The Firewall won’t protect you forever”, and silly one size fits all solutions like “Smart Firewalls”, “IPS”, and whatnot and what have you come around. I’ll believe the IDS is dead when claims like C/C++/Java/Whatever dies as well.

That whole “Right Tool for the Job” concept is a hard one for security theorist to grasp, and provides a decent lead in to a rant I’ve wanted to get off my chest. To demonstrate this, I recently had a discussion with someone in the security community the other day about a series of reports I am building in BIRT. The security guy basically tried to make an argument that the same thing could be done in PERL since it is already on the system, and reduce the need to install any further software. His real hidden agenda was to take an undeserved dig at Java as a language, and Java tools. Having developed reports in PERL before, I can easily say yes, it is possible to build these reports in PERL, but the guy is off his rocker if he thinks I am actually going to do so based on his opinion any more than I would be if I had entertained the notion of trying to convince him of my point of view.

From my perspective, it simply is not the appropriate tool for the job for a number of reasons. First, BIRT is a platform dedicated to reporting, PERL is a general purpose scripting language. Second, it is much easier to maintain a reporting system in BIRT than it would be in PERL due to the reduced amount of coding. And Third, it leverages the concept of re-use, so I can apply the combined knowledge of developers who have come before me and built a system of reporting elements in an easy, flexible, and rapid development method without having to rediscover the pitfalls that they discovered. After all, a whole community building a dedicated tool would know a little more than little ‘ole me trying to develop something from the ground up, hence BIRT reason for existence and following by a dedicated developer community. So on the merits of scope, maintenance, re-use, and development time, BIRT was determined to be the appropriate tool for the job.

This is an attitude I encounter all too often. While some would consider it cockiness or outright rudeness, I actually believe it’s more of a reflection of fear. To use an analogy, they would prefer to lock the house in a vault rather than risk it being broken into, regardless of the fact that the airlessness of the vault will kill everyone inside.I could go much deeper, but that touches on another one of my beliefs of the failing of the security community, their lack of perspective in the concept of utility. While I agree that security should not be sacrificed in terms of security, I do not hold the seemingly overwhelming belief in over-securing an environment to the extreme of limiting the utility of a system to the point where it is totally unusable. I have seen this trend prevail all too often, and does not address the real issues of security, or lack there of, in an environment. All it does is limit users while giving security teams a sense of accomplishment, meanwhile the real threats are holding the keys to the kingdom.

Point is, there are proper tools for certain jobs, and tossing out Snort because someone claims IDS is dead is doing to leave you as limited as tossing out the Philips head screwdriver when some nut claims that Torx is the future.

1 comment:

LonerVamp said...

Likewise, I am currently seeing how over-emphasizing security without seeing the big picture is leaving our IT department with so many complexities that easy things cannot get done, or get shot down due to waving the magic "security" card in people's faces.

You can secure an environment so much that it is rigid and locked down like your vault. Or you can end up with something so complicated that only 2 people with 5 years of experience with building it can perform any real work.