The difficulty of performing incident detection… and prevention

A common question when discussing intrusion detection versus intrusion prevention is “why on earth would we want to do only detection?”. The pretty simple reason (which I have written about tons of times) is the inaccuracy of finding and identifying something that is a very small part of the entire set looked at. I think we can learn a lot about performing security in the digital world from the analog one. For instance, why is it that we have very few systems in the analog world that claim to prevent something once it is detected? The security cameras in the subway aren’t hooked up to stun guns, right? The “X-ray station” at the airport is monitored by real personnel; why is that? And why not have a way of automatically stopping a car that violates the traffic signs? Because it doesn’t work. Why would the digital world be any different?
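The “very small part of the entire set” argument is the base-rate problem, and it is easier to feel with numbers. The following is an added example, not code from the original post; every figure in it is a constructed assumption (a hypothetical sensor with 99% sensitivity and a 1% false-positive rate, applied to traffic where 1 session in 10,000 is malicious), chosen only to show why an alert that would be a good reason to look is usually a bad reason to block automatically.

```python
"""
Base-rate arithmetic behind "detect first, prevent carefully".

Added example, not from the original post. All numbers are constructed
assumptions, not measurements: a hypothetical detector that catches 99% of
real intrusions with a 1% false-positive rate, applied to traffic in which
only 1 in 10,000 sessions is actually malicious.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    sensitivity: float           # P(alert | intrusion), true-positive rate
    false_positive_rate: float   # P(alert | benign)


def precision(det: Detector, prevalence: float) -> float:
    """Probability that a given alert is a real intrusion (Bayes' rule).

    P(intrusion | alert) =
        P(alert | intrusion) * P(intrusion)
        / (P(alert | intrusion) * P(intrusion) + P(alert | benign) * P(benign))
    """
    tp = det.sensitivity * prevalence
    fp = det.false_positive_rate * (1.0 - prevalence)
    if tp + fp == 0:
        return 0.0
    return tp / (tp + fp)


def daily_outcomes(det: Detector, prevalence: float, sessions_per_day: int) -> dict:
    """Expected counts per day: real intrusions caught, real intrusions missed,
    and benign sessions that would be blocked if every alert triggered prevention."""
    intrusions = sessions_per_day * prevalence
    benign = sessions_per_day - intrusions
    return {
        "true_positives": intrusions * det.sensitivity,
        "missed_intrusions": intrusions * (1.0 - det.sensitivity),
        "false_positives": benign * det.false_positive_rate,
    }


def false_positive_rate_for_precision(sensitivity: float, prevalence: float,
                                      target: float) -> float:
    """Solve precision == target for the false-positive rate: how accurate a
    sensor must be before auto-blocking becomes tolerable at this base rate."""
    tp = sensitivity * prevalence
    # target = tp / (tp + fpr * (1 - prevalence))
    # => fpr = tp * (1 - target) / (target * (1 - prevalence))
    return tp * (1.0 - target) / (target * (1.0 - prevalence))


if __name__ == "__main__":
    ids = Detector(sensitivity=0.99, false_positive_rate=0.01)
    base_rate = 1e-4  # constructed: 1 malicious session in 10,000
    print(f"share of alerts that are real: {precision(ids, base_rate):.4f}")
    print(daily_outcomes(ids, base_rate, sessions_per_day=1_000_000))
    print(f"FP rate needed for 90% precision: "
          f"{false_positive_rate_for_precision(0.99, base_rate, 0.90):.2e}")
```

With those assumed numbers, fewer than 1% of alerts are real intrusions: over a million sessions the sensor catches 99 of 100 attacks but also fires on roughly ten thousand benign sessions. Wiring that alert stream straight to a blocking action means disrupting about a hundred legitimate sessions for every attack stopped; to make the same alert trustworthy enough to block on, the false-positive rate would have to fall by almost three orders of magnitude. That gap between “worth a human look” and “safe to act on automatically” is the whole case for detection with a person in the loop.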

I learnt from Schneier of a good example of the difficulty of monitoring and incident detection in the real world. From the article:

The 178 video cameras that keep watch on San Francisco public housing developments have never helped police officers arrest a homicide suspect even though about a quarter of the city’s homicides occur on or near public housing property, city officials say.

Why is that? Could it be because “Nobody monitors the cameras, and the videos are seen only if police specifically request it from San Francisco Housing Authority officials”? No shit.

Another interesting comment:

The cameras have occasionally managed to miss crimes happening in front of them because they were trained in another direction, and footage is particularly grainy at night when most crime occurs, according to police and city officials.

In the digital world we don’t have darkness clouding our detection instruments, but our “cameras” (intrusion detection systems) can be just as grainy and badly positioned: a sensor watching the wrong segment, or logging too little to tell an attack from noise, misses the crime happening in front of it just as surely. I agree with Schneier when he says that the cameras, which are intended to scare off criminals, also create a false sense of security for the inhabitants of San Francisco. Since we normally don’t disclose that we have “digital cameras”, aka intrusion detection or prevention systems, in the digital world we can pretty much rule out the scare-off effect. What about the false sense of security?
