RE: IDS is dead, etc

From: Craig H. Rowland (crowland_at_cisco.com)
Date: 06/23/03

    To: "'Giles Coochey'" <giles@coochey.net>
    Date: Mon, 23 Jun 2003 09:59:12 -0500
    
    

    Hi Giles,

    On 6/19/03 6:52 PM, "Giles Coochey" <giles@coochey.net> wrote:

    >
    > On Thursday 19 June 2003 4:57 pm, Martin Roesch wrote:
    >
    >> So, is there any way to make the quality of data coming out of the
    >> IDS higher while at the same time diminishing the amount of
    >> information generated? We've been talking about this exact topic on
    >> this list since 1999 on and off and I think all the IDS vendors have
    >> ideas how to achieve this goal by integrating network maps and
    >> host/service identification into the IDS's world view. If those
    >> ideas should actually make their way to market, would that make the
    >> systems more useful? I believe so. (At this point I usually pitch
    >> Sourcefire, but I'll spare you all.)
    >>
    >
    > I would love to see a fingerprinting tool that identified the client
    > and server Operating System / Application and reduced the priority of
    > alerts for false positives when it is known that the system is not
    > vulnerable. The alerts still flag, so we see the drive-by-shootings,
    > but as their priority is reduced they are less significant.
    >
    > Anyone got any development ideas on this front?

    We produced a product called ClearResponse at Psionic that was released
    in July 2002 that does this exact thing. We were acquired by Cisco in
    October 2002 and the product was renamed Cisco ThreatResponse.

    ThreatResponse works dynamically on a network with no prior network
    knowledge and doesn't rely on a pre-defined static database. Also it
    collects forensic evidence from the impacted host in real-time so if you
    see an escalated attack you can go to the GUI and view the actual
    logs/data from the targeted system and look for yourself at what
    happened (we'll grab logs in about 1-2 seconds after the alarm is seen).
    This means an attacker has almost zero time to go onto the box and
    tamper with logs before they are copied. We recently released version
    2.0 of the product and it supports both the Cisco IDS and ISS IDS
    sensors into a single GUI. Using this product can significantly reduce
    alarms from Cisco and ISS sensors. I'm not going to do too much
    plugging, you can read more about it here:

    http://www.cisco.com/en/US/products/sw/secursw/ps5054/index.html

    ...and it's freely available...

    -- Craig
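One way to implement the priority-reduction idea Giles describes above (identify the target's OS and service, then lower the priority of alerts the target cannot be vulnerable to while still keeping the alert), as an added example that is not part of the original thread and not ThreatResponse's or any vendor's code; the host inventory, signature metadata and addresses are constructed:

```python
"""Context-aware alert re-prioritisation: keep the alert, lower its priority
when passive fingerprinting says the target cannot be vulnerable."""

# Constructed host inventory, as a passive OS/service fingerprinter might build it.
HOST_INVENTORY = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache", 22: "openssh"}},
    "10.0.0.9": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}

# Constructed signature metadata: the platform and service each rule's attack needs.
SIG_TARGETS = {
    "WEB-IIS cmd.exe access": {"os": "windows", "service": "iis"},
    "WEB-MISC Apache chunked encoding overflow": {"os": "linux", "service": "apache"},
    "NETBIOS SMB null session": {"os": "windows", "service": "smb"},
}

PRIORITY_ORDER = ["high", "medium", "low"]


def downgrade(priority, steps=2):
    """Move a priority `steps` levels towards 'low', never past it."""
    idx = PRIORITY_ORDER.index(priority)
    return PRIORITY_ORDER[min(idx + steps, len(PRIORITY_ORDER) - 1)]


def prioritize(alert):
    """Return (priority, reason) for one alert dict: keys sig, dst, dport, priority.

    The alert is never dropped. Without host context, or when the target matches
    what the signature's attack requires, the sensor's priority stands; when the
    fingerprinted OS or service does not match, the priority is lowered.
    """
    target = SIG_TARGETS.get(alert["sig"])
    host = HOST_INVENTORY.get(alert["dst"])
    if target is None or host is None:
        return alert["priority"], "no context, priority unchanged"
    service = host["services"].get(alert["dport"])
    if host["os"] == target["os"] and service == target["service"]:
        return alert["priority"], "target matches signature, priority kept"
    observed = f"{host['os']}/{service or 'no service on port'}"
    return downgrade(alert["priority"]), f"target is {observed}, not {target['os']}/{target['service']}"


if __name__ == "__main__":
    sample = {"sig": "WEB-IIS cmd.exe access", "dst": "10.0.0.5", "dport": 80, "priority": "high"}
    print(prioritize(sample))  # an IIS exploit aimed at an Apache/Linux host is downgraded to 'low'
```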


