Re: Announcement: Alert Verification for Snort

From: Barry Fitzgerald (
Date: 10/24/03

  • Next message: Michael Sierchio: "Re: Announcement: Alert Verification for Snort"
    Date: Fri, 24 Oct 2003 14:58:05 -0400
    To: Ron Gula <>,

    Ron Gula wrote:

    > Good thread so far, but when you add in the fact that your vulnerability
    > scanner can have false positives and false negatives, things get very
    > complex pretty fast.

    I think this is a VERY good point.

    What it highlights, to me, is that there really is no such thing as a
    magic security box. You still need a trained analyst who knows what the
    data means to be able to determine what has to be done with it. And, in
    that exact same light and in the context of security administration, it
    really doesn't matter whether we call them false positives, nontextuals,
    or cheese whiz. :) The only way for a person to determine what data
    really means to them is for that person or group to decide what kind of
    analysis they want to do.

    However, in the context of security tool development, it absolutely
    matters what we call each category of event. I think that the whole
    argument of "nontextuals don't matter to me as an admin" and
    "nontextuals matter to me as a developer" is missing a very key point:
    These are two separate job functions and thinking that we can define one
    set of terms for both is slightly misplaced. It's well intentioned,
    but misplaced nonetheless.

    So, automation and correlation tools will never replace a good security
    analyst. Security is just an inherently complex process and the
    technology we have just doesn't have the fuzzy logic capabilities
    necessary to know whether host X fits its profile of what host X is
    supposed to be or not. As long as all systems on the planet are not
    exactly the same (which I consider to be a good thing, that they aren't
    exactly the same) a correlation tool will still only be as smart as the
    analyst using it. What automation and correlation tools do give us is
    the ability to reduce our workload... which matters because, no matter how
    smart a security analyst is, that analyst exists in the realm of physics
    and, on this planet anyway, there are only 24 hours in the day and I need
    around 8 of them to sleep and a certain amount more for activities other
    than security. :)

    So let's not mix up the difference between developers and admins. These
    really are two different groups with two different interests, even if
    they do overlap somewhat. And as such, the terminology each group uses
    will not overlap perfectly.


