Re: NIPS Vendors explicit answer

From: Vikram Phatak (vphatak_at_lucidsecurity.com)
Date: 04/27/04

  • Next message: Ron Gula: "Re: NIPS Vendors explicit answer"

    Date: Mon, 26 Apr 2004 21:03:13 -0400
    To: focus-ids@securityfocus.com

    Greetings again,

    Below is a clarification of my position regarding several issues...

    Regards,
        -Vik

    Frank Knobbe wrote:

    >Greetings,
    >
    >I'm gonna resist quoting a lot of what Vik said (mainly product
    >description) and cut to the chase. I do want to highlight this quote:
    >
    >On Fri, 2004-04-23 at 16:36, Vikram Phatak wrote:
    >
    >
    >>As with firewalls, we believe IPS needs to be more black and white
    >>regarding the approach taken. While much of the work being done
    >>regarding anomalous behavior is cool, it is not practical unless it
    >>can be used in the "real world" to prevent attacks. Believing that
    >>traffic is harmful and knowing it is harmful are two different things.
    >>
    >>
    >
    >If you confine your thinking to statistical anomaly detection, then this
    >may be correct. However, behavioral anomalies can be safely detected and
    >used to prevent attacks. After all, you know how your network is
    >supposed to act and can (by cleverly crafting custom rules) detect any
    >"fishy" activity that should be prevented (or never happen in the first
    >place).
    >
    >
    I was confining my statement regarding anomalous behavior to statistical
    anomaly detection in this paragraph.

    >ipAngel places a great deal of emphasis on correlation of
    >vulnerabilities to IDS alerts. While I wish you well in this endeavor, I
    >do question the approach. I'm not harping on ipAngel in particular since
    >the same applies to other vendors as well. It remains to be seen how
    >much value that approach actually adds to intrusion Detection.
    >
    >
    >
    Regarding correlating VA with IDS - I agree with you regarding the
    limited value of tuning an Intrusion Detection System based upon VA
    results. An IDS should be looking for "who is trying to get me",
    which includes attacks that are irrelevant from an IPS perspective (like
    Code Red going to a Linux box) as well as behavioral anomalies and
    statistical anomalies.

    >In my opinion, you are restraining your IDS rules to certain
    >vulnerabilities for certain systems. This is okay for reducing false
    >positive, but imho it should not be a driving factor when developing
    >your IDS rules. After all, if you know what you are vulnerable to, why
    >not act and remedy the vulnerability? If you know what set of possible
    >vulnerabilities might apply to you (for example, running IIS), then
    >sure, use that info to tune the IDS and reduce FP's. But don't just
    >focus on those vulnerabilities.
    >
    >
    There are many reasons for not immediately remediating a vulnerability
    by patching a system - (1) not enough time, (2) it may break an
    application you rely on, (3) not allowed to touch the system until the
    maintenance window, and so on. As far as focusing on the
    vulnerabilities... Focusing on the vulnerabilities enables us to
    protect systems until they are patched. Preventing vulnerabilities from
    being exploited is how we keep worms and other attacks from
    successfully compromising systems. If there were no vulnerabilities,
    there would be little need for Intrusion Prevention.

    >IDSes are Intrusion Detection Systems. Why do we need to detect
    >something that we know exists? In my opinion we should focus our efforts
    >on detecting the *unknown* events, not the known ones. I argue that you
    >are looking the wrong way :)
    >Statistical anomaly detection is one attempt to do that (and I agree, it
    >may not be the most foolproof method, but it does provide value as an
    >added layer).
    >
    >
    Why detect something that we know exists? To keep the system from being
    compromised (from a prevention standpoint). From our perspective IDS &
    IPS have different missions. IDS is looking for those that intend to
    harm or misuse a network. IPS is all about protecting assets on the
    network from being compromised. Also, by focusing on the underlying
    vulnerability, we are able to address zero day exploits to existing
    (non-zero day) vulnerabilities, which comprise the vast majority of
    exploits.
    As far as looking the wrong way.... I would argue that some IPS vendors
    that have not reviewed the mission of IPS versus the mission of IDS are
    looking the wrong way :-)
    The real issue when trying to keep a system secure is vulnerabilities
    and people's inability to keep up with patches. If there were no
    vulnerabilities on a properly hardened system, there would be virtually
    no successful attacks. Our approach is to protect what we know can be
    protected today.

    >Another method of detecting these unknown events is that of (what I
    >call) descriptive behavioral anomaly detection. Using this approach you
    >first describe traffic patterns that are normal and expected. You then
    >get alerted when abnormal traffic patterns are detected.
    >
    >The simplest example I can condense this to is a single web server. Why
    >let the IDS run a VA scan to determine if it's patched or not instead of
    >you applying the patch? While it's fine to determine the system type so
    >that IDS rules can be tuned, beyond that I don't see much added value.
    >However, behavioral anomaly detection will. You would expect only
    >incoming web requests to that web server. If you define the traffic
    >patterns such that you will be alerted on other traffic, for example the
    >web server establishing an outbound FTP session or tunnel or shell, you
    >can safely detect this event and give your IDS much more value.
    >
    >
    Why not just disallow outgoing traffic from the web server in your
    firewall? Besides which by the time you detect this behavior the system
    is already compromised. How does this approach prevent anything from
    being compromised?

    >At Praemunio, we do Intrusion Prevention differently than most other
    >shops. I'm not gonna toot my horn here, but suffice to say that we use
    >the behavioral approach combined with Intrusion Prevention, and I can
    >tell you that it is working extremely well.
    >
    >I believe there is a market for vendors (like Sourcefire) to come up
    >with tools to ease the pain in identifying your network and subsequently
    >crafting customized rules for it (if that is indeed what Sourcefire's
    >RNA does... Marty, please elaborate if I'm off track here). Instead of
    >focusing on vulnerabilities, we should focus on devices/assets, which
    >traffic flows are normal and which are not, and engage the IDS with
    >knowledge of the good, known behavior (and have it alert on the bad)
    >instead of focusing on bad behavior (and ignoring the good).
    >
    >
    >Regards,
    >Frank
    >
    >
    >
    >

    -- 
    Vikram Phatak
    CTO, Lucid Security
    http://www.lucidsecurity.com
    ipANGEL -"Best Emerging Technology" - Information Security Magazine
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
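The two approaches argued over in this exchange, as an added worked example that is not part of the original thread and is not code from ipANGEL, Praemunio or any other product mentioned. It declares the "normal" flows for a web server and flags what the description does not cover (Frank's descriptive behavioral anomaly detection, including the outbound FTP and shell case), and it correlates IDS alerts against a vulnerability inventory so that only attacks against a hole the target actually has are blocked while everything is still logged (the VA/IPS correlation Vik describes, with Code Red against a Linux box as the irrelevant case). All addresses, ports, signature names and inventory entries are constructed assumptions; CVE-2001-0500 is the IIS idq.dll overflow that Code Red exploited.

```python
"""Added example, not from the original thread or either vendor's product. It
runs two checks from the debate above over constructed data:
 1. descriptive behavioral anomaly detection (Frank's web-server case): declare
    the flows a host is expected to see and flag every observed flow the
    description does not cover, e.g. the web server opening an outbound FTP session;
 2. vulnerability-correlated alert triage (the VA/IDS correlation Vik describes):
    keep every IDS alert but mark which ones exercise a vulnerability the
    destination actually has, so the IPS blocks only those and "Code Red going
    to a Linux box" stays a log entry.
All addresses, ports, signature names and inventory entries are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Flow:
    """One connection attempt; src is the side that opened it."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class FlowRule:
    """One line of an asset's 'normal traffic' description."""
    direction: str          # "in": asset is dst, "out": asset is src
    proto: str
    ports: Set[int]         # allowed destination ports
    peers: List = field(default_factory=lambda: [ANY])  # allowed remote networks

    def covers(self, asset_ip: str, f: Flow) -> bool:
        if f.proto != self.proto or f.dport not in self.ports:
            return False
        local, remote = (f.dst, f.src) if self.direction == "in" else (f.src, f.dst)
        return local == asset_ip and any(ip_address(remote) in n for n in self.peers)

@dataclass
class Asset:
    ip: str
    vulns: Set[str]            # vulnerability IDs the VA scan reported
    expected: List[FlowRule]   # the behavioral description

def behavioral_anomalies(asset: Asset, flows: List[Flow]) -> List[Flow]:
    """Flows touching the asset that no expected-traffic rule accounts for."""
    return [f for f in flows if asset.ip in (f.src, f.dst)
            and not any(r.covers(asset.ip, f) for r in asset.expected)]

@dataclass(frozen=True)
class Alert:
    sig: str
    src: str
    dst: str
    targets: FrozenSet[str]    # vulnerability IDs the signature exercises; empty = generic

def triage(alert: Alert, inventory: Dict[str, Asset]) -> str:
    """relevant: dst has a hole the signature exercises (IPS should block)
    irrelevant: signature targets a hole dst does not have (log only)
    untargeted: generic/behavioral signature, nothing to correlate (log)
    unknown: no inventory record for dst (log)"""
    asset = inventory.get(alert.dst)
    if asset is None:
        return "unknown"
    if not alert.targets:
        return "untargeted"
    return "relevant" if alert.targets & asset.vulns else "irrelevant"

def ips_action(verdict: str) -> str:
    """Block inline only when the target is confirmed vulnerable; log everything."""
    return "block+log" if verdict == "relevant" else "log"

# Constructed inventory and traffic (assumed values, not captured data).
WEB = Asset("192.0.2.10", set(), [
    FlowRule("in", "tcp", {80, 443}),                             # public web
    FlowRule("in", "tcp", {22}, [ip_network("10.0.0.0/8")]),      # admin ssh only
    FlowRule("out", "udp", {53}, [ip_network("192.0.2.53/32")]),  # local resolver
])
IIS = Asset("192.0.2.20", {"CVE-2001-0500"},                      # idq.dll hole Code Red used
            [FlowRule("in", "tcp", {80})])
INVENTORY = {a.ip: a for a in (WEB, IIS)}
FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", 80),          # normal web request
    Flow("192.0.2.10", "192.0.2.53", 53, "udp"),     # normal DNS lookup
    Flow("198.51.100.8", "192.0.2.10", 22),          # ssh from the internet
    Flow("192.0.2.10", "203.0.113.9", 21),           # web server opens FTP outbound
    Flow("192.0.2.10", "203.0.113.9", 4444),         # reverse shell
]
CODE_RED = frozenset({"CVE-2001-0500"})
ALERTS = [
    Alert("IIS .ida ISAPI overflow (Code Red)", "198.51.100.9", "192.0.2.10", CODE_RED),
    Alert("IIS .ida ISAPI overflow (Code Red)", "198.51.100.9", "192.0.2.20", CODE_RED),
    Alert("TCP port sweep", "198.51.100.9", "192.0.2.10", frozenset()),
]

if __name__ == "__main__":
    for f in behavioral_anomalies(WEB, FLOWS):
        print("ANOMALY", f)
    for a in ALERTS:
        v = triage(a, INVENTORY)
        print(f"{ips_action(v):9s} {v:10s} {a.dst} {a.sig}")
```

Run as a script, the first check reports the internet-side SSH attempt, the outbound FTP session and the port 4444 connection as anomalies while the web request and DNS lookup pass; the second marks Code Red against the Linux web server "irrelevant" (logged, not blocked), the same signature against the unpatched IIS host "relevant" (blocked and logged), and the port sweep "untargeted". The two checks answer different questions, which is the distinction both posters draw: the flow description catches a host that is already misbehaving, the vulnerability correlation decides what is worth blocking before it succeeds.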
    
