RE: Definition of Zero Day Protection

• Previous message: Carey, Steve T GARRISON: "RE: Definition of Zero Day Protection"
• Maybe in reply to: Teicher, Mark (Mark): "Definition of Zero Day Protection"
• Next in thread: Teicher, Mark (Mark): "RE: Definition of Zero Day Protection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 9 Aug 2004 12:27:28 -0500
To: "Teicher, Mark (Mark)" <teicher@avaya.com>

Would say they are 'misguided', they believe it. But from the different IDS and IPS systems I have tested and used, the IPS CAN stop attacks, however, if someone in your organization starts using a new software, it may get stopped by the IPS. Also, if the Zero Day Exploit is on the encrypted side, like ssl, then no it wouldn't stop it.

There is some new technology being worked concerning Kernel Protection that comes close, but still is being worked.

The biggest problem with Zero Day Protection is encrypted programs. Host based programs can work, but still believe that as of today it is still going to take a human to ensure Zero Day Protection (provided they have the necessary tools to do it with).

Steve

-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher@avaya.com]
Sent: Monday, August 09, 2004 12:14 PM
To: Carey, Steve T GARRISON
Cc: Seanor, Joseph (Joe); focus-ids@securityfocus.com
Subject: RE: Definition of Zero Day Protection

Marketing ploy?? You mean marketing people don't state the truth about
Zero Day Protection and how it works ??

/mark

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-carey@us.army.mil]
Sent: Monday, August 09, 2004 11:08 AM
To: Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids@securityfocus.com
Subject: RE: Definition of Zero Day Protection

My own personal opinion, based on 7 years of experience in intrusion
detection, is that it is a marketing ploy. Only way to ensure Zero Day
Protection is to use a 'suite' of IDS tools and have an analyst looking
at those logs 24/7 to find the Zero Day Exploit.

Vendors can state they prevent Zero Day Exploits but to do that you can
also stop legitimate traffic. Maybe sometime in the future that can
happen, but not today.

Steve Carey

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

• Previous message: Carey, Steve T GARRISON: "RE: Definition of Zero Day Protection"
• Maybe in reply to: Teicher, Mark (Mark): "Definition of Zero Day Protection"
• Next in thread: Teicher, Mark (Mark): "RE: Definition of Zero Day Protection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]