RE: Definition of Zero Day Protectiona

• Previous message: Michal Zalewski: "RE: Definition of Zero Day Protection"
• Next in thread: Oliver Friedrichs: "RE: Definition of Zero Day Protectiona"
• Reply: Oliver Friedrichs: "RE: Definition of Zero Day Protectiona"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 9 Aug 2004 14:23:27 -0600
To: "Carey, Steve T GARRISON" <steven-carey@us.army.mil>

 As some vendors have expressed their definition of "Zero Day" exploits
ranging from malware, viruses that anti-virus software is not up to date
to weak policy practices or unapplied patches. MyDoom and Netsky
viruses are just one example of Zero Day Virus attacks, but in those
type of causes there is a trend before it hit an enterprise environment.

Zero Day Protection from my reseach is neither heuristic or
application-behavior based, but most vendors who claim to have Zero Day
Protection implement either heurtistic or application-behavior based
algoritms, or both. Some vendors claim they can block Zero Day
exploits, but are really blocking spyware, instant messaging, peer to
peer applications, etc. Policy based systems are not dynamic in nature
as they still involved someone analyzing traffic. Dynamic based
alerting and prevention systems is not a solution since most
organizations are afraid of the SKYNET theory (from Terminator), so
therefore Zero Day Protection could be considered a dessert and the
technology a floorwax, or marketing flypaper.. ;)

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-carey@us.army.mil]
Sent: Monday, August 09, 2004 11:08 AM
To: Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids@securityfocus.com
Subject: RE: Definition of Zero Day Protection

My own personal opinion, based on 7 years of experience in intrusion
detection, is that it is a marketing ploy. Only way to ensure Zero Day
Protection is to use a 'suite' of IDS tools and have an analyst looking
at those logs 24/7 to find the Zero Day Exploit.

Vendors can state they prevent Zero Day Exploits but to do that you can
also stop legitimate traffic. Maybe sometime in the future that can
happen, but not today.

Steve Carey

-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher@avaya.com]
Sent: Sunday, August 08, 2004 8:48 PM
To: focus-ids@securityfocus.com
Cc: Seanor, Joseph (Joe)
Subject: Definition of Zero Day Protection

What is Zero Day Protection, I think I understand the definition of Zero
Day Exploits. But what is Zero Day Protection? Another marketing blurb
or it can vendors actually offer zero day protection?

Thank you for clarifying my confusion

/m

------------------------------------------------------------------------

--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
------------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

• Previous message: Michal Zalewski: "RE: Definition of Zero Day Protection"
• Next in thread: Oliver Friedrichs: "RE: Definition of Zero Day Protectiona"
• Reply: Oliver Friedrichs: "RE: Definition of Zero Day Protectiona"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]