RE: NADS ( was RE: IPS comparison)

From: Joseph Hamm (jhamm_at_lancope.com)
Date: 08/31/05

    Date: Wed, 31 Aug 2005 07:14:18 -0400
    To: "Stefano Zanero" <zanero@elet.polimi.it>
    
    

    >I wouldn't, however, limit research on anomaly detection to statistical
    >flow analysis. There is a lot more to it (automatic correlation of
    >events, unsupervised learning on protocol behavior, etc)

    We are on the same page. You need more than statistical flow analysis.

    >Brrrr. I'm not sure I would like that without a human filter.

    I agree, you can never automate blocking for every threat. Hopefully,
    administrators will choose a surgical approach in which they will
    automate blocking where it makes sense. Automate some of those tasks
    that an administrator would manually perform when a threat occurs. For
    example, if I have 3 threats to respond to at the same time, one coming
    from a VPN host, another from marketing, and the third from a critical
    server, then it might make sense to choose an automated blocking
    strategy for hosts in the VPN and marketing so the administrator can
    focus his/her efforts on handling the critical server. The goal of any
    automation should be quicker response to a threat without disrupting
    critical business operations.

    Blocking cannot be automated everywhere because the risk is too great.
    If you separate your hosts into groups and assign them priorities in
    relation to your business, then you can take a more aggressive blocking
    policy on less critical hosts. This can really speed remediation in the
    case of a worm outbreak, for example. This also leaves the
    administrator to make only those critical judgment calls.

    Joe

    Joe Hamm, CISSP
    Senior Security Engineer
    Lancope, Inc.
    jhamm@lancope.com
    404.644.7227 (cell)
    770.225.6509 (fax)

    Lancope - Security through Network Intelligence(tm)
    StealthWatch(tm) by Lancope, a next-generation network security
    solution, delivers behavior-based intrusion detection, policy
    enforcement and insightful network analysis. Visit www.lancope.com.

    -----Original Message-----
    From: Stefano Zanero [mailto:zanero@elet.polimi.it]
    Sent: Wednesday, August 31, 2005 4:33 AM
    To: Joseph Hamm
    Cc: Seek Knowledge; Daniel Cid; Focus-Ids Mailing List
    Subject: Re: NADS ( was RE: IPS comparison)

    Joseph Hamm wrote:

    >>IMHO comparing pure play behavior detection to IPS is like comparing
    >>apples and oranges.
    >
    > I couldn't agree more. I spoke up because Stefano brought up the
    > topic of anomaly detection.

    I didn't, actually - it was brought up by others, I only felt right to
    chime in on my specific area of research :)

    > One thing that does bother me is how IPS has been painted as a "magic
    > bullet" by vendors (and even the press).

    It's a painful scene we have seen for most other technologies... you
    remember the PKI-fits-all dance, until 3-4 years ago, don't you ? :)

    > (purchase and maintain) a box everywhere you want coverage. Many folks
    > don't even know what NetFlow or sFlow is or how it can be used to
    > provide them much needed security information (and save them money).

    This for sure. I wouldn't, however, limit research on anomaly detection
    to statistical flow analysis. There is a lot more to it (automatic
    correlation of events, unsupervised learning on protocol behavior, etc)

    > This allows the NADS to find the piece of network infrastructure
    > closest to the threat (router, switch, firewall, etc.) and take
    > blocking action there in order to quarantine the attack.

    Brrrr. I'm not sure I would like that without a human filter.

    Best,
    Stefano

    Ph.D. Student
    Politecnico di Milano - Dip. Elettronica e Informazione
    www.elet.polimi.it/upload/zanero
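The grouped blocking policy Joe describes above (automated blocking only for lower-priority host groups, critical servers escalated to an administrator) can be sketched as follows. This is an added example, not code from either poster or from Lancope; the host groups, CIDR ranges, priorities and threshold are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed host groups with business priorities (illustrative only, not
# a StealthWatch configuration). Lower number = more critical to the business.
HOST_GROUPS = {
    "critical_servers": (["10.0.10.0/24"], 1),
    "marketing":        (["10.0.50.0/24"], 3),
    "vpn_hosts":        (["172.16.0.0/16"], 4),
}

# Groups at or above this priority number may be blocked automatically;
# anything more critical is queued for a human decision instead.
AUTO_BLOCK_MIN_PRIORITY = 3

@dataclass
class Decision:
    host: str
    group: str
    action: str   # "auto_block" or "escalate"

def classify(host):
    """Return (group, priority) for a host; the longest matching prefix wins.
    Unknown hosts get priority 0 (most critical) so they are never blocked
    blindly by the automation."""
    addr = ipaddress.ip_address(host)
    best = None  # (group, priority, prefixlen)
    for name, (cidrs, prio) in HOST_GROUPS.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[2]):
                best = (name, prio, net.prefixlen)
    return (best[0], best[1]) if best else ("unknown", 0)

def decide(host):
    """Apply the policy: block automatically only on less critical groups."""
    group, prio = classify(host)
    action = "auto_block" if prio >= AUTO_BLOCK_MIN_PRIORITY else "escalate"
    return Decision(host, group, action)

def triage(hosts):
    """Split simultaneous threats into those handled by automation and those
    left for the administrator, as in the three-threat scenario above."""
    decisions = [decide(h) for h in hosts]
    blocked = [d for d in decisions if d.action == "auto_block"]
    queue = [d for d in decisions if d.action == "escalate"]
    return blocked, queue

if __name__ == "__main__":
    b, q = triage(["172.16.4.9", "10.0.50.21", "10.0.10.5"])
    print("auto-blocked:", [d.host for d in b])
    print("for admin review:", [d.host for d in q])
```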

