Dailydave mailing list archives
What EINSTEIN isn't. (Sheesh)
From: Dave Aitel <dave.aitel () gmail com>
Date: Fri, 29 Jan 2016 14:01:47 +0000
http://www.defenseone.com/technology/2016/01/us-homeland-securitys-6b-firewall-has-more-few-frightening-blind-spots/125528/

Let me quote from this weirdly wrong article here:

"EINSTEIN relies on patterns of attacks, called signatures, to spot suspicious traffic, but it does not scan for 94 percent of commonly known vulnerabilities or check web traffic for malicious content <http://www.gao.gov/assets/680/674829.pdf>."

I wanted to correct some craziness I saw in DefenseOne this morning. Apparently it is quite difficult to figure out what EINSTEIN is for, and the technology is complex, so I'm going to clarify matters PURELY AS AN OUTSIDER.

To sum up the article, for people who don't want to read it: Someone is complaining that the EINSTEIN system does not function as a giant perfect Intrusion Prevention System (IPS) for the whole Government! Keep in mind, we already know AV, IPS and IDS and related technologies VERY MUCH DON'T WORK AT SCALE!

First of all: There is not enough memory in the world to hold the state machines you would need to track all the TCP connections going to all the Government networks in the world. The developers of EINSTEIN are *not stupid* enough to think they're going to build a big Palo Alto box. Nor do they want to be in the business of writing thousands of IPS signatures, all of which are probably a giant waste of time.

Instead, EINSTEIN allows the Government to do analysis across individual intrusions, detecting where attackers go when they laterally move from, say, OPM, to the State Department.

Just to sum it up:

"Regarding zero day exploits," Homeland Security officials stated "there is no way to identify them until they are announced," the report states. Once they are disclosed, DHS can mold a signature to the attack pattern and feed it into EINSTEIN.

If you tie that to the feed obviously coming from the NSA, you have something very very useful. Much more useful than an IPS would be.
It is about situational awareness and response, not protection. It still needs testing, but of a very different sort. -dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
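The kind of cross-intrusion analysis the post describes (pooling signature hits from many agencies and seeing where the same indicator turns up next) can be sketched in a few lines. The following is an added illustration, not code from the post, from DHS or from the EINSTEIN program; the agency names, signature ids, timestamps and addresses are constructed, and the record layout is an assumption made for the example.

```python
"""Cross-intrusion correlation over constructed alert records.

Hypothetical illustration only: signature hits from several agencies'
sensors are pooled, and any (signature, remote IP) indicator seen at more
than one agency is reported with the agencies in the order they saw it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts: (agency, UTC time, signature id, remote IP).
# Every value here is made up for the example; the addresses are from
# documentation ranges and the signature ids are placeholders.
SAMPLE_ALERTS = [
    ("agency-a", "2016-01-20T09:12:00", "SIG-1001", "203.0.113.17"),
    ("agency-a", "2016-01-20T09:40:00", "SIG-1002", "198.51.100.5"),
    ("agency-b", "2016-01-22T14:05:00", "SIG-1001", "203.0.113.17"),
    ("agency-c", "2016-01-25T11:30:00", "SIG-1001", "203.0.113.17"),
    ("agency-b", "2016-01-26T08:00:00", "SIG-1003", "192.0.2.44"),
]


def parse_alert(record):
    """Turn one raw tuple into a dict with a parsed timestamp."""
    agency, ts, sig, ip = record
    return {"agency": agency, "time": datetime.fromisoformat(ts),
            "sig": sig, "ip": ip}


def correlate(alerts, min_agencies=2):
    """Group hits by (signature, remote IP) and keep indicators that at
    least `min_agencies` distinct agencies reported, hits sorted by time."""
    by_indicator = defaultdict(list)
    for a in alerts:
        by_indicator[(a["sig"], a["ip"])].append((a["time"], a["agency"]))
    shared = {}
    for key, hits in by_indicator.items():
        agencies = {agency for _, agency in hits}
        if len(agencies) >= min_agencies:
            shared[key] = sorted(hits)
    return shared


def spread_order(correlated):
    """For each shared indicator, the agencies in first-sighting order:
    the 'where did they go next' view the post is talking about."""
    return {key: [agency for _, agency in hits]
            for key, hits in correlated.items()}


def dwell_days(correlated):
    """Whole days between the first and last agency sighting of each
    shared indicator, i.e. how long the campaign was visible fleet-wide."""
    return {key: (hits[-1][0] - hits[0][0]).days
            for key, hits in correlated.items()}


if __name__ == "__main__":
    alerts = [parse_alert(r) for r in SAMPLE_ALERTS]
    shared = correlate(alerts)
    for key, order in spread_order(shared).items():
        print(key, "->", " then ".join(order),
              f"({dwell_days(shared)[key]} days)")
```

With the constructed input, only SIG-1001 against 203.0.113.17 is shared: it shows up at agency-a first, then agency-b two days later, then agency-c. The single-agency hits (SIG-1002, SIG-1003) are dropped, which is the point: an IPS on one site sees one alert, while the pooled view sees the same indicator walking across three networks over five days.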