IDS mailing list archives
Re: IDS thoughts
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 03 Jun 2003 14:03:51 -0700
I wrote:
Anytime you have an interface between zones of different risk, liability, threat, or whatever, there should be:
-A policy which enunciates and addresses this difference
-A mechanism for enforcing this policy
-A mechanism for auditing the enforcement of this policy
Stefano Zanero writes:
Yes. But, as long as you can clearly DEFINE this policy, the enforcement mechanism and the detection mechanism can be the same. If you check twice against the same rule, you are not doing "anomaly detection" - at least, not in my concept :-)
This is true. It is also irrelevant. You don't want a discrete monitoring mechanism because you want to do anomaly detection (or at least, that is not the exclusive reason). You want your monitoring mechanism to be decoupled from your policy enforcement mechanism to be able to audit the failure mode of your enforcement mechanism. Whether or not this entails anomaly detection (for some suitably gerrymandered definition of the term) is beside the point.

The fact that there is a common Latin phrase which reflects this dilemma---`Quis custodiet ipsos custodes?'[0]---suggests that this is a class of problem whose importance has been recognised for quite some time[1].

-spb

-----
0 `Who keeps the keepers?' or (currently more popularly) `Who watches the watchmen?'
1 Although it appears to be traditional for (online) information security to defer adoption of applicable innovations until forced to by brutal necessity. Most network anomaly detection systems, for example, are significantly less sophisticated than the traffic analysis tools used by British intelligence in the Second World War.
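The point of the exchange, as an added illustration that is not part of the thread: the same policy is evaluated twice, once by the enforcement mechanism and once by a decoupled auditor, and the second evaluation is what exposes the enforcer's failure mode. The zone names, the policy table, the enforcer's fail-open defect and the traffic log are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


# Policy (constructed): the only traffic allowed to cross from the
# untrusted zone into the DMZ is HTTP and HTTPS.
POLICY_ALLOW = {("untrusted", "dmz", 80), ("untrusted", "dmz", 443)}


def policy_allows(flow: Flow) -> bool:
    return (flow.src_zone, flow.dst_zone, flow.dst_port) in POLICY_ALLOW


def enforcer(flow: Flow) -> bool:
    """Enforcement mechanism (think firewall). It carries a constructed
    defect: any flow to a port above 1024 is forwarded without consulting
    the policy, i.e. it fails open on traffic it does not classify."""
    if flow.dst_port > 1024:
        return True  # constructed failure mode: fail-open on high ports
    return policy_allows(flow)


def audit(observed):
    """Independent monitor. It does not trust the enforcer's verdicts;
    it re-evaluates each observed (flow, forwarded) pair against the same
    policy and reports every flow where the two disagree."""
    findings = []
    for flow, forwarded in observed:
        expected = policy_allows(flow)
        if forwarded != expected:
            verdict = "forwarded" if forwarded else "dropped"
            findings.append((flow, verdict, expected))
    return findings


def sample_log():
    """Constructed traffic log: each flow paired with what the enforcer did."""
    flows = [
        Flow("untrusted", "dmz", 80),      # allowed, forwarded: consistent
        Flow("untrusted", "dmz", 22),      # denied, dropped: consistent
        Flow("untrusted", "dmz", 8080),    # denied by policy, fail-open forwards it
        Flow("dmz", "internal", 3306),     # denied by policy, fail-open forwards it
    ]
    return [(f, enforcer(f)) for f in flows]
```

Checking the enforcer's own log against the enforcer's own rule would report nothing; only the auditor that re-derives the expected verdict from the policy surfaces the two fail-open forwards.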