IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Fri, 24 Oct 2003 14:58:05 -0400
Ron Gula wrote:
Good thread so far, but when you add in the fact that your vulnerability scanner can have false positives and false negatives, things get very complex pretty fast.
I think this is a VERY good point. What it highlights, to me, is that there really is no such thing as a magic security box. You still need a trained analyst who knows what the data means to be able to determine what has to be done with it. And, in that exact same light and in the context of security administration, it really doesn't matter whether we call them false positives, nontextuals, or cheese whiz. :) The only way for a person to determine what data really means to them is for that person or group to decide what kind of analysis they want to do.
However, in the context of security tool development, it absolutely matters what we call each category of event. I think that the whole argument of "nontextuals don't matter to me as an admin" and "nontextuals matter to me as a developer" is missing a very key point: These are two separate job functions and thinking that we can define one set of terms for both is slightly misplaced. It's well intentioned, but misplaced nonetheless.
So, automation and correlation tools will never replace a good security analyst. Security is just an inherently complex process and the technology we have just doesn't have the fuzzy logic capabilities necessary to know whether host X fits its profile of what host X is supposed to be or not. As long as all systems on the planet are not exactly the same (which I consider to be a good thing, that they aren't exactly the same) a correlation tool will still only be as smart as the analyst using it. What automation and correlation tools do give us is the ability to reduce our workload... which, no matter how smart a security analyst is, that analyst exists in the realm of physics and, on this planet anyway, there are only 24 hours in the day and I need around 8 of them to sleep and a certain amount more for activities other than security. :)
So let's not mix up the difference between developers and admins. These really are two different groups with two different interests, even if they do overlap somewhat. And as such, the terminology each group uses will not overlap perfectly.
-Barry
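Ron's point about scanner false positives and false negatives compounding the verification problem can be put into numbers. The following is an added illustration, not code from this thread or from any Snort verification tool: it models "alert verification" as asking an imperfect vulnerability scanner whether the targeted host is actually vulnerable, and uses Bayes' rule to show how much confidence that verdict buys (and how many real events a suppress-if-not-vulnerable policy would silently drop). All rates are constructed sample values, not measurements.

```python
"""Quantifying IDS alert verification against an imperfect vulnerability scanner.

Model (hypothetical, for illustration): an alert is "real" if the targeted
host is actually vulnerable to what the alert describes. A scanner gives a
verdict on vulnerability with its own true-positive and false-positive rate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    base_rate: float    # P(host really vulnerable | IDS alert fired)
    scanner_tpr: float  # P(scanner says vulnerable | host really vulnerable)
    scanner_fpr: float  # P(scanner says vulnerable | host really not vulnerable)


def verify_posterior(r: Rates, scanner_says_vulnerable: bool) -> float:
    """P(alert is real | scanner verdict), by Bayes' rule."""
    if scanner_says_vulnerable:
        like_real, like_noise = r.scanner_tpr, r.scanner_fpr
    else:
        like_real, like_noise = 1.0 - r.scanner_tpr, 1.0 - r.scanner_fpr
    numerator = r.base_rate * like_real
    denominator = numerator + (1.0 - r.base_rate) * like_noise
    return numerator / denominator if denominator else 0.0


def expected_outcomes(r: Rates, n_alerts: int) -> dict:
    """Expected split of n_alerts under a 'keep only if scanner says vulnerable' policy.

    real_dropped is the cost of scanner false negatives: genuine events the
    policy would suppress. noise_kept is the cost of scanner false positives.
    """
    real = n_alerts * r.base_rate
    noise = n_alerts * (1.0 - r.base_rate)
    return {
        "real_kept": real * r.scanner_tpr,
        "real_dropped": real * (1.0 - r.scanner_tpr),
        "noise_kept": noise * r.scanner_fpr,
        "noise_dropped": noise * (1.0 - r.scanner_fpr),
    }


def kept_precision(r: Rates, n_alerts: int) -> float:
    """Fraction of kept alerts that are real; equals verify_posterior(r, True)."""
    o = expected_outcomes(r, n_alerts)
    kept = o["real_kept"] + o["noise_kept"]
    return o["real_kept"] / kept if kept else 0.0


if __name__ == "__main__":
    # Constructed sample rates: 5% of alerts are real; scanner catches 90% of
    # real vulnerabilities and wrongly flags 10% of non-vulnerable hosts.
    sample = Rates(base_rate=0.05, scanner_tpr=0.90, scanner_fpr=0.10)
    print("P(real | scanner says vulnerable)     = %.3f" % verify_posterior(sample, True))
    print("P(real | scanner says NOT vulnerable) = %.4f" % verify_posterior(sample, False))
    for k, v in expected_outcomes(sample, 1000).items():
        print("%-14s %6.1f per 1000 alerts" % (k, v))
```

With the constructed rates, a "verified" alert is still only about 32% likely to be real, and roughly 5 of every 50 genuine events would be suppressed because the scanner missed the vulnerability. Plugging in a perfect scanner (tpr 1.0, fpr 0.0) collapses both posteriors to 1.0 and 0.0, which is the implicit assumption whenever verification is treated as ground truth rather than as one more noisy signal for the analyst.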