IDS mailing list archives

Re: Announcement: Alert Verification for Snort


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Fri, 24 Oct 2003 14:58:05 -0400

Ron Gula wrote:

> Good thread so far, but when you add in the fact that your vulnerability
> scanner can have false positives and false negatives, things get very
> complex pretty fast.


I think this is a VERY good point. What it highlights, to me, is that there really is no such thing as a magic security box. You still need a trained analyst who knows what the data means to be able to determine what has to be done with it. And, in that exact same light and in the context of security administration, it really doesn't matter whether we call them false positives, nontextuals, or cheese whiz. :) The only way for a person to determine what data really means to them is for that person or group to decide what kind of analysis they want to do.

However, in the context of security tool development, it absolutely matters what we call each category of event. I think that the whole argument of "nontextuals don't matter to me as an admin" and "nontextuals matter to me as a developer" is missing a very key point: these are two separate job functions, and thinking that we can define one set of terms for both is slightly misplaced. It's well intentioned, but misplaced nonetheless.

So, automation and correlation tools will never replace a good security analyst. Security is just an inherently complex process, and the technology we have just doesn't have the fuzzy logic capabilities necessary to know whether host X fits its profile of what host X is supposed to be or not. As long as all systems on the planet are not exactly the same (which I consider to be a good thing, that they aren't exactly the same), a correlation tool will still only be as smart as the analyst using it. What automation and correlation tools do give us is the ability to reduce our workload... which matters because, no matter how smart a security analyst is, that analyst exists in the realm of physics and, on this planet anyway, there are only 24 hours in the day, and I need around 8 of them to sleep and a certain amount more for activities other than security. :)

So let's not mix up the difference between developers and admins. These really are two different groups with two different interests, even if they do overlap somewhat. And as such, the terminology each group uses will not overlap perfectly.

            -Barry