IDS mailing list archives
Re: NIPS Vendors explicit answer
From: Vikram Phatak <vphatak () lucidsecurity com>
Date: Mon, 26 Apr 2004 21:03:13 -0400
Greetings again, Below is a clarification of my position regarding several issues... Regards, -Vik Frank Knobbe wrote:
I was confining my statement regarding anomalous behavior to statistical anomaly detection in this paragraph.Greetings, I'm gonna resist to quote a lot of what Vik said (mainly productdescription) and cut to the chase. I do want to highlight this quote:On Fri, 2004-04-23 at 16:36, Vikram Phatak wrote:As with firewalls, we believe IPS needs to be more black and white regarding the approach taken. While much of the work being done regarding anomalous behavior is cool, it is not practical unless it can be used in the "real world" to prevent attacks. Believing that traffic is harmful and knowing it is harmful are two different things.If you confine your thinking to statistical anomaly detection, then this may be correct. However, behavioral anomalies can be safely detected and used to prevent attacks. After all, you know how your network is supposed to act and can (by cleverly crafting custom rules) detect any "fishy" activity that should be prevented (or never happen in the first place).
Regarding correlating VA with IDS - I agree with you regarding the limited value of tuning an Intrusion Detection System based upon VA results. An IDS is should be looking for "who is trying to get me", which includes attacks that are irrelavent from an IPS perspective (like code red going to a linux box) as well as behavioral anomalies and statistical anomalies.ipAngel places a great deal of emphasis on correlation of vulnerabilities to IDS alerts. While I wish you well in this endeavor, I do question the approach. I'm not harping on ipAngel in particular since the same applies to other vendors as well. It remains to be seen how much value that approach actually adds to intrusion Detection.
There are many reasons for not immediately remediating a vulnerability by patching a system - (1) not enough time, (2) it may break an application you rely on, (3) not allowed to touch the system until the maintenance window, and so on. As far as focusing on the vulnerabilities... Focusing on the vulnerabilities enables us to protect systems until they are patched. Preventing vulnerabilities from being exploited is how we keeps worms and other attacks from successfully compromising systems. If there were no vulnerabilities, there would be little need for Intrusion Prevention.In my opinion, you are restraining your IDS rules to certain vulnerabilities for certain systems. This is okay for reducing false positive, but imho it should not be a driving factor when developing your IDS rules. After all, if you know what your are vulnerable to, why not act and remedy the vulnerability? If you know what set of possible vulnerabilities might apply to you (for example, running IIS), then sure, use that info to tune the IDS and reduce FP's. But don't just focus on those vulnerabilities.
Why detect something that we know exists? To keep the system from being compromised (from a prevention standpoint). From our perspective IDS & IPS have different missions. IDS is looking for those that intend to harm or misuse a network. IPS is all about protecting assets on the network from being compromised. Also, by focusing on the underlying vulnerability, we are able to address zero day exploits to existing (non-zero day) vulnerabilities, which comprise the vast majority of exploits. As far as looking the wrong way.... I would argue that some IPS vendors that have not reviewed the mission of IPS versus the mission of IDS are looking the wrong way :-) The real issue when trying to keep a system secure is vulnerabilities and people's inability to keep up with patches. If there were no vulnerabilities on a properly hardened system, there would be virtually no successful attacks. Our approach is to protect what we know can be protected today.IDSes are Intrusion Detection Systems. Why do we need to detect something that we know exists? In my opinion we should focus our efforts on detecting the *unknown* events, not the known ones. I argue that youare looking the wrong way :) Statistical anomaly detection is one attempt to do that (and I agree, itmay not be the most foolproof method, but it does provides value as anadded layer).
Why not just disallow outgoing traffic from the web server in your firewall? Besides which by the time you detect this behavior the system is already compromised. How does this approach prevent anything from being compromised?Another method of detecting these unknown events is that of (what I call) descriptive behavioral anomaly detection. Using this approach you first describe traffic patterns that are normal and expected. You then get alerted when abnormal traffic patterns are detected. The simplest example I can condense this to is a single web server. Why let the IDS run a VA scan to determine of it's patched or not instead of you applying the patch? While it's fine to determine the system type so that IDS rules can be tuned, beyond that I don't see much added value. However, behavioral anomaly detection will. You would expect only incoming web requests to that web server. If you define that traffic patterns such that you will be alerted on other traffic, for example the web server establishing an outbound FTP session or tunnel or shell, you can safely detect this event and give your IDS much more value.
At Praemunio, we do Intrusion Prevention differently than most other shops. I'm not gonna toot my horn here, but suffice to say that we use the behavioral approach combined with Intrusion Prevention, and I can tell you that it is working extremely well. I believe there is a market for vendors (like Sourcefire) to come up with tools to ease the pain in identifying your network and subsequently crafting customized rules for it (if that is indeed what Sourcefire'sRNA does... Marty, please elaborate if I'm off track here). Instead of focusing on vulnerabilities, we should focus on devices/assets, whichtraffic flows are normal and which are not, and engage the IDS with knowledge of the good, known behavior (and have it alert on the bad) instead of focusing on bad behavior (and ignoring the good). Regards, Frank
-- Vikram Phatak CTO, Lucid Security http://www.lucidsecurity.com ipANGEL -"Best Emerging Technology" - Information Security Magazine --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- NIPS Vendors explicit answer christian graf (Apr 08)
- Re: NIPS Vendors explicit answer christian graf (Apr 19)
- <Possible follow-ups>
- RE: NIPS Vendors explicit answer Kohlenberg, Toby (Apr 12)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 26)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 26)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- Re: NIPS Vendors explicit answer Frank Knobbe (Apr 27)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- Message not available
- Re: NIPS Vendors explicit answer Frank Knobbe (Apr 27)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- RE: NIPS Vendors explicit answer Rob Shein (Apr 28)
- RE: NIPS Vendors explicit answer Frank Knobbe (Apr 30)
- RE: NIPS Vendors explicit answer Rob Shein (Apr 30)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 26)
- Re: IDSes and known attacks (was: NIPS Vendors explicit answer) Drexx Laggui (Apr 28)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 28)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 28)