IDS mailing list archives

RE: Anomaly Based Network IDS


From: "Drew Copley" <dcopley () eEye com>
Date: Wed, 23 Jun 2004 13:25:39 -0700

 

-----Original Message-----
From: Drew Copley 
Sent: Tuesday, June 22, 2004 8:35 PM
To: 'Wozny, Scott (US - New York)'; 
focus-ids () securityfocus com; secdistlist () dauncey net
Subject: RE: Anomaly Based Network IDS

 

-----Original Message-----
From: Wozny, Scott (US - New York) [mailto:swozny () deloitte com] 
Sent: Tuesday, June 22, 2004 2:32 PM
To: Drew Copley; Aaron Jordan; focus-ids () securityfocus com; 
secdistlist () dauncey net
Subject: RE: Anomaly Based Network IDS

Semantics aside, I find the smoke and mirrors aspect of this technology
fascinating.  The bottom line is this.  The heart of anomaly based IDS
is to tell you that your network traffic patterns (from what you're
feeding the device) are noticeably different today than they were
yesterday (or an hour ago or 5 minutes ago or whatever).  While this is
an interesting value proposition it's an addition to, not a replacement
for, classical signature based IDS (or IPS if you're brave) that those
in the trenches rely upon every day to tell them who is knocking at
their doors and who brought in an infected laptop from home that's
raising hell on the intranet.  If an exploit is released for a
vulnerability that isn't known in the security community (specifically
the signature-based vendors) yet, then anomaly based IDS does have a real
opportunity to be your first warning that something is amiss.

[Noting that the original post was from lancope itself, posing
as an actual customer that had "found zero day vulneribilities" -- 
one of the most absurd and misinformed lines I have heard in a 
long time... noting and moving on.]

There are several chances to "find" zero day. This is not a
semantic issue, at all. It is a very critical issue.

If people are clutching to smoke and mirrors, they will find
themselves in deep water when the ship is sinking. To continue
with the analogy.

Anyway, you are right, the technology is advancing, here is
a fresher article with a less entertaining and pertinent
title:

http://www.nwc.securitypipeline.com/howto/showArticle.jhtml?articleId=17602432&pgno=1

Lancope's StealthWatch gets a C+, btw. 

<snip>

I should note, ordinarily, I would never point out such things.

I have not tested out Lancope's StealthWatch, and have no idea
of how good or bad it is. Reviews can often be unfair -- they
can get a bad build, or they can represent a product far behind
what soon to be revealed future fixes will show. They represent
a version at a static point in time... oftentimes the version just
before the one reviewed, or the version a few months after
the review, will have the bad issues solved.

Sometimes, not. But, often so. Such is a secondary benefit of
the reviewing process -- major bugs are forced into the spotlight.

As I am sure we all realize, the forged post was made by a single,
ambitious but misinformed individual -- as it reeks of. My general
comments were not stated with Lancope in mind, at all... whose product
I have admittedly not tested.

So, just to be fair.

