IDS mailing list archives

RE: NADS ( was RE: IPS comparison)


From: "Joseph Hamm" <jhamm () lancope com>
Date: Wed, 31 Aug 2005 07:14:18 -0400

> I wouldn't, however, limit research on anomaly detection to statistical
> flow analysis. There is a lot more to it (automatic correlation of
> events, unsupervised learning on protocol behavior, etc)

We are on the same page.  You need more than statistical flow analysis.

> Brrrr. I'm not sure I would like that without a human filter.

I agree, you can never automate blocking for every threat.  Hopefully,
administrators will choose a surgical approach in which they will
automate blocking where it makes sense.  Automate some of those tasks
that an administrator would manually perform when a threat occurs.  For
example, if I have 3 threats to respond to at the same time, one coming
from a VPN host, another from marketing, and the third from a critical
server, then it might make sense to choose an automated blocking
strategy for hosts in the VPN and marketing so the administrator can
focus his/her efforts on handling the critical server.  The goal of any
automation should be quicker response to a threat without disrupting
critical business operations.  

Blocking cannot be automated everywhere because the risk is too great.
If you separate your hosts into groups and assign them priorities in
relation to your business, then you can take a more aggressive blocking
policy on less critical hosts.  This can really speed remediation in the
case of a worm outbreak, for example.  This also leaves the
administrator to make only those critical judgment calls.

Joe

Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis.  Visit www.lancope.com.


-----Original Message-----
From: Stefano Zanero [mailto:zanero () elet polimi it] 
Sent: Wednesday, August 31, 2005 4:33 AM
To: Joseph Hamm
Cc: Seek Knowledge; Daniel Cid; Focus-Ids Mailing List
Subject: Re: NADS ( was RE: IPS comparison)

Joseph Hamm wrote:

>> IMHO comparing pure play behavior detection to IPS is like comparing
>> apples and oranges.

> I couldn't agree more.  I spoke up because Stefano brought up the
> topic of anomaly detection.

I didn't, actually - it was brought up by others; I only felt it right to
chime in on my specific area of research :)

> One thing that does bother me is how IPS has been painted as a "magic
> bullet" by vendors (and even the press).

It's a painful scene we have seen for most other technologies... you
remember the PKI-fits-all dance, until 3-4 years ago, don't you ? :)

> (purchase and maintain) a box everywhere you want coverage.   Many folks
> don't even know what NetFlow or sFlow is or how it can be used to
> provide them much needed security information (and save them money).

This for sure. I wouldn't, however, limit research on anomaly detection
to statistical flow analysis. There is a lot more to it (automatic
correlation of events, unsupervised learning on protocol behavior, etc)

> This allows the NADS to find the piece of network infrastructure
> closest to the threat (router, switch, firewall, etc.) and take
> blocking action there in order to quarantine the attack.

Brrrr. I'm not sure I would like that without a human filter.

Best,
Stefano

Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero

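Joe's suggestion above (group hosts by business priority, automate blocking only where the risk is acceptable, and hand the critical judgment calls to a human) can be expressed as a small response policy. The following is an added illustration, not code from Lancope, StealthWatch or anyone in this thread; the group names, address ranges, confidence threshold and per-group cap are all hypothetical. It goes one step beyond the message by adding a per-group cap on unattended blocks, so that a detector false-positive storm cannot isolate an entire department without anyone looking.

```python
"""Tiered automated-blocking policy for a network anomaly detection system.

Added example: hosts belong to groups with a business criticality; a threat on
a host in a group marked for automated blocking is blocked without human
intervention, everything else is escalated to the administrator's queue.
All groups, networks and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Action(Enum):
    AUTO_BLOCK = "auto_block"   # push a block to the nearest enforcement point
    ESCALATE = "escalate"       # queue for a human decision


@dataclass(frozen=True)
class HostGroup:
    name: str
    networks: tuple            # ipaddress networks that make up the group
    criticality: int           # 1 (low) .. 5 (business critical)
    auto_block: bool           # may the NADS block hosts here unattended?


@dataclass(frozen=True)
class Threat:
    host: str                  # offending host, dotted quad
    category: str              # detector label, e.g. "worm-scan"
    confidence: float          # detector confidence, 0..1


# Hypothetical grouping: remote-access and marketing hosts may be blocked
# automatically; the critical server segment never is.
GROUPS = (
    HostGroup("vpn", (ipaddress.ip_network("10.50.0.0/16"),), 2, True),
    HostGroup("marketing", (ipaddress.ip_network("10.20.0.0/16"),), 2, True),
    HostGroup("critical-servers", (ipaddress.ip_network("10.1.0.0/24"),), 5, False),
)


def group_for(host: str):
    """Return the HostGroup containing host, or None if it is unclassified."""
    addr = ipaddress.ip_address(host)
    for group in GROUPS:
        if any(addr in net for net in group.networks):
            return group
    return None


def decide(threat: Threat, min_confidence: float = 0.9) -> Action:
    """Policy for a single threat.

    Unknown hosts and low-confidence detections always go to a human, as does
    anything in a group that has not been cleared for automated blocking.
    """
    group = group_for(threat.host)
    if group is None or not group.auto_block:
        return Action.ESCALATE
    if threat.confidence < min_confidence:
        return Action.ESCALATE
    return Action.AUTO_BLOCK


def triage(threats, min_confidence: float = 0.9, max_auto_per_group: int = 50):
    """Split a batch of threats into (auto_blocked, escalated), input order kept.

    The per-group cap is a safety valve: once more than max_auto_per_group
    hosts of one group have been blocked unattended in this batch, the rest
    are escalated so a person confirms it really is an outbreak and not a
    detector misfire.
    """
    auto_blocked, escalated = [], []
    blocked_per_group = {}
    for threat in threats:
        action = decide(threat, min_confidence)
        if action is Action.AUTO_BLOCK:
            name = group_for(threat.host).name
            blocked_per_group[name] = blocked_per_group.get(name, 0) + 1
            if blocked_per_group[name] > max_auto_per_group:
                action = Action.ESCALATE
        (auto_blocked if action is Action.AUTO_BLOCK else escalated).append(threat)
    return auto_blocked, escalated


# Constructed sample batch: the three simultaneous threats from the message
# plus an unclassified host and a low-confidence detection.
SAMPLE_THREATS = [
    Threat("10.50.3.7", "worm-scan", 0.97),     # VPN host
    Threat("10.20.8.1", "worm-scan", 0.95),     # marketing host
    Threat("10.1.0.5", "worm-scan", 0.99),      # critical server
    Threat("192.168.1.1", "beacon", 0.99),      # not in any group
    Threat("10.50.1.1", "beacon", 0.40),        # VPN host, weak signal
]

if __name__ == "__main__":
    blocked, queued = triage(SAMPLE_THREATS)
    print("blocked automatically:", [t.host for t in blocked])
    print("queued for administrator:", [t.host for t in queued])
```

Run as a script it blocks the VPN and marketing hosts and leaves the critical server, the unclassified host and the weak detection in the administrator's queue, which is exactly the division of labour the message argues for.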
