IDS mailing list archives
RE: NADS ( was RE: IPS comparison)
From: "Joseph Hamm" <jhamm () lancope com>
Date: Wed, 31 Aug 2005 07:14:18 -0400
> I wouldn't, however, limit research on anomaly detection to statistical
> flow analysis. There is a lot more to it (automatic correlation of events,
> unsupervised learning on protocol behavior, etc)

We are on the same page. You need more than statistical flow analysis.

> Brrrr. I'm not sure I would like that without a human filter.

I agree, you can never automate blocking for every threat. Hopefully, administrators will choose a surgical approach in which they will automate blocking where it makes sense. Automate some of those tasks that an administrator would manually perform when a threat occurs. For example, if I have 3 threats to respond to at the same time, one coming from a VPN host, another from marketing, and the third from a critical server, then it might make sense to choose an automated blocking strategy for hosts in the VPN and marketing so the administrator can focus his/her efforts on handling the critical server.

The goal of any automation should be quicker response to a threat without disrupting critical business operations. Blocking cannot be automated everywhere because the risk is too great. If you separate your hosts into groups and assign them priorities in relation to your business, then you can take a more aggressive blocking policy on less critical hosts. This can really speed remediation in the case of a worm outbreak, for example. This also leaves the administrator to make only those critical judgment calls.

Joe

Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227 (cell)
770.225.6509 (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network analysis. Visit www.lancope.com.

-----Original Message-----
From: Stefano Zanero [mailto:zanero () elet polimi it]
Sent: Wednesday, August 31, 2005 4:33 AM
To: Joseph Hamm
Cc: Seek Knowledge; Daniel Cid; Focus-Ids Mailing List
Subject: Re: NADS ( was RE: IPS comparison)

Joseph Hamm wrote:
>> IMHO comparing pure play behavior detection to IPS is like comparing
>> apples and oranges.
>
> I couldn't agree more. I spoke up because Stefano brought up the topic
> of anomaly detection.

I didn't, actually - it was brought up by others, I only felt it right to chime in on my specific area of research :)

> One thing that does bother me is how IPS has been painted as a "magic
> bullet" by vendors (and even the press).

It's a painful scene we have seen for most other technologies... you remember the PKI-fits-all dance, until 3-4 years ago, don't you? :)

> (purchase and maintain) a box everywhere you want coverage. Many folks
> don't even know what NetFlow or sFlow is or how it can be used to provide
> them much needed security information (and save them money).

This for sure. I wouldn't, however, limit research on anomaly detection to statistical flow analysis. There is a lot more to it (automatic correlation of events, unsupervised learning on protocol behavior, etc)

> This allows the NADS to find the piece of network infrastructure closest
> to the threat (router, switch, firewall, etc.) and take blocking action
> there in order to quarantine the attack.

Brrrr. I'm not sure I would like that without a human filter.

Best,
Stefano

Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero
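Joe's proposal above (group hosts, assign each group a business priority, automate blocking only on the less critical groups, and leave the critical judgment calls to a human) can be written down as a small response policy. The following is an added example, not code from the thread or from any Lancope/StealthWatch product; the host groups, priorities, severity thresholds, block budget and sample alerts are all constructed for illustration. It also adds one safeguard the discussion implies but does not spell out: a cap on automated blocks per window, so that a flood of alerts during an outbreak (or a burst of false positives) cannot turn the policy into a self-inflicted outage.

```python
"""Tiered automated-response policy for a network anomaly detection system (NADS).

Constructed illustration: group definitions, priorities, thresholds and alerts are
invented for this example and do not describe any real product's behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Host groups with a business priority: 1 = most critical (never auto-block),
# 3 = least critical (aggressive automated blocking). Constructed values.
HOST_GROUPS = {
    "critical-servers": {"networks": ["10.0.1.0/24"], "priority": 1},
    "marketing":        {"networks": ["10.0.20.0/24"], "priority": 2},
    "vpn":              {"networks": ["10.0.99.0/24"], "priority": 3},
}
_GROUP_NETS = {name: [ip_network(n) for n in g["networks"]] for name, g in HOST_GROUPS.items()}

# Minimum NADS severity (assumed 1..10 scale) at which a group is auto-blocked.
# None means "always escalate to a human", which is the rule for priority 1.
AUTO_BLOCK_MIN_SEVERITY = {1: None, 2: 8, 3: 5}

# Safety valve: at most this many automated blocks per evaluation window.
MAX_AUTO_BLOCKS_PER_WINDOW = 20


def group_of(host: str) -> Optional[str]:
    """Return the host group containing this address, or None if unknown."""
    addr = ip_address(host)
    for name, nets in _GROUP_NETS.items():
        if any(addr in net for net in nets):
            return name
    return None


@dataclass(frozen=True)
class Alert:
    host: str        # offending host as reported by the NADS
    severity: int    # 1..10, assumed scoring scale
    reason: str      # human-readable description from the detector


@dataclass
class Decision:
    alert: Alert
    action: str      # "auto-block" or "escalate"
    why: str         # justification, kept for the audit trail


class ResponsePolicy:
    def __init__(self, max_auto_blocks: int = MAX_AUTO_BLOCKS_PER_WINDOW):
        self.max_auto_blocks = max_auto_blocks
        self.auto_blocks = 0  # caller resets this once per window

    def decide(self, alert: Alert) -> Decision:
        group = group_of(alert.host)
        if group is None:
            # Unknown hosts get no automated action: we cannot judge their business impact.
            return Decision(alert, "escalate", "host not in any known group")
        priority = HOST_GROUPS[group]["priority"]
        threshold = AUTO_BLOCK_MIN_SEVERITY[priority]
        if threshold is None:
            return Decision(alert, "escalate", f"{group} is priority {priority}: human decision required")
        if alert.severity < threshold:
            return Decision(alert, "escalate",
                            f"severity {alert.severity} below auto-block threshold {threshold} for {group}")
        if self.auto_blocks >= self.max_auto_blocks:
            # Circuit breaker: too many automated blocks this window, hand the rest to a human.
            return Decision(alert, "escalate", "circuit breaker: auto-block budget exhausted this window")
        self.auto_blocks += 1
        return Decision(alert, "auto-block",
                        f"{group} is priority {priority}, severity {alert.severity} >= {threshold}")

    def triage(self, alerts: List[Alert]) -> Tuple[List[Decision], List[Decision]]:
        """Split alerts into automated blocks and a human work queue.

        The queue is ordered by business priority first (critical servers on top),
        then by severity, so the administrator sees the judgment calls that matter.
        """
        decisions = [self.decide(a) for a in alerts]
        blocked = [d for d in decisions if d.action == "auto-block"]

        def queue_key(d: Decision):
            grp = group_of(d.alert.host)
            prio = HOST_GROUPS[grp]["priority"] if grp else 99
            return (prio, -d.alert.severity)

        queue = sorted((d for d in decisions if d.action == "escalate"), key=queue_key)
        return blocked, queue


# Constructed sample alerts mirroring the scenario in the thread: a VPN host,
# a marketing host and a critical server all misbehaving at the same time.
SAMPLE_ALERTS = [
    Alert("10.0.99.17", 7, "scanning 445/tcp across internal subnets"),
    Alert("10.0.20.42", 9, "outbound connection burst to ~3000 hosts"),
    Alert("10.0.1.5", 9, "unusual outbound traffic volume"),
    Alert("10.0.20.43", 4, "new protocol observed on port 1433"),
]


def run_sample() -> Tuple[List[Decision], List[Decision]]:
    return ResponsePolicy().triage(SAMPLE_ALERTS)


if __name__ == "__main__":
    blocked, queue = run_sample()
    for d in blocked:
        print(f"AUTO-BLOCK {d.alert.host:12} {d.why}")
    for d in queue:
        print(f"ESCALATE   {d.alert.host:12} {d.why}")
```

Run as a script, the two less critical hosts are blocked automatically and the critical server, plus the low-severity marketing alert, land in the administrator's queue with the server on top. Lowering `max_auto_blocks` shows the circuit breaker turning further blocks into escalations.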
Current thread:
- NADS ( was RE: IPS comparison) Joseph Hamm (Aug 31)
- Re: NADS ( was RE: IPS comparison) Seek Knowledge (Aug 31)
- Re: NADS ( was RE: IPS comparison) Stefano Zanero (Aug 31)
- Re: NADS ( was RE: IPS comparison) Iván Arce (Aug 31)
- <Possible follow-ups>
- RE: NADS ( was RE: IPS comparison) Joseph Hamm (Aug 31)