IDS mailing list archives
Useful NADS
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Wed, 31 Aug 2005 14:45:50 -0700
Honestly, I have never found "network anomaly detection (NADS)" to be a tremendously valuable technology for most organizations. It is definitely not a strong zero-day detector, although with the stars aligned I am sure it could be. If networks were built and managed to exact specifications, I could understand how network anomaly detection has merit. But in the hundreds of networks I have seen, very few of them are very clean. Most of them are filthy with a constant onslaught of "anomalies."

You give the example of a DNS server suddenly firing up and sending out requests. For every potential bad thing that could indicate, there are at least as many normal, acceptable and totally legitimate reasons such an event would happen. Thus when a NADS fires off an alert about this (or blocks it), there are just as many reasons to ignore it as there are to pay attention to it. As such, the IT admins are likely going to turn off that detection as soon as they get a dozen or so false positives. Whatever benefit that feature had is then irrelevant.

One thing I have learned in my travels installing IPS/IDS for 6+ years now is that 95% of the admins out there pay very little attention to the deluge of data that comes from IPS/IDS technologies. It's just too much data. It's too hard to separate the wheat from the chaff. As such, most adopt the attitude of "stop bad, allow good, log the rest." And therefore, tons of "might be" events are just going to get ignored.

Moreover, baselining these networks is also rarely useful. Baselining only works if your network actually stays within its baseline fairly regularly. Of the networks I've seen, most would routinely break their own baselines. Moreover, it's very easy for "bad stuff" to stay within the baseline, especially if the baseline has been tweaked and tuned to the point of irrelevance in order to stop the deluge of events.
So, while there may be a place for NADS, it would have to be intermixed with traditional IPS signature matching to be really effective and useful. And if the biggest plus of your product is just NADS, then the IPS is probably just tacked on to be competitive in the market. As such, organizations would be better off getting a top-of-the-line IPS, not a NADS that happens to have an IPS thrown in.

-----------------------------------------------
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
-----------------------------------------------

-----Original Message-----
From: Adam Powers [mailto:apowers () lancope com]
Sent: Tuesday, August 30, 2005 3:02 PM
To: Ron Gula; Focus-Ids Mailing List
Subject: Re: IPS comparison
> - I agree that "anomaly detection" != "zero day" detection. Just because my DNS server starts to connect to all the other hosts on my network, doesn't mean it has got a worm on it.
This is why most of today's *successful* anomaly detection technologies incorporate a learning or "behavioral" component that overcomes this kind of problem. Take StealthWatch for instance. When a new DNS server comes online, StealthWatch looks at the flows being generated by the server, figures out what the server is and how it's behaving, then applies the appropriate algorithms given the contextual awareness of the server's learned behaviors.

In a nutshell:

1. New host detected.
2. Let's watch it for a bit and figure out what it's up to.
3. Now that we know what the machine is and does, apply the proper anomaly detection techniques to the traffic generated by the host.

Let's study your DNS example...
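The learn-then-detect loop Adam sketches above, and the two failure modes Andrew raises (a benign change tripping the baseline, and malicious traffic hiding inside it), can be made concrete with a small flow-based host profiler. This is an added example written for this archive page; it is not StealthWatch code and not code from either poster. The flow record layout, the 60-second window, the fan-out thresholds and all of the flow data below are assumptions constructed for the example, not captured traffic.

```python
"""Per-host behavioral baseline over flow records (added example, constructed data).

learn():  watch a new host, record which services it answers on, which it opens
          outbound, and how many distinct peers it contacts per window.
detect(): apply role-aware checks to later traffic from the same host.
"""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW = 60  # seconds per observation window (assumed)


@dataclass(frozen=True)
class Flow:
    t: int        # seconds since capture start (constructed clock)
    src: str
    dst: str
    proto: str    # "udp" | "tcp"
    dport: int


@dataclass
class Profile:
    host: str
    served: set = field(default_factory=set)     # (proto, port) the host answers on
    initiated: set = field(default_factory=set)  # (proto, port) it opens outbound
    max_peers: int = 0                           # most distinct outbound peers seen in one window

    @property
    def role(self) -> str:
        # Toy role inference: a host many clients query on udp/53 is a DNS server.
        return "dns_server" if ("udp", 53) in self.served else "unknown"


def _windows(flows):
    by_w = defaultdict(list)
    for f in flows:
        by_w[f.t // WINDOW].append(f)
    return by_w


def learn(host: str, flows, min_clients: int = 3) -> Profile:
    """Steps 1-2 of the thread: a new host shows up, watch it and build its profile."""
    p = Profile(host)
    clients = defaultdict(set)
    for f in flows:
        if f.dst == host:
            clients[(f.proto, f.dport)].add(f.src)
        elif f.src == host:
            p.initiated.add((f.proto, f.dport))
    # Only count a service as "served" if several distinct clients used it.
    p.served = {svc for svc, c in clients.items() if len(c) >= min_clients}
    for fl in _windows(f for f in flows if f.src == host).values():
        p.max_peers = max(p.max_peers, len({f.dst for f in fl}))
    return p


def detect(p: Profile, flows, fanout: int = 3):
    """Step 3: role-aware anomaly checks on the host's later outbound traffic.
    Returns a list of (window, alert_name, detail) tuples."""
    alerts = []
    for w, fl in sorted(_windows(f for f in flows if f.src == p.host).items()):
        new_svcs = {(f.proto, f.dport) for f in fl} - p.initiated
        peers = {f.dst for f in fl}
        if new_svcs:
            alerts.append((w, "new_outbound_service", sorted(new_svcs)))
        # A DNS server normally talks to a handful of resolvers/forwarders; a sudden
        # fan-out to many internal hosts is the "worm on the DNS server" case.
        if p.role == "dns_server" and len(peers) > max(fanout * p.max_peers, 5):
            alerts.append((w, "dns_server_fan_out", len(peers)))
    return alerts


# ---- constructed flows (not captured traffic) ----
HOST = "10.10.0.5"
# Learning period: 39 clients query udp/53, host recurses to one upstream, ships syslog.
LEARN = (
    [Flow(t, f"10.10.1.{c}", HOST, "udp", 53) for t, c in enumerate(range(1, 40))]
    + [Flow(t * 5, HOST, "192.0.2.53", "udp", 53) for t in range(20)]
    + [Flow(t * 30, HOST, "10.10.0.9", "tcp", 514) for t in range(4)]
)
# Worm-like: the DNS server opens tcp/445 to 60 internal hosts inside one window.
WORM = [Flow(600 + i % 60, HOST, f"10.10.1.{i + 1}", "tcp", 445) for i in range(60)]
# Benign change (Andrew's objection): admin adds a TCP forwarder; same alert class fires.
RECONFIG = [Flow(1200 + i * 10, HOST, "192.0.2.54", "tcp", 53) for i in range(5)]
# In-baseline abuse (Andrew's other objection): heavy udp/53 to the learned upstream,
# e.g. DNS tunnelling, looks exactly like the profile and raises nothing.
TUNNEL = [Flow(1800 + i % 60, HOST, "192.0.2.53", "udp", 53) for i in range(200)]

if __name__ == "__main__":
    profile = learn(HOST, LEARN)
    print(profile.role, sorted(profile.served), sorted(profile.initiated), profile.max_peers)
    for name, traffic in (("worm", WORM), ("reconfig", RECONFIG), ("tunnel", TUNNEL)):
        print(name, detect(profile, traffic))
```

Running it shows the three outcomes side by side: the worm scenario raises both a new-service and a fan-out alert, the forwarder change raises the same new-service alert with nothing malicious behind it, and the tunnelling traffic raises nothing because it never leaves the learned profile. Whether the second and third cases are acceptable is exactly the trade-off the two posts argue about; the thresholds here are illustrative and would need tuning against real flow volumes.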
Current thread:
- Useful NADS Andrew Plato (Sep 01)
- Re: Useful NADS Adam Powers (Sep 01)
- Re: Useful NADS Adam Powers (Sep 01)
- <Possible follow-ups>
- RE: Useful NADS Andrew Plato (Sep 01)
- Re: Useful NADS Adam Powers (Sep 01)