Snort mailing list archives
Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Wed, 2 Feb 2011 15:17:34 -0500
On Feb 1, 2011, at 11:58 AM, Jason Wallace wrote:
"An effective IDS ruleset HAS to cover malware." -- In my opinion, I[DP]S is not the answer to malware. "Many of those will not happen while the computer is on your network [ ... ]" That is why IDS has limited value when it comes to malware. I do not think IDS should ignore malware, but at most it should be seen as a second or third layer of protection. Patching, privilege reduction, and content filtering _at the asset level_ combined with user education will always be better primary levels of defense than IDS for this type of threat. An infected asset (on or off your network) constitutes a failure in your security program. That failure should initiate some sort of action/response. If the user was off-site when the infection occurred (and ~85% of our malware infections occur off-site, and yes I have that data) there is no direct action I can take from a network-based IDS perspective to prevent a recurrence of that infection. If it is not directly actionable, it should not be considered a primary defense layer. If it is not a primary defense then it does not HAVE to cover it. Coverage would, at that point, be a value add.
It's not the end-all answer, nothing is. A lot of technologies have to work together. IDS I think is absolutely definitely no doubt one of them. We are never going to catch everything on the host with host-based tools. And if you think about it, there is one thing malware HAS to do to be of use to its master. It has to talk to someone and either take commands or slip out information. This is 100% in the purview of IDS. You won't catch every attack or exploit, but we can do a lot for catching CnC traffic. And no, we won't catch them all. But let's hope the overlap of what we catch and what the AV vendors don't catch gets us closer to secure. Yes, an infection is a failure. But we will always have failures. And you'll have hosts that come in from the outside already infected. You MUST focus on CnC channels, I don't see any alternative. And on the NSS point, we test our AV vendors by how fast they cover the malware of the day. Why not apply the same standard to our IDS vendors?
The biggest issue I had with that article (until I dug deeper) was this... "I believe we need to as consumers realign what we read into those marketing phrases, and reconsider what we should allow to be acceptable for the rhetoric." [ ... ] "We've just gone through launch, and have spent a lot of time developing our marketing slang. We purposely chose to use the term comprehensive to describe our ruleset." [ ... ] "We did not choose to use the term Complete. I don't think any security product can nor should give the impression that they'll catch everything." Sounds great, but while the main page of the ET Pro web site (which will set many potential customers' initial impression) is entitled "the comprehensive ruleset", the first paragraph on the ET Pro website is titled "Complete Coverage." That put me off a little bit until I read the "the rules > coverage" page, which does use "comprehensive" as opposed to "complete." Purposeful rhetoric? No, of course not, but that inconsistency immediately stood out when I went from the article directly to the main page of the ET Pro website.
True, looks inconsistent. Complete there is used in the context that Pro is not just malware, but full-range coverage. Whereas the ET Open ruleset is best effort and very much focused on malware and experimental stuff. I'll change the wording to make that more clear. We are not the end-all, catch-everything, last security product you need. No one is. We're another cog in the wheel that should be your overall security program. We think we're a better cog than the equivalents though of course! :)
All my previous points are obviously my opinion and can be argued either way, and I don't think there is a "right answer" that fits everyone's viewpoints on IDS/IPS. While I do not agree with everything Matt said, I think the article did explain his point of view and vision. Thanks for the interesting read.
Thanks. I like to rant, and I know I generalized a LOT in that article. But my overarching hope is that we all become more critical of the marketing hype, and keep in mind that everything we buy and deploy is just one part. None of them are complete, you have to look at the gaps between and make sure you're doing the best to have overlap to get you closest to 100%.

Matt
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
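Matt's core technical point in the exchange above is that malware must eventually call out to its controller, so the CnC channel is observable on the network even when the infection happened off-site. The following Python is an added illustration of that idea, not code from the thread, from Emerging Threats, or from Snort: it flags beaconing by timing regularity in connection records. The flow tuple layout (timestamp, source, destination, port) and the sample records are constructed for this example, and the thresholds are assumptions a practitioner would tune against their own traffic.

```python
"""Added example (not from the thread): flag command-and-control beaconing
in connection records by the regularity of callback timing.

Assumed (hypothetical) input: (timestamp_seconds, src_ip, dst_ip, dst_port)
tuples, the shape a Zeek conn log or NetFlow export can be reduced to.
The sample below is constructed, not captured traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 calls 203.0.113.7:443 every ~300 s with small
# jitter (the beacon), and browses 198.51.100.20:443 at irregular times.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443),
    (301, "10.0.0.5", "203.0.113.7", 443),
    (598, "10.0.0.5", "203.0.113.7", 443),
    (902, "10.0.0.5", "203.0.113.7", 443),
    (1199, "10.0.0.5", "203.0.113.7", 443),
    (1503, "10.0.0.5", "203.0.113.7", 443),
    (1800, "10.0.0.5", "203.0.113.7", 443),
    (5, "10.0.0.5", "198.51.100.20", 443),
    (9, "10.0.0.5", "198.51.100.20", 443),
    (130, "10.0.0.5", "198.51.100.20", 443),
    (131, "10.0.0.5", "198.51.100.20", 443),
    (400, "10.0.0.5", "198.51.100.20", 443),
    (950, "10.0.0.5", "198.51.100.20", 443),
    (960, "10.0.0.5", "198.51.100.20", 443),
    # Too few connections to judge; ignored by the min_conns floor.
    (50, "10.0.0.9", "192.0.2.33", 80),
    (350, "10.0.0.9", "192.0.2.33", 80),
]


def beacon_candidates(flows, min_conns=6, max_cv=0.15, allow=frozenset()):
    """Return (src, dst, dport) groups whose inter-connection gaps are
    regular: coefficient of variation (stdev / mean) at or below max_cv.

    allow: set of (dst_ip, dst_port) pairs known to beacon legitimately
    (update checks, NTP, monitoring agents) that should never be reported.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), times in by_pair.items():
        if (dst, dport) in allow or len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue  # all connections at the same instant; not a beacon
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times), "mean_interval": mu, "cv": cv,
            })
    return hits


def summarize(flows):
    """One line per candidate, in the style of an alert you'd hand to IR."""
    return [
        f"{h['src']} -> {h['dst']}:{h['dport']} every ~{h['mean_interval']:.0f}s "
        f"x{h['count']} (cv={h['cv']:.3f})"
        for h in beacon_candidates(flows)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_FLOWS):
        print(line)
```

Run against the constructed sample it reports only the 203.0.113.7:443 pair (mean interval 300 s, cv about 0.01); the browsing pair has a cv above 1 and is ignored. The `allow` set is the caveat that matters in practice: plenty of legitimate agents beacon on a fixed schedule, so timing regularity alone is a triage signal for the CnC hunting Matt describes, not a verdict.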
Current thread:
- Matt Jonkman in the new Hakin9 Castle, Shane (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Will Metcalf (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Dale Handy (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Michael Lubinski (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Joel Esler (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Michael Lubinski (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Jason Wallace (Feb 01)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Feb 02)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Martin Holste (Feb 02)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections John York (Feb 03)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections Matthew Jonkman (Feb 03)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections Marshall Bartoszek (Feb 04)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections Jefferson, Shawn (Feb 03)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections John York (Feb 03)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Will Metcalf (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Jason Wallace (Feb 03)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Martin Holste (Feb 03)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Will Metcalf (Feb 04)