Dailydave mailing list archives
Re: lots of monkeys staring at a screen....security?
From: Ron Gula <rgula () tenablesecurity com>
Date: Sat, 28 Oct 2006 07:57:42 -0400
Thomas Ptacek wrote:
I am waiting for someone to tell me the story about how an IDS saved their bacon.
Before I even thought about writing Dragon, we used ISS RealSecure and regularly caught a few internal users who were doing internal probes and attempting to gain access to other servers they should not have been. I was surprised at how effective NIDS monitoring was (this was late 1990s) that we caught people trying to exploit things like Cold Fusion, that older Compaq manager bug and so on.

When I finally did the Dragon IDS, for a year or two, we were tracking customers who had either been able to discover internal hackers and fire them or who had to open up ongoing investigations because there was a set of remote folks trying to penetrate their network.

Comments in general:

- anomaly algorithms are just different forms of signatures; both can be bypassed and there are good/bad algorithms
- even if your IDS totally sucks, you still might be from a business vertical where the auditors require you to run something
- even if your IDS totally sucks, for the general internal user population, it is a deterrent.
- even if your IDS (IPS) totally sucks, if your IT guys believe in it, they will use it as an excuse to delay patching since they are "protected"
- an attack and a backdoor which involves an encrypted shell may or may not be detected by a NIDS. Depends on the attack and the NIDS. There are still many idiot hackers who use some sort of cool attack, cool encrypted shell and then set up an IRC server on the box.

So having said that, today in 2006, I still see a lot of value in NIDS for monitoring, but if that is all that one does and doesn't take into account vulnerabilities, firewall logs, proxy logs, host logs, etc., then there is a lot that can be missed.

Ron Gula, CTO
Tenable Network Security
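The cross-source correlation argued for at the end of the post, as an added example that is not part of the original thread: a constructed NIDS alert is joined against constructed firewall accept records (every address, port and timestamp is made up) so that a host which starts accepting connections on ports it never served before the alert, such as an IRC port, is surfaced even though the encrypted shell itself produced no NIDS hit.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the original post): one NIDS alert for
# an exploit attempt against an internal web server.
NIDS_ALERTS = [
    {"ts": "2006-10-27T22:14:05", "src": "203.0.113.9", "dst": "10.1.1.20",
     "sig": "WEB-COLDFUSION admin access attempt"},
]

# Constructed firewall accept log: ts, action, src, dst, dport. The NIDS has
# no signature for the encrypted shell or the IRC daemon that follow, but the
# firewall still records the new inbound ports on the victim.
FIREWALL_LOG = """\
2006-10-27T21:50:11 ACCEPT 198.51.100.7 10.1.1.20 80
2006-10-27T22:14:05 ACCEPT 203.0.113.9 10.1.1.20 80
2006-10-27T22:16:40 ACCEPT 203.0.113.9 10.1.1.20 4444
2006-10-27T22:40:02 ACCEPT 192.0.2.55 10.1.1.20 6667
2006-10-27T22:41:17 ACCEPT 192.0.2.56 10.1.1.20 6667
2006-10-27T22:45:00 ACCEPT 198.51.100.8 10.1.1.21 443
"""


def parse_fw(text):
    """Parse the constructed firewall format into (ts, action, src, dst, dport)."""
    rows = []
    for line in text.splitlines():
        ts, action, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return rows


def new_ports_after_alert(alerts, fw_rows):
    """For each host named as NIDS alert destination, return the inbound ports
    accepted at or after the alert that were never accepted before it, with
    the peers that connected. Empty dict means nothing new was exposed."""
    findings = {}
    for alert in alerts:
        t0 = datetime.fromisoformat(alert["ts"])
        host = alert["dst"]
        baseline = {r[4] for r in fw_rows if r[3] == host and r[0] < t0}
        after = defaultdict(set)
        for ts, action, src, dst, dport in fw_rows:
            if action == "ACCEPT" and dst == host and ts >= t0 and dport not in baseline:
                after[dport].add(src)
        if after:
            findings[host] = {port: sorted(peers) for port, peers in after.items()}
    return findings


if __name__ == "__main__":
    for host, ports in new_ports_after_alert(NIDS_ALERTS, parse_fw(FIREWALL_LOG)).items():
        for port, peers in ports.items():
            print(f"{host}: new inbound port {port} after NIDS alert, peers {peers}")
```

The same join works against proxy or host logs in place of the firewall table; the point is that the baseline-versus-after comparison is keyed on the NIDS alert, not on a signature for the shell.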