Dailydave mailing list archives
Re: What EINSTEIN isn't. (Sheesh)
From: "Thomas Quinlan" <tom () thomasquinlan com>
Date: Fri, 29 Jan 2016 15:22:29 +0000
I've not been doing anything for the government for some years now, but it (Einstein) was very effective for some of the things we really did need it for while I was doing those things. We didn't have access directly, but the guys at US-CERT who did knew what they were doing and so did we and it was one of those things to look back on proudly.
On 29 Jan 2016, at 14:01, Dave Aitel wrote:
http://www.defenseone.com/technology/2016/01/us-homeland-securitys-6b-firewall-has-more-few-frightening-blind-spots/125528/

Let me quote from this weirdly wrong article here: "EINSTEIN relies on patterns of attacks, called signatures, to spot suspicious traffic, but it does not scan for 94 percent of commonly known vulnerabilities or check web traffic for malicious content <http://www.gao.gov/assets/680/674829.pdf>."

I wanted to correct some craziness I saw in DefenseOne this morning. Apparently it is quite difficult to figure out what EINSTEIN is for, and the technology is complex, so I'm going to clarify matters PURELY AS AN OUTSIDER.

To sum up the article, for people who don't want to read it: Someone is complaining that the EINSTEIN system does not function as a giant perfect Intrusion Prevention System (IPS) for the whole Government! Keep in mind, we already know AV, IPS and IDS and related technologies VERY MUCH DON'T WORK AT SCALE!

First of all: There is not enough memory in the world to hold the state machines you would need to track all the TCP connections going to all the Government networks in the world. The developers of EINSTEIN are *not stupid* enough to think they're going to build a big Palo Alto box. Nor do they want to be in the business of writing thousands of IPS signatures, all of which are probably a giant waste of time.

Instead, EINSTEIN allows the Government to do analysis across individual intrusions, detecting where attackers go when they laterally move from, say, OPM, to the State Department. Just to sum it up:

“Regarding zero day exploits,” Homeland Security officials stated “there is no way to identify them until they are announced,” the report states. Once they are disclosed, DHS can mold a signature to the attack pattern and feed it into EINSTEIN.

If you tie that to the feed obviously coming from the NSA, you have something very very useful. Much more useful than an IPS would be. It is about situational awareness and response, not protection.

It still needs testing, but of a very different sort.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave