Firewall Wizards mailing list archives

Re: IDS: some rambling


From: "Ivan Arce,CORE" <ivan () securenetworks com>
Date: Thu, 19 Feb 1998 10:55:28 -0700 (MST)

On Wed, 18 Feb 1998, Marcus J. Ranum wrote:

> There are a couple basic questions I've always had about the
> goal of IDS, which led me to take the slightly different approach
> of building event recording and analysis engines. Mostly they
> stem from early experience building firewalls.
>
> My customers used to ask me "will it tell me when it's under attack??"
>
> Well, y'know, that sounds like a great idea! Until you think about
> it. I built firewalls that would detect certain known attacks and
> notify the administrator. Then I realized one day that it was just
> an amazingly stupid thing to do. Since I knew what the attack was,
> I knew that my firewall could resist it: so why should I BOTHER
> telling the customer?? By definition, an attack that you know you
> can resist is practically a non-event. I guess it's interesting but
> it's not VERY interesting. VERY interesting is an attack you cannot
> resist. The problem is -- how do you detect an attack you cannot
> resist?

Well, I think your own comments might lead to an answer.
Attacks are usually not isolated events; if someone is trying to
break into your network she (I'm using female attackers in the
usual Ptaceksque style) will try different attacks one after another.
If the first succeeded and your firewall/IDS didn't detect it, you are
certainly out of luck, but if the first attack failed and your
firewall/IDS detected AND reported it, there's a good chance that
a human being is dragged into the game and can detect those things
that a non-human security component can't.
In that sense I consider an IDS some sort of
'early-warning' system.
It's probably not how IDSes are being marketed, but that's
a different story altogether.

Post-mortem analysis, "forensics and ballistics", is surely a
good step in minimizing future damage by reducing the lifespan between
successful attacks and fix deployment, but certain organizations just
can't afford a 'post-mortem' analysis; they need the subject alive.
Figuring out how the subject got killed will help them
but won't repair all the damage already done.

-ivan

==============================[ CORE Seguridad de la Informacion S.A. ]=======
Ivan Arce
Technology Management                           Email     : ivan () core-sdi com
Av. Santa Fe 2861 5to C                         TE        : +54-1-821-1030
CP 1425                                         FAX       : +54-1-821-1030
Buenos Aires, Argentina                         Messaging : +54-1-317-4157
==============================================================================
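A small illustration of the 'early-warning' idea argued above, added here and not part of the original post or of any product it mentions: it correlates resisted (blocked) attack events per source and raises a warning once one source has tried several distinct attacks within a short window, so a human gets pulled in before the attack the firewall cannot resist arrives. The event line format, signature names, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall/IDS events (not real logs): timestamp, source, signature, outcome.
SAMPLE_EVENTS = [
    "1998-02-18T10:00:01 src=10.0.0.5 sig=land-attack outcome=blocked",
    "1998-02-18T10:00:40 src=10.0.0.5 sig=ping-of-death outcome=blocked",
    "1998-02-18T10:01:15 src=10.0.0.5 sig=teardrop outcome=blocked",
    "1998-02-18T10:30:00 src=10.0.0.9 sig=land-attack outcome=blocked",
    "1998-02-18T11:45:00 src=10.0.0.9 sig=teardrop outcome=blocked",
]


def parse_event(line):
    """Split one 'ts key=value ...' line into (timestamp, src, sig, outcome)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["sig"], fields["outcome"]


def early_warnings(lines, threshold=3, window=timedelta(minutes=10)):
    """Return one (src, first_seen, sorted signatures) tuple per source whose
    number of *distinct* blocked signatures reaches `threshold` inside a
    sliding `window`. Each source is reported at most once."""
    recent = defaultdict(deque)   # src -> deque of (ts, sig) still inside the window
    warned = set()
    alerts = []
    for line in lines:
        ts, src, sig, outcome = parse_event(line)
        if outcome != "blocked":
            continue              # a successful attack is a different alarm; here we watch resisted ones
        q = recent[src]
        q.append((ts, sig))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and src not in warned:
            warned.add(src)
            alerts.append((src, q[0][0], sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for src, first_seen, sigs in early_warnings(SAMPLE_EVENTS):
        print(f"EARLY WARNING: {src} since {first_seen}: {', '.join(sigs)}")
```

With the sample data, 10.0.0.5 is reported (three different blocked attacks in 74 seconds) while 10.0.0.9, whose two attempts are 75 minutes apart, is not.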

