IDS mailing list archives

Re: IDS is dead, etc


From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 22 Jun 2003 18:43:46 -0400

I agree Lance, but they don't reduce the analysis manpower required (in some
ways they increase it).  Just because all the data going to a honeypot is
"interesting" doesn't mean that it's "valuable".  Correlating data from a
honeypot against data from attacks that target critical assets is valuable,
but researching tools and techniques of attackers is time and labor
intensive, not to mention requiring a level of expertise that makes IDS
analysis look simple by comparison.  In the area of improving intrusion
detection they generate lots of information that *require* users to apply
context manually, there's no notion of defending real targets from possible
attacks.

I'm not saying that they don't have value (I think they're a great
"backstop" technology for NIDS), but I don't see where they greatly simplify
data management or prioritization of attacks against high value targets like
production servers.  The attackers who are hitting the honeypots will be
giving away a number of things that may help you make your IDS better
against a specific attacker, but integration of the critical data is not
automated and requires a high degree of skill to get the best use out of.

     -Marty


On 6/19/03 11:54 PM, "Lance Spitzner" <lance () honeynet org> wrote:

On 19 Jun 2003, Martin Roesch wrote:

Boiling the Gartner report down, here are my take aways:

1) IDSes produce too many false positives (i.e. the quality of the
information they produce is low)

2) IDSes produce too much data (i.e. the quantity of information they
produce is high)

3) There is no solution to these problems, therefore IDS is dead and we
should all buy in-line IPS, er, "deep content inspection firewalls"!

So, is there any way to make the quality of data coming out of the IDS
higher while at the same time diminishing the amount of information
generated?  

This is where I think honeypots represent such an exciting opportunity
by working with existing detection solutions.  Honeypots dramatically
reduce the amount of data and false positives an organization collects.
Honeypots have the added bonus of working in both IPv6 and encrypted
environments.  By correlating these capabilities with current IDS
technologies, we can help address these issues.

     Honeypots: Simple, Effective Detection
     http://www.securityfocus.com/infocus/1690

lance



-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
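The honeypot-to-IDS correlation the two posts argue about, as an added example that is not code from either poster, from Snort, or from the Honeynet Project: it reads constructed Snort-style fast alert lines and a constructed honeypot connection log, boosts alerts whose source already touched the honeypot or whose target is an inventoried production asset, and drops alerts aimed at the honeypot itself. The alert layout, the asset inventory and the scoring weights are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample data: Snort-style "fast" alert lines (layout approximated, not real traffic).
IDS_ALERTS = """\
06/22-18:01:12.000001  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:4021 -> 192.0.2.10:80
06/22-18:02:40.000002  [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.9:51000 -> 192.0.2.10:22
06/22-18:03:05.000003  [**] [1:1000003:1] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.50
06/22-18:04:19.000004  [**] [1:1000004:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.9:51001 -> 192.0.2.200:445
"""
# Constructed honeypot connection log; nothing legitimate ever talks to a honeypot.
HONEYPOT_LOG = """\
2003-06-22 18:00:30 connect src=203.0.113.7 dst=192.0.2.200 dport=80
2003-06-22 18:00:31 connect src=203.0.113.7 dst=192.0.2.200 dport=443
"""
# Assumed asset inventory: 192.0.2.200 is the honeypot, the others are production.
CRITICAL_ASSETS = {"192.0.2.10": "web-prod", "192.0.2.50": "db-prod"}
HONEYPOT_ADDRS = {"192.0.2.200"}

Alert = namedtuple("Alert", "time sig priority src dst score reasons")
ALERT_RE = re.compile(
    r"^(?P<time>\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<sig>.+?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")
HP_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")


def honeypot_sources(log_text):
    """Set of source addresses that touched any honeypot address."""
    return {m.group("src") for line in log_text.splitlines()
            if (m := HP_RE.search(line)) and m.group("dst") in HONEYPOT_ADDRS}


def triage(alert_text, hp_sources):
    """Rank alerts (Snort priority 1 = most severe; higher score = look first). Alerts aimed
    at the honeypot itself are dropped: the honeypot already records those sessions in full."""
    ranked = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line we understand; leave it for manual review
        src, dst, prio = m.group("src"), m.group("dst"), int(m.group("prio"))
        if dst in HONEYPOT_ADDRS:
            continue
        score, reasons = 4 - prio, []
        if src in hp_sources:
            score, reasons = score + 3, reasons + ["source previously probed honeypot"]
        if dst in CRITICAL_ASSETS:
            score, reasons = score + 2, reasons + ["targets " + CRITICAL_ASSETS[dst]]
        ranked.append(Alert(m.group("time"), m.group("sig"), prio, src, dst, score, reasons))
    return sorted(ranked, key=lambda a: (-a.score, a.time))
```

The `reasons` list is what an analyst would actually want alongside the score: it records which piece of context (honeypot contact, critical target) raised the alert, so the prioritization is explainable rather than a bare number.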


