IDS mailing list archives

RE: IDS is dead, etc


From: "Craig H. Rowland" <crowland () cisco com>
Date: Mon, 23 Jun 2003 09:59:12 -0500

Hi Giles,

On 6/19/03 6:52 PM, "Giles Coochey" <giles () coochey net> wrote:


On Thursday 19 June 2003 4:57 pm, Martin Roesch wrote:

So, is there any way to make the quality of data coming out of the IDS higher while at the same time diminishing the amount of information generated? We've been talking about this exact topic on this list since 1999 on and off and I think all the IDS vendors have ideas how to achieve this goal by integrating network maps and host/service identification into the IDS's world view. If those ideas should actually make their way to market, would that make the systems more useful? I believe so. (At this point I usually pitch Sourcefire, but I'll spare you all.)


I would love to see a fingerprinting tool that identified the client and server Operating System / Application and reduced the priority of alerts for false positives when it is known that the system is not vulnerable. The alerts still flag, so we see the drive-by-shootings, but as their priority is reduced they are less significant.

Anyone got any development ideas on this front?

We produced a product called ClearResponse at Psionic that was released
in July 2002 that does this exact thing. We were acquired by Cisco in
October 2002 and the product was renamed Cisco ThreatResponse. 

ThreatResponse works dynamically on a network with no prior network
knowledge and doesn't rely on a pre-defined static database. Also it
collects forensic evidence from the impacted host in real-time so if you
see an escalated attack you can go to the GUI and view the actual
logs/data from the targeted system and look for yourself at what
happened (we'll grab logs in about 1-2 seconds after the alarm is seen).
This means an attacker has almost zero time to go onto the box and
tamper with logs before they are copied. We recently released version
2.0 of the product and it supports both the Cisco IDS and ISS IDS
sensors into a single GUI. Using this product can significantly reduce
alarms from Cisco and ISS sensors. I'm not going to do too much
plugging, you can read more about it here:

http://www.cisco.com/en/US/products/sw/secursw/ps5054/index.html

..and it's freely available...

-- Craig
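The prioritization Giles asks for above (keep every alert, but push the ones whose exploit cannot apply to the fingerprinted target down to the lowest priority) as an added, self-contained example. This is not ThreatResponse or Sourcefire code and does not describe how either product works; it assumes a small asset map of the kind a passive fingerprinter would produce (OS family plus listening services per IP) and a per-rule note of which platform and service the exploit affects. All hosts, alerts and rule metadata below are constructed for the example.

```python
"""Asset-aware IDS alert prioritization (constructed example, not vendor code).

Every alert is kept, so the drive-by shootings are still visible, but an alert
whose exploit preconditions the target does not meet is pushed to the lowest
priority.  Priority scale follows Snort: 1 = high, 2 = medium, 3 = low.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """What a passive fingerprinter (assumed input) learned about one host."""
    ip: str
    os_family: str                 # e.g. "windows", "linux", "solaris"
    services: Dict[int, str]       # listening port -> service fingerprint


@dataclass(frozen=True)
class Alert:
    """One IDS event plus the rule's (assumed) applicability metadata."""
    sid: int
    msg: str
    src: str
    dst: str
    dport: int
    base_priority: int                           # from the rule's classtype
    affects_os: FrozenSet[str] = frozenset()     # empty = platform independent
    affects_service: Optional[str] = None        # None = no service dependency


LOWEST = 3

# Constructed asset map; in practice this comes from fingerprinting, not config.
ASSETS: Dict[str, Asset] = {
    "10.0.0.5":  Asset("10.0.0.5",  "linux",   {80: "apache", 22: "openssh"}),
    "10.0.0.9":  Asset("10.0.0.9",  "windows", {80: "iis", 445: "smb"}),
    "10.0.0.20": Asset("10.0.0.20", "solaris", {22: "openssh", 111: "rpcbind"}),
}

# Constructed alerts; the sids and messages are illustrative, not real rules.
ALERTS: List[Alert] = [
    Alert(1001, "WEB-IIS unicode directory traversal attempt", "198.51.100.7",
          "10.0.0.5", 80, 1, frozenset({"windows"}), "iis"),
    Alert(1002, "WEB-IIS unicode directory traversal attempt", "198.51.100.7",
          "10.0.0.9", 80, 1, frozenset({"windows"}), "iis"),
    Alert(1003, "SSH server overflow attempt", "198.51.100.7",
          "10.0.0.20", 22, 1, frozenset(), "openssh"),
    Alert(1004, "SMB share enumeration", "198.51.100.7",
          "10.0.0.77", 445, 2),
    Alert(1005, "RPC portmap request", "198.51.100.7",
          "10.0.0.9", 111, 2, frozenset({"solaris", "linux"}), "rpcbind"),
    Alert(1006, "WEB-MISC apache chunked encoding attempt", "198.51.100.7",
          "10.0.0.9", 80, 1, frozenset(), "apache"),
]


def prioritize(alert: Alert, assets: Dict[str, Asset]) -> Tuple[int, str]:
    """Return (priority, reason).  Never drops an alert, only re-ranks it."""
    asset = assets.get(alert.dst)
    if asset is None:
        # No fingerprint for the target: lack of knowledge must never downgrade.
        return alert.base_priority, "target unknown; priority kept"
    if alert.affects_os and asset.os_family not in alert.affects_os:
        return LOWEST, (f"target runs {asset.os_family}, "
                        f"rule affects {sorted(alert.affects_os)}")
    if alert.affects_service is not None:
        listening = asset.services.get(alert.dport)
        if listening is None:
            return LOWEST, f"port {alert.dport} not open on target"
        if listening != alert.affects_service:
            return LOWEST, (f"port {alert.dport} runs {listening}, "
                            f"rule targets {alert.affects_service}")
    return alert.base_priority, "target matches rule preconditions"


def triage(alerts: List[Alert], assets: Dict[str, Asset]) -> List[Tuple[int, int, str]]:
    """Re-rank a batch of alerts; returns (sid, priority, reason) per alert."""
    return [(a.sid, *prioritize(a, assets)) for a in alerts]


if __name__ == "__main__":
    for sid, prio, why in sorted(triage(ALERTS, ASSETS), key=lambda t: t[1]):
        print(f"sid={sid} priority={prio} ({why})")
```

Two design points matter in practice: an unknown target keeps its original priority rather than being downgraded, because the whole scheme is only as good as the fingerprint data and silence from the fingerprinter is not evidence of immunity; and the downgraded alerts are still emitted with a reason string, so the analyst can audit why something was pushed down and catch a stale or wrong asset entry.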


