IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Definition of Zero Day Protection

From: "hidsbr" <hidsbr () bol com br>
Date: Mon, 9 Aug 2004 19:20:42 -0300

I believe the best protection is composed by IPSses
with high level configuration and HIDS on servers
blocking the undesired zero day attacks.

This way you can avoid stopping normal traffic without
protecting the servers.


----- Original Message -----
From: "Carey, Steve T GARRISON" <steven-
carey () us army mil>
To: "Teicher, Mark (Mark)" <teicher () avaya com>
Cc: "Seanor, Joseph (Joe)" <jseanor () avaya com>; <focus-
ids () securityfocus com>
Sent: Monday, August 09, 2004 2:27 PM
Subject: RE: Definition of Zero Day Protection


Would say they are 'misguided', they believe it.  But
from the different IDS and IPS systems I have tested
and used, the IPS CAN stop attacks, however, if someone
in your organization starts using a new software, it
may get stopped by the IPS.  Also, if the Zero Day
Exploit is on the encrypted side, like ssl, then no it
wouldn't stop it.

There is some new technology being worked concerning
Kernel Protection that comes close, but still is being
worked.

The biggest problem with Zero Day Protection is
encrypted programs.  Host based programs can work, but
still believe that as of today it is still going to
take a human to ensure Zero Day Protection (provided
they have the necessary tools to do it with).

Steve

-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher () avaya com]
Sent: Monday, August 09, 2004 12:14 PM
To: Carey, Steve T GARRISON
Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com
Subject: RE: Definition of Zero Day Protection


Marketing ploy??  You mean marketing people don't state
the truth about
Zero Day Protection and how it works ??

/mark

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-
carey () us army mil]
Sent: Monday, August 09, 2004 11:08 AM
To: Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com
Subject: RE: Definition of Zero Day Protection

My own personal opinion, based on 7 years of experience
in intrusion
detection, is that it is a marketing ploy.  Only way to
ensure Zero Day
Protection is to use a 'suite' of IDS tools and have an
analyst looking
at those logs 24/7 to find the Zero Day Exploit.

Vendors can state they prevent Zero Day Exploits but to
do that you can
also stop legitimate traffic.  Maybe sometime in the
future that can
happen, but not today.

Steve Carey

--------------------------------------------------------
------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-
world attacks from CORE
IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-
ids_040708 to learn more.
--------------------------------------------------------
------------------

 
__________________________________________________________________________
Acabe com aquelas janelinhas que pulam na sua tela.
AntiPop-up UOL - É grátis!
http://antipopup.uol.com.br/



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: