IDS mailing list archives

Re: Definition of Zero Day Protection


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 11 Aug 2004 17:43:03 -0400

I think this is a question of determinism versus nondeterminism in intrusion detection systems. The anticipated (hoped for?) implication by the offending marketing group of a system that offers "Zero Day Protection" is that the system is somehow nondeterministic in how it goes about detecting attacks on the network and can therefore protect you from things that nobody knows about. People who know how IDSes work know that this is a load of BS, but you can't keep a good marketing person down.

The reality of zero day protection as it stands today revolves primarily around protocol anomaly detection and rate-based thresholding. If the value of the foobar field in some protocol is larger than some expected norm then we can predict that there's a problem/anomaly/attack in progress and we can alert/prevent said attack. We know that this is deterministic in effect, just that it's hard coded into the protocol analysis module (i.e. a hard coded "signature"). The concept of an IDS is simple: we tell it what to look for and it tells us when it sees it, but the process of telling it what to look for has determinism implicit in the actual code that gets put into the system if things are being hardcoded, or into its "signatures" in a language based system.

Here's a pretty good example. We had rules available for Sasser about two weeks before Sasser actually hit the net. How did we do it? We wrote Snort rules that (statefully) analyzed the DCERPC protocol and were capable of detecting the exploitation of the vulnerability. In effect, we had "zero day protection" for everyone who was up to date on their Snort rules from Sasser. So it is possible to have "zero day protection" but it's still from a set of things that you can imagine ahead of time and let your security infrastructure know about. Truly unknown attacks will waltz right by everything, which is why defense in depth and monitoring are still important.

     -Marty

On Aug 8, 2004, at 9:47 PM, Teicher, Mark (Mark) wrote:

What is Zero Day Protection? I think I understand the definition of Zero Day Exploits. But what is Zero Day Protection? Another marketing blurb, or can vendors actually offer zero day protection?

Thank you for clarifying my confusion

/m

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
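The two mechanisms Marty describes, a protocol-anomaly check ("field larger than the expected norm") and rate-based thresholding, as an added Python example that is not Snort code and not from this thread; the toy message format, the 64-byte norm, the 5-per-10-seconds rate limit and the sample traffic are all constructed assumptions:

```python
import struct
from collections import deque

# Constructed toy protocol (an assumption, not DCERPC): 1-byte version, 1-byte type,
# 2-byte big-endian length of the "foobar" field, then the field bytes themselves.
HEADER = struct.Struct("!BBH")
FOOBAR_MAX = 64      # hard-coded expected norm: a "signature" living in the protocol decoder
RATE_LIMIT = 5       # more than this many messages from one source ...
RATE_WINDOW = 10.0   # ... within this many seconds trips the rate threshold

def protocol_anomaly(data):
    """Deterministic check on one message; returns an alert string or None."""
    if len(data) < HEADER.size:
        return "malformed: short header"
    version, mtype, flen = HEADER.unpack_from(data)
    field = data[HEADER.size:HEADER.size + flen]
    if len(field) != flen:                      # truncated or lying length field
        return f"malformed: declared length {flen} exceeds payload"
    if flen > FOOBAR_MAX:                       # the "larger than expected norm" case
        return f"foobar field {flen} > {FOOBAR_MAX}"
    return None

class RateThreshold:
    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window, self.seen = limit, window, {}
    def observe(self, src, ts):
        q = self.seen.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > self.window:          # drop timestamps that aged out of the window
            q.popleft()
        return len(q) > self.limit

def run_detector(packets):
    """packets: iterable of (timestamp, src, raw bytes). Returns the alerts raised."""
    rate, alerts = RateThreshold(), []
    for ts, src, data in packets:
        reason = protocol_anomaly(data)
        if reason:
            alerts.append(f"{src}: {reason}")
        if rate.observe(src, ts):
            alerts.append(f"{src}: rate > {rate.limit}/{rate.window:g}s")
    return alerts

def build(field, version=1, mtype=0):
    return HEADER.pack(version, mtype, len(field)) + field
# Constructed traffic: a normal message, an oversized field, a truncated one, then a burst.
SAMPLE = [(0.0, "10.0.0.5", build(b"hello")), (1.0, "10.0.0.5", build(b"A" * 200)),
          (2.0, "10.0.0.7", HEADER.pack(1, 0, 50) + b"short")]
SAMPLE += [(3.0 + i * 0.5, "10.0.0.9", build(b"ping")) for i in range(7)]
```

Both checks fire only on conditions someone wrote down in advance, which is the point of the message: the "anomaly" is a signature expressed in decoder code rather than in a rule language.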
