IDS mailing list archives
RE: Are sophisticated attacks just FUD?
From: "Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion () us army mil>
Date: Thu, 1 Jul 2004 16:23:20 -0000
Step back a few years, say 2000, when I was writing this type of system/process to create a high level network view of the entirety a network. In my limited experience building this type of system, unless the view created covers every aspect of real-time data flow from the highest level to distinct individual systems there is no point in even trying to enumerate "attacks". To put this simply, a single IDS allows you to see only a tiny fragment of an isolated network segment. Should you base you entire security strategy on this one segment? Of course not. Is the hype created as a sales platform for this IDS the end all of security for a network? Of course not. Can you say this about any distinct piece of the entire puzzle; Can we limit out judgement to a firewall stack? Again, of course not. Anyone else watched a few dozen IDS's start freaking out, spitting red lines like mad, and all because a small network traffic clog delayed some packets with the rest of a completely normal communications link? The purpose in the overall security infrastructure of each element like an IDS or a firewall is clear. But time and time again I see the conversation twisting to the "latest" new toy. In this case, the boss is right. If you operate a security infrastructure without a fully interconnected intelligent security network and do detect a sophisticated attack, it was blind luck or your version of corporate police enticed the intruder to make a confession. Forensics is not a timely detection. - Mark Runion -----Original Message----- From: Joshua Berry [mailto:jberry () PENSON COM] Sent: Wednesday, June 30, 2004 5:36 AM To: Sam Heshbon; focus-ids () securityfocus com Subject: RE: Are sophisticated attacks just FUD? You cannot point to the firewall as evidence that you are never targeted in a large network. What about across VPN connections, or inside attacks, or if you are large enough you probably have Point-to-Point connections with other offices, vendors or customers. Also, just because you do not know of a breach does not mean that one has not occurred. This would hopefully be part of a sophisticated attack: not getting caught, or at least for some time. -----Original Message----- From: Sam Heshbon [mailto:sheshbon () yahoo com] Sent: Tuesday, June 29, 2004 11:12 AM To: focus-ids () securityfocus com Subject: Are sophisticated attacks just FUD? I had a big discussion with my boss who claims most of the IPS, SIM and other new tools are just a hype protecting from sophisticated threats, which only exist in labs. He thinks multi staged attacks and so on do not often happen in the wild and shows our firewall's logs as evidence. It is true we see mostly worms.(NMAP) scanning happens once in a while, but he claims it's a script kiddy and the fact we have never seen a breach means it is not a real threat (we run a large network operation). I'm looking for statistical data showing how frequent sophisticated attacks and advanced tools are evolved and what there damage is to the corporate. If anyone knows of a research showing if this is FUD or a real problem, I'd love to prove him wrong (I'm willing to admit I'd be happy to have some new toys ;) __________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - 100MB free storage! http://promotions.yahoo.com/new_mail ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- Re: Are sophisticated attacks just FUD? Drew Simonis (Jun 30)
- <Possible follow-ups>
- Re: Are sophisticated attacks just FUD? Brian Lund (Jun 30)
- RE: Are sophisticated attacks just FUD? Keith T. Morgan (Jun 30)
- RE: Are sophisticated attacks just FUD? Angel Rivera (Jun 30)
- RE: Are sophisticated attacks just FUD? drbitbucket (Jul 01)
- RE: Are sophisticated attacks just FUD? Steve Hall (Jul 01)
- RE: Are sophisticated attacks just FUD? Joshua Berry (Jul 01)
- RE: Are sophisticated attacks just FUD? Chuck Herrin (Jul 04)
- RE: Are sophisticated attacks just FUD? Rob Shein (Jul 01)
- RE: Are sophisticated attacks just FUD? Runion Mark A FGA DOIM WEBMASTER(ctr) (Jul 04)
- Re: Are sophisticated attacks just FUD? Anton A. Chuvakin (Jul 09)