IDS mailing list archives

RE: Are sophisticated attacks just FUD?


From: "Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion () us army mil>
Date: Thu, 1 Jul 2004 16:23:20 -0000

Step back a few years, say 2000, when I was writing this type of
system/process to create a high-level network view of the entirety of a
network.  In my limited experience building this type of system, unless the
view created covers every aspect of real-time data flow from the highest
level down to distinct individual systems, there is no point in even trying
to enumerate "attacks".

To put this simply, a single IDS allows you to see only a tiny fragment of
an isolated network segment.  Should you base your entire security strategy
on this one segment?  Of course not.  Is the hype created as a sales
platform for this IDS the be-all and end-all of security for a network?  Of
course not.  Can you say this about any distinct piece of the entire puzzle?
Can we limit our judgement to a firewall stack?  Again, of course not.

Anyone else watched a few dozen IDSs start freaking out, spitting red lines
like mad, and all because a small network traffic clog delayed some packets
in the middle of a completely normal communications link?  The purpose of
each element like an IDS or a firewall in the overall security
infrastructure is clear.  But time and time again I see the conversation
twisting to the "latest" new toy.

In this case, the boss is right.

If you operate a security infrastructure without a fully interconnected
intelligent security network and do detect a sophisticated attack, it was
blind luck or your version of corporate police enticed the intruder to make
a confession.  Forensics is not a timely detection.

-
Mark Runion
 

-----Original Message-----
From: Joshua Berry [mailto:jberry () PENSON COM] 
Sent: Wednesday, June 30, 2004 5:36 AM
To: Sam Heshbon; focus-ids () securityfocus com
Subject: RE: Are sophisticated attacks just FUD?

You cannot point to the firewall as evidence that you are never targeted
in a large network.  What about across VPN connections, or inside
attacks, or, if you are large enough, the point-to-point connections you
probably have with other offices, vendors or customers?

Also, just because you do not know of a breach does not mean that one
has not occurred.  This would hopefully be part of a sophisticated
attack: not getting caught, or at least for some time.

-----Original Message-----
From: Sam Heshbon [mailto:sheshbon () yahoo com] 
Sent: Tuesday, June 29, 2004 11:12 AM
To: focus-ids () securityfocus com
Subject: Are sophisticated attacks just FUD?

I had a big discussion with my boss who claims most of the IPS, SIM and
other new tools are just hype, protecting from sophisticated threats which
only exist in labs.  He thinks multi-staged attacks and so on do not often
happen in the wild and shows our firewall's logs as evidence.  It is true we
see mostly worms.  (NMAP) scanning happens once in a while, but he claims
it's a script kiddie, and the fact we have never seen a breach means it is
not a real threat (we run a large network operation).

I'm looking for statistical data showing how frequently sophisticated
attacks and advanced tools are evolving and what their damage is to the
corporation.  If anyone knows of research showing whether this is FUD or a
real problem, I'd love to prove him wrong (I'm willing to admit I'd be happy
to have some new toys ;)



        
                