NADS ( was RE: IPS comparison)

["Joseph Hamm" <jhamm () lancope com>]

Hassan,

You make some good points, but I'd like the opportunity to clear up a
few things about my NADS:

> IMHO comparing pure play behavior detection to IPS is like comparing
apples and oranges. 

I couldn't agree more.  I spoke up because Stefano brought up the topic
of anomaly detection. One thing that does bother me is how IPS has been
painted as a "magic bullet" by vendors (and even the press).  IPS works
great at the perimeter or other "choke points" in the network.  However,
in speaking with customers, it is too costly to deploy in a scenario
that can give you adequate network visibility or proper blocking
capabilities inside your organization.  It should remain a perimeter
solution, placed in a strategic location to protect key assets (example
would be a group of critical servers), or perhaps one day merged into
your network infrastructure (perhaps the future as painted by
Tippingpoint and 3com).

> NADS appears to be more similar to the old sniffer technology with the
added feature of /possibly/ giving better clues
> as to the cause of the anomaly from a security perspective whereas the
old Network General style explains from network
> problem perspective.
 
Yes.  NADS gives much of the value of traditional network
troubleshooting tools like Sniffer.  But this is only a fraction of its
capabilities.  These systems can gain network info from taps,
SPAN/mirror ports, NetFlow, or sFlow.  The result of this hybrid
approach is a much broader network visibility than traditional security
devices such as IDS or IPS can provide (at least for the same costs).
The reason you get more visibility with fewer boxes deployed is because
these systems can leverage the flow information (NetFlow or sFlow info
exported from your routers/switches).  You essential turn all of your
routers and switches into security probes so you don't have to deploy
(purchase and maintain) a box everywhere you want coverage.   Many folks
don't even know what NetFlow or sFlow is or how it can be used to
provide them much needed security information (and save them money).  

> Protocol anomaly at least looks more promising in the IPS space as the
action capability is there. In my experience, it definitely takes time
baselining... but once
> baslined, it could be a valuable tool (again when the action component
- read IPS - is added).

Yes, baselining takes some time.  So does tuning a signature-based
product.  We should all know by now that IPS is easy to deploy and tune
cause they've ripped out all of the signatures and only block on the
handful that they know they can block on accurately.  Don't get me
wrong.  With that being said, I still see the value of using IPS to
detect and block low hanging fruit.

On the other hand, NADS can have full network visibility, understand
what is normal activity for hosts, alarm the administrator, and even
take blocking action on the administrator's behalf.  How does it do this
without being inline?  It leverages the existing network infrastructure
to block attacks...something that is being called "infrastructure IPS".
This allows the NADS to find the piece of network infrastructure closest
to the threat (router, switch, firewall, etc.) and take blocking action
there in order to quarantine the attack.  Your IPS can't do that!
IDS/IPS can only detect and block once traffic passes the device (which
works great at the perimeter).  Since a NADS system has complete
visibility, it can instruct your infrastructure to take blocking actions
and stop internal threats more effectively.

> That whole Gartner prophecy of "IDS is dead" was referring to the idea
that detection by itself is just not enough. Maybe behavior detection
(NADS) might be good for
> forensics... but I'll take IPS wherever I can get it thank you. If one
can't afford IPS... then I guess going the forensics only route is
better than nothing. But even >then, pure-play behavior-based solutions
leaves the gap of not detecting known bad stuff.

As mentioned above, NADS can detect and block malicious activity.  And
yes, they provide a wealth of forensic information.  Lancope provides
the last 30 days.  As far as detecting known bad stuff, I suggest a
hybrid approach.  IPS at the perimeter to catch low hanging fruit, IDS
internally to detect known attacks, NADS to understand normal behavior
and detect/block on threats.  Your better NADS can correlate events from
signature based IDS.  This means that they can weed through the
thousands of signature-based IDS events that might be occurring daily
and cherry pick those that correlate to a behavioral change from a host.

A great example of this would be saving the administrator the time of
sorting through 1000 RPC buffer overflow alarms generated by his IDS
because his servers were not vulnerable and experienced no behavioral
change after the attack.  However, the administrator would be presented
the one RPC buffer overflow that correlated to a host that went outside
of its normal behavior and started scanning other hosts, connected to a
remote server on some random port, etc.

> btw... even Lancope has signatures (however outdated they may be)... so
even Lancope realizes the value of signatures in the security tool box.

They aren't signatures, but yes, we do have behavioral algorithms that
look for suspicious activity.  And yes, some of these do not require a
baseline to determine malicious behavior so in vague terms they could be
considered somewhat like a signature.  For example, I don't have to have
a baseline of a host to know that aggressive scanning on port 445 is
bad, port 80 traffic that is not valid http is bad, etc.

Hope this clarifies my position a bit.

Regards,
Joe 


Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis.  Visit www.lancope.com.


-----Original Message-----
From: Seek Knowledge [mailto:aseeker03 () yahoo com] 
Sent: Tuesday, August 30, 2005 6:58 PM
To: Joseph Hamm; Stefano Zanero; Daniel Cid; Focus-Ids Mailing List
Subject: RE: IPS comparison

IMHO comparing pure play havior detection to IPS is like comparing
apples and oranges. 

NADS appears to be more similar to the old sniffer technology with the
added feature of /possibly/ giving better clues as to the cause of the
anomaly from a security perspective whereas the old Network General
style explains from network problem perspective.

Protocol anomaly at least looks more promising in the IPS space as the
action capability is there. In my experience, it definitely takes time
baselining... but once baslined, it could be a valuable tool (again when
the action component - read IPS - is added).

That whole Gartner prophecy of "IDS is dead" was referring to the idea
that detection by itself is just not enough. Maybe behavior detection
(NADS) might be good for forensics... but I'll take IPS wherever I can
get it thank you. If one can't afford IPS... then I guess going the
forensics only route is better than nothing. But even then, pure-play
behavior-based solutions leaves the gap of not detecting known bad
stuff.

btw... even Lancope has signatures (however outdated they may be)... so
even Lancope realizes the value of signatures in the security tool box.

Regards,
Hassan  Karim, CISSP

--- Joseph Hamm <jhamm () lancope com> wrote:

> > Fact is, anomaly detection is so rare that it's
> almost unexistant in
> the commercial products, except for limited forms
> > of "protocol anomaly detection" and for Arbor's
> peakflow technology. 
>
> Not true!  The only reason this space hasn't gotten as much attention 
> over the last few years is cause everyone was busy buying signature 
> IDS and now IPS solutions.
>
> Pure Network Anomaly Detection players:
> Arbor
> Lancope
> Mazu
> Q1 Labs
> (All of these have been around for several years despite the lack of 
> industry attention to this space. Am I missing any new ones?)
>
> Also, for a recent article on network anomaly detection systems 
> (NADS), check out this month's Information Security Magazine (cover 
> story).  The NADS space (this is only the latest acronym used to 
> describe this group of products), is starting to get more attention 
> and press coverage.  You will also find some articles that call these 
> products NBAD (Network Behavior Anomaly Detection) solutions.
>
> Many security companies can detect "anomalies" in some form.  Almost 
> every security vendor has the word "anomaly" in their marketing 
> literature.  You need to understand what they mean by an "anomaly" and

> how they detect them.
>
> "protocol anomaly detection" and "network anomaly detection" are two 
> different things although detecting network anomalies can include 
> protocol anomalies as well.  An IPS is a point solution, usually has 
> limited network visibility (unless you spend a fortune and deploy them

> everywhere), and can only perform protocol anomaly detection (from 
> what I've seen).  In order to have the best NADS, you need complete 
> network visibility and an understanding of what is "normal"
> on your network.
>
> Rolling out NADS generally requires less appliances than IPS (read 
> less
> cost) because one box can gather network info from multiple SPAN 
> ports, network taps, or get NetFlow/sFlow feeds from remote 
> routers/switches.
>
> Kind regards,
> Joe
>
> Joe Hamm, CISSP
> Senior Security Engineer
> Lancope, Inc.
> jhamm () lancope com
> 404.644.7227  (cell)
> 770.225.6509   (fax)
>
> Lancope - Security through Network Intelligence(tm)
> StealthWatch(tm) by Lancope, a next-generation network security 
> solution, delivers behavior-based intrusion detection, policy 
> enforcement and insightful network analysis.  Visit www.lancope.com.
>
>
> -----Original Message-----
> From: Stefano Zanero
> [mailto:s.zanero () securenetwork it]
> Sent: Monday, August 29, 2005 6:01 PM
> To: Daniel Cid; Focus-Ids Mailing List
> Subject: Re: IPS comparison
>
> Daniel Cid wrote:
> > This "anomaly" detection will only detect 0-day
> exploits for known
> > vulnerabilities.
>
> A zero-day exploit is a curious marketing thing. You suddenly redefine

> a difficult problem (catching zero-days) as a rather simpler problem 
> (create signatures that actually describe the vulnerability, which is 
> what any signature worth your licensing cost should do).
>
> So, presto!, you can rush up and put out some rather nice marketing 
> material on it.
>
> Fact is, anomaly detection is so rare that it's almost unexistant in 
> the commercial products, except for limited forms of "protocol anomaly

> detection" and for Arbor's peakflow technology.
>
> Best,
> Stefano Zanero
> ---------------------------
> Secure Network S.r.l.
> www.securenetwork.it
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from

> CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
------------------------------------------------------------------------
>
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from

> CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
------------------------------------------------------------------------
>


Send instant messages to your online friends
http://uk.messenger.yahoo.com 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------