IDS mailing list archives
RE: Current state of Anomaly-based Intrusion Detection
From: "Gunnoe, Jason" <Jason.Gunnoe () thomson com>
Date: Thu, 3 Mar 2005 14:45:49 -0500
On the contrary, I think that these large scale views would be perfect for identifying a storm like Slammer, if that is what your team is looking for. How often do those come around? I think the industry has changed, or at least started to, and has begun to look a little closer to home. Perimeter defense is not as effective as a layered approach because of the realities of business interconnects today. Patch management, host-based IDS and other technologies have really begun to fill, or muscle in to, those gaps.

What I am saying is simply that when the service is offered by a large ISP, it is much less valuable than it's made out to be. Yes, Slammer deserves a spot on the great map of internet disruptions. However, I need something that is a little closer to my assets, i.e. something that can identify and/or verify lost integrity, stolen PII, or a confidentiality breach. In our ball court, everything else boils down to an SLA or noise.

Sorry, I'm getting off topic again...

jg

-----Original Message-----
From: Thomas Ptacek [mailto:tqbf () arbor net]
Sent: Thursday, March 03, 2005 1:09 PM
To: Gunnoe, Jason
Cc: focus-ids () lists securityfocus com
Subject: Re: Current state of Anomaly-based Intrusion Detection

On Mar 1, 2005, at 2:17 PM, Gunnoe, Jason wrote:
> I have seen large ISPs implement anomaly technologies on internet backbones, but typically, they are only useful for identifying large scale malware disruptions before they happen. They always give the Slammer example, which is what, 4 years old now...
The Slammer example is usually given because it was one of the hardest attacks in the last 2 years to defend against, and one of the most damaging. I'm not sure whether you're trying to imply that these detection capabilities "weren't up to the task" of detecting Sasser. If that's your point, why don't you take a minute to justify it?

---
Thomas H. Ptacek // Arbor Networks
(734) 327-0000