Snort mailing list archives

Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9


From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Wed, 2 Feb 2011 15:17:34 -0500

On Feb 1, 2011, at 11:58 AM, Jason Wallace wrote:

> "An effective IDS ruleset HAS to cover malware."
> 
> -- In my opinion, I[DP]S is not the answer to malware. "Many of those
> will not happen while the computer is on your network [ ... ]" That is
> why IDS has limited value when it comes to malware. I do not think IDS
> should ignore malware, but at most it should be seen as a second or
> third layer of protection. Patching, privilege reduction, and content
> filtering _at the asset level_ combined with user education will
> always be better primary levels of defense than IDS for this type of
> threat. An infected asset (on or off your network) constitutes a
> failure in your security program. That failure should initiate some
> sort of action/response. If the user was off-site when the infection
> occurred (and ~85% of our malware infections occur off-site, and yes I
> have that data) there is no direct action I can take from a network
> based IDS perspective to prevent a recurrence of that infection. If it
> is not directly actionable, it should not be considered a primary
> defense layer. If it is not a primary defense then it does not HAVE to
> cover it. Coverage would, at that point, be a value add.


It's not the end all answer, nothing is. A lot of technologies have to work together. IDS I think is absolutely 
definitely no doubt one of them.

We are never going to catch everything on the host with host based tools. And if you think about it, there is one thing 
malware HAS to do to be of use to its master. It has to talk to someone and either take commands or slip out 
information. This is 100% in the purview of IDS. 

You won't catch every attack or exploit, but we can do a lot for catching CnC traffic. And no, we won't catch them all. 
But let's hope what we catch and what the AV vendors don't catch overlap enough to get us closer to secure. 

Yes, an infection is a failure. But we will always have failures. And you'll have hosts that come in from the outside 
already infected. You MUST focus on CnC channels, I don't see any alternative. 

And on the NSS point, we test our AV vendors by how fast they cover the malware of the day. Why not apply the same 
standard to our IDS vendors? 


The biggest issue I had with that article (until I dug deeper) was this...

> "I believe we need to as consumers realign what we read into those
> marketing phrases, and reconsider what we should allow to be
> acceptable for the rhetoric."
> [ ... ]
> "We've just gone through launch, and have spent a lot of time
> developing our marketing slang. We purposely chose to use the term
> comprehensive to describe our ruleset."
> [ ... ]
> "We did not choose to use the term Complete. I don't think any
> security product can nor should give the impression that they'll catch
> everything."
> 
> Sounds great, but while the main page of the ET Pro web site (which
> will set many potential customers' initial impression) is entitled
> "the comprehensive ruleset", the first paragraph on the ET PRO website
> is titled "Complete Coverage." That put me off a little bit
> until I read the "the rules > coverage" page which does use
> "comprehensive" as opposed to "complete." Purposeful rhetoric? No, of
> course not, but that inconsistency immediately stood out when I went
> from the article directly to the main page of the ET Pro website.


True, looks inconsistent. Complete there is used in the context that Pro is not just malware, but full range coverage. 
Whereas the ET Open ruleset is best effort and very much focused on malware and experimental stuff. I'll change the 
wording to make that more clear. 

We are not the end all, catch everything, last security product you need. No one is. We're another cog in the wheel 
that should be your overall security program. We think we're a better cog than the equivalents though of course! :)


> All my previous points are obviously my opinion and can be argued
> either way, and I don't think there is a "right answer" that fits
> everyone's viewpoints on IDS/IPS. While I do not agree with
> everything Matt said, I think the article did explain his point of
> view and vision. Thanks for the interesting read.


Thanks. I like to rant, and I know I generalized a LOT in that article. But my overarching hope is that we all become 
more critical of the marketing hype, and keep in mind that everything we buy and deploy is just one part. None of them 
are complete, you have to look at the gaps between and make sure you're doing the best to have overlap to get you 
closest to 100%.

Matt


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
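
Editor's note: the reply above argues that CnC traffic is squarely in the purview of network IDS because malware has to phone home. As an added illustration of that point (example code written for this archive page, not code from the original post, from Emerging Threats, or from any ET ruleset), the script below flags periodic "beaconing" in flow records without any signature for the specific malware: it groups connections by (source, destination, port), computes the inter-connection gaps, and reports pairs whose gaps are both frequent and unusually regular. The flow records, IP addresses, and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _make_flows():
    """Build constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).

    These are made up for the example and are not real traffic.
    """
    flows = []
    # Hypothetical infected host checking in roughly every 60 seconds with small jitter.
    t = 0
    for gap in (0, 60, 61, 59, 61, 59, 59, 61, 61, 59, 60, 59):
        t += gap
        flows.append((t, "10.0.0.5", "203.0.113.7", 443))
    # Hypothetical normal host: bursty, irregular connections to one site ...
    for t in (3, 8, 40, 41, 100, 250, 251, 500, 700):
        flows.append((t, "10.0.0.8", "198.51.100.20", 80))
    # ... plus a handful of one-off connections to other destinations.
    for t, dst in ((5, "198.51.100.30"), (9, "198.51.100.31"), (200, "198.51.100.32")):
        flows.append((t, "10.0.0.8", dst, 443))
    return sorted(flows)


SAMPLE_FLOWS = _make_flows()


def find_beacons(flows, min_connections=8, max_cv=0.1, min_period=10):
    """Return (src, dst, port) pairs whose connection timing looks like a beacon.

    A pair is reported when it has at least `min_connections` flows, the mean
    gap between flows is at least `min_period` seconds (so chatty but legitimate
    keep-alives at sub-10s intervals are ignored), and the coefficient of
    variation of the gaps (stddev / mean) is at most `max_cv`, i.e. the timing
    is regular. The thresholds are assumptions chosen for this example; real
    deployments tune them against their own baseline traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period < min_period:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "port": port,
                "connections": len(stamps),
                "period": round(period, 1),
                "cv": round(cv, 3),
            })
    # Most regular (lowest jitter) first.
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible beacon: {src} -> {dst}:{port}, {connections} connections, "
              "period ~{period}s, jitter cv={cv}".format(**hit))
```

The hypothetical normal host in the sample data never trips the check: its nine connections to one site have wildly varying gaps (cv well above 0.1), and its other destinations are contacted too rarely to reach `min_connections`. Only the constructed 60-second check-in is reported. This is the kind of behavioural CnC detection that complements signature rules: it catches the channel regardless of which malware family is on the host, at the cost of needing tuning against legitimate periodic traffic such as update checks.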
