Dailydave mailing list archives

Re: lots of monkeys staring at a screen....security?


From: Gadi Evron <ge () linuxbox org>
Date: Fri, 27 Oct 2006 07:24:00 -0500 (CDT)

On Fri, 27 Oct 2006, Joanna Rutkowska wrote:

Dave Korn wrote:
/.../
  Second point is: defense in depth.  It's an extra barrier.  You don't /not/
run an AV just because someone can write a custom virus it won't detect.  You
run simple and automated systems that can deal with the 90% of threats that
are easily managed in order to free up valuable /human/ resource to look into
the 10% that really do need to be understood.  It does /work/; it's just that,
when working, it only has a limited role to fill and is not a
one-stop-shop-one-size-fits-all-be-all-and-end-all-turnkey-security-solution.


Nobody says it needs to be a one-size-fits-all solution - it's just that
there is a difference between something which is capable of
detecting/preventing only a bunch of *known* exploits vs. something
which is capable of preventing a known *class* of attacks...

joanna.

Enough people here know about how IDSs don't live up to nearly any
expectations, or how they... do? I personally don't believe in them in any
way; I would implement them once I am done with a lot of other security
measures.

Now, if I am to look at what they give me vs. another box for compromising
which sits in a critical location... I am not sure what choice I'd make.

For some reason, people equate Intrusion Detection to IDS devices. IDS
devices are signature based and try to detect bad behaviour using, erm, a
sniffer or equivalent.

Intrusion detection is everything which will help detect an intrusion. IDS
won't unless it's too late, and keep you busy while you're at it.

        Gadi.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
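As an added illustration (not code from the thread or from anyone posting in it) of the distinction Joanna draws between detecting a handful of *known* exploits and catching a whole *class* of attacks, the following compares a signature match against a normalising, class-level check over a few constructed request lines; the sample requests and signature list are invented for the example.

```python
from urllib.parse import unquote

# Constructed sample request lines (not taken from the page): one benign,
# one matching a known exploit string, two variants of the same attack class.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/../../../etc/passwd HTTP/1.1",
    "GET /cgi-bin/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET /images/%2e%2e/%2e%2e/etc/shadow HTTP/1.1",
]

# Signature-based detection: fires only on the exact bytes of a known exploit.
KNOWN_EXPLOIT_SIGNATURES = ["../../../etc/passwd"]


def signature_match(request: str) -> bool:
    """True if the raw request contains any known exploit string."""
    return any(sig in request for sig in KNOWN_EXPLOIT_SIGNATURES)


def escapes_web_root(request: str) -> bool:
    """Class-level check: decode the path the way a server would, then test the
    property every member of the traversal class shares (leaving the web root)."""
    path = request.split(" ")[1]
    for _ in range(3):  # bounded repeated decoding handles double-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:  # climbed above the document root
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def classify(requests):
    """Return (request, signature_hit, class_hit) for each request."""
    return [(r, signature_match(r), escapes_web_root(r)) for r in requests]


if __name__ == "__main__":
    for req, sig, cls in classify(SAMPLE_REQUESTS):
        print(f"signature={sig!s:5} class={cls!s:5}  {req}")
```

The encoded variants slip past the signature list but are still caught by the class-level check, which is the gap the thread is arguing about.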