RE: RE: Cisco CTR

["Teicher, Mark (Mark)" <teicher () avaya com>]

The SIM market as stated before is still very immature.  The log
analysis mailing list discusses the details of this very topic.  The
value of the product is based on whether an organization understands how
to ascertain the value of implementing such an application.  As most of
the applications have to provide real value to an organizations'
security posture.  
NIDS, NIPS, HIDS, HIPS, Host Integrity, AV.  What is the benefit of them
all.  A security solution is comprised of multiple applications that
provide overall value.
As to my opinion or my thoughts, I evaluate products based on the
information I am provided from the vendor, the documentation and
designers.  If all the output of the products provide management the
correct information, then the products are ok.  
If a product has massive errors in the documentation, hard to implement,
and difficult to use, then isn't a real value in the application.
Some companies try to persuade organizations that their product is
better in a feature versus feature comparison but yet really understand
what it means to be able to deploy to 5,000 users, 10,000 users or
150,000 users under a network environment outside of a test lab.  
The developers who post to this list have been in the industry long
enough to understand what it takes to design security software for a
enterprise class organization, but some companies who claim to produce
Enterprise Security Software don't have a "CLUE".  It is very nice to
play with all the bells and whistles but if it prevents the end user
from utilizing common applications then it is time to conduct thorough
research.

/hope that answers your question
/m

-----Original Message-----
From: liranil () optonline net [mailto:liranil () optonline net] 
Sent: Friday, November 28, 2003 8:02 AM
To: Teicher, Mark (Mark)
Cc: Bohling James CONT JBC; John Petropoulos; Rob Shein; Gary Flynn;
focus-ids () securityfocus com
Subject: Re: RE: Cisco CTR


Mark,

Thanks for your input.
I have heard about Intellitactics a lot....
I still have some really hard time understanding the value of using such
a product , which I preceive as a log aggregator, to add real value to
my security posture managment. 
The SIM providers has no security knowledge or "smart engines" to
correlate based on substantial security knowledge and experience.

BTW, The have great ways to present their results....

I am not talking on Intellitactics soley , I am talking on all of this
SIM market ; Archside, guardednet , etc. Mark , What do you think about
it?

----- Original Message -----
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Wednesday, November 26, 2003 12:47 pm
Subject: RE: Cisco CTR

> IMHO, Intellitactics is in a different class of products. I have used 
> the rule correlation engine for mapping events in syslog to Windows 
> Event viewer. Kiwi Syslog for Windows can help one in a pinch or who 
> has limited IT budget, but again a different product and not a NIDS, 
> HIDS, NIPS, NIDS, etc
>
> /m
>
> -----Original Message-----
> From: Bohling James CONT JBC [james.bohling () JBC JFCOM MIL]
> Sent: Wednesday, November 26, 2003 7:08 AM
> To: John Petropoulos; Rob Shein; Gary Flynn
> Cc: Liran Chen; focus-ids () securityfocus com
> Subject: RE: Cisco CTR
>
>
> Intellitactics may help and may not.  The Intellitactics is only
> as good
> as your sensors (IDS, FW, Syslog, Host based systems, etc).  It is a
> manager or correlator of disparate network and host based sensors it
> does nothing on the active side unless you install the Incident 
> manager
>
> Thank You,
> James T. Bohling, CCNA, Security+, MCP-Win2k
> Network Security Engineer - JBC CoE
> Joint C4ISR Battle Center (AMSEC)
> 116 Lake View Parkway
> Suffolk, VA 23435
> (W) 757-638.4032
> Web: www.jbc.jfcom.mil
> This email was produced and manufactured in America, and is a 
> one-of-a-kind original.
>
>
>
> -----Original Message-----
> From: John Petropoulos [jpetropoulos () jetnet ca]
> Sent: Friday, November 07, 2003 11:21 AM
> To: 'Rob Shein'; 'Gary Flynn'
> Cc: 'Liran Chen'; focus-ids () securityfocus com
> Subject: RE: Cisco CTR
>
> Considering the scanner knows what to look for...  So at least an
> updateon the IDS sensor, scanner, CTR, or whatever is going to be 
> needed.
> The fact is that there are many IDS alarms to go through and you don't
> want
> to see anything that isn't going to be a waste of your time.   I would
> recommend any product that helps reduce the amount of IDS alarm
> management, but I will also issue this one warning, make sure you 
> have a
> way of knowing that there is an attack in progress even if the IDS
> doesn't alert b/c of CTR.  Examples that may help achieve this: Net
> Forensics and Intellitactics or a conjunction of network & host-based
> ids with vulnerability analysis engine or the list just goes on...
>
>
>
> -----Original Message-----
> From: Rob Shein [shoten () starpower net]
> Sent: Thursday, November 06, 2003 5:56 PM
> To: 'Gary Flynn'
> Cc: 'Liran Chen'; focus-ids () securityfocus com
> Subject: RE: Cisco CTR
>
>
> Yes, but nobody patches it THAT quickly.  CTR acts immediately,
> not a
> half-hour later...it would have started scanning by the time the 
> hackerat the other end notices that he has a shell...
>
> > -----Original Message-----
> > From: Gary Flynn [flynngn () jmu edu]
> > Sent: Thursday, November 06, 2003 5:58 PM
> > To: Rob Shein
> > Cc: 'Liran Chen'; focus-ids () securityfocus com
> > Subject: Re: Cisco CTR
> >
> >
> >
> >
> > Rob Shein wrote:
> >
> > > I think this largely relates to the earlier discussion
> > about how there
> > > is a difference between a "false positive" and an actual
> > attack that
> > > fails to succeed.  Ask yourself this: are you going to want to
> know
> > > about all attacks or just those that have a chance of success?
> If
> > > someone throws IIS attacks at your apache web server, do
> > you want to
> > > know about it...or do you want to wait until they start using
> > > apache-compatible exploits?
> > >
> > > There's a good summary of what CTR does here:
> > > http://www.cisco.com/en/US/products/sw/secursw/ps5054/
> >
> > Another thing to think about - some folks have a habit of
> patching the
>
> > hole they came in through. Just because a vulnerability scan
> shows no
> > vulnerability it does not mean an attack was unsuccessful.
> >
> > --
> > Gary Flynn
> > Security Engineer - Technical Services
> > James Madison University
> >
> > Please R.U.N.S.A.F.E.
> > http://www.jmu.edu/computing/runsafe
>
>
> -------------------------------------------------------------------
> -----
> ---
> Network with over 10,000 of the brightest minds in information
> securityat the largest, most highly-anticipated industry event of 
> the year.
> Don't miss RSA Conference 2004! Choose from over 200 class 
> sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
> and use priority code SF4.
> -------------------------------------------------------------------
> -----
> ---
>
> -------------------------------------------------------------------
> -----
> ---
> Network with over 10,000 of the brightest minds in information
> securityat the largest, most highly-anticipated industry event of 
> the year.
> Don't miss RSA Conference 2004! Choose from over 200 class 
> sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
> and use priority code SF4.
> -------------------------------------------------------------------
> -----
> ---
>
>
> -------------------------------------------------------------------
> -----
> ---
> -------------------------------------------------------------------
> -----
> ---


---------------------------------------------------------------------------
---------------------------------------------------------------------------