Re: Definition of Zero Day Protection

[Ranjeet Shetye <ranjeet.shetye2 () zultys com>]

Lets say that Worm.A has been mutated into Worm.A1, and that protection
against Worm.A also happens to protect against Worm.A1 .

Is this Zero Day Protection with respect to Worm.A1 ? Marketing would say
"Yes". Its an additional checkbox that they can tick while selling to a
client. (Technically, it could be considered a very weak form of Zero Day
Protection)

An engineer would probably apply more stringent standards before he/she
claimed zero-day protection. An engineer would probably envision Zero
Day Protection to be reasonable protection against an unknown agent that
has not been previously studied. Complete protection from such unknown agents
would be the "cool" zero day protection that we all aim for.

Lets just say that Marketing standards are weaker than Engineering standards
cos the driving forces are different i.e. customer-sales-driven versus
technology-driven.

Ranjeet.

* Teicher, Mark (Mark) (teicher () avaya com) wrote:
> Marketing ploy??  You mean marketing people don't state the truth about
> Zero Day Protection and how it works ??
>
> /mark
>
> -----Original Message-----
> From: Carey, Steve T GARRISON [mailto:steven-carey () us army mil] 
> Sent: Monday, August 09, 2004 11:08 AM
> To: Teicher, Mark (Mark)
> Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com
> Subject: RE: Definition of Zero Day Protection
>
> My own personal opinion, based on 7 years of experience in intrusion
> detection, is that it is a marketing ploy.  Only way to ensure Zero Day
> Protection is to use a 'suite' of IDS tools and have an analyst looking
> at those logs 24/7 to find the Zero Day Exploit.  
>
> Vendors can state they prevent Zero Day Exploits but to do that you can
> also stop legitimate traffic.  Maybe sometime in the future that can
> happen, but not today.
>
> Steve Carey
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> --------------------------------------------------------------------------

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------