IDS mailing list archives
RE: How to choose an IDS/FW MSS provider
From: Jason Baeder <jason_baeder () yahoo com>
Date: Thu, 17 Mar 2005 08:28:14 -0800 (PST)
I just couldn't resist wandering down this off-topic path ;-)

--- Andrew Plato <andrew.plato () anitian com> wrote:
> Thus my point - while seeing the details of a signature is fascinating to security geeks, it is not terribly important to the vast majority of IT admins.
That's true. However, as a security geek who is at the top of the escalation path, signatures are more than a fascination. Like Kjetil Dahl-Hansen, I would like the option to know more about what triggered an alert. Sure, the junior analysts may not care about sigs, and the security admins may not care about sigs, but when one of them points to an alert and asks me, "Is this something I should be concerned about?", I care. For me it's not a matter of "trusting" the vendor's signatures; it's a matter of understanding how those signatures react to the network's day-to-day traffic. With SiteProtector I find myself yelling Jerry-Maguire-like at the computer screen, "Show me the data! Show me the data!" If an IDS console shows the signature and the raw data (like, say, sguil), in the long run this saves time and money. With better alert assessment at the console, fewer alerts are passed to the general network/system admin population for vetting. Of course, this only works when you have knowledgeable people at the console.
> As such, I don't think the ability to see signature specs is an important measure of the value of an IPS/IDS product.
If I were in the business of selling IDS to customers to manage themselves, I wouldn't put that criterion at the top of the list either. I understand completely why one of my predecessors recommended that my current client deploy SiteProtector. It _is_ something they can use, understand, and maintain when my employer's contract ends, we leave, and the SiteProtector stays behind. The SOC crew that will take over may not care for the inner workings of IDS alerts, and they'll probably be content to open a ticket on an alert, pass it to the operations folks, and wait for them to vet it.

Jason Baeder