Snort mailing list archives
Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 1 Feb 2011 11:58:24 -0500
Nice article, but I don't think I'd agree with a lot of its content.

"[ ... ] NO security product is 100%. I'd argue that most security tools at the absolute best will get about 70% of your badness."

-- I understand the point being made with that statement (and I agree with it), but anytime a vendor (or potential vendor) puts a number or percentage to a statement, the first thing I ask for is their data set. In my opinion, that statement would have been better served as "will get most but not all of your badness."

"[ ... ] NSS I think focuses far too much on hitting a signature for every CVE out there while leaving malware and other issues off to the side."

-- I do not work for NSS, but I can see a good reason for this method of comparison. Even if they added samples from the top 100 malware threats to their testing, that test would be valid for a limited amount of time. Malware moves fast. 60 days later their test results would be questionable. Tying testing to specific vulnerabilities (vulnerabilities...not exploits) improves the shelf life of their results.

"An effective IDS ruleset HAS to cover malware."

-- In my opinion, I[DP]S is not the answer to malware.

"Many of those will not happen while the computer is on your network [ ... ]"

That is why IDS has limited value when it comes to malware. I do not think IDS should ignore malware, but at most it should be seen as a second or third layer of protection. Patching, privilege reduction, and content filtering _at the asset level_ combined with user education will always be better primary levels of defense than IDS for this type of threat. An infected asset (on or off your network) constitutes a failure in your security program. That failure should initiate some sort of action/response.

If the user was off-site when the infection occurred (and ~85% of our malware infections occur off-site, and yes I have that data), there is no direct action I can take from a network-based IDS perspective to prevent a recurrence of that infection. If it is not directly actionable, it should not be considered a primary defense layer. If it is not a primary defense, then it does not HAVE to cover it. Coverage would, at that point, be a value add.

"You can have high throughput, reliable, secure, manageable and inexpensive. All of those exist, but not at the same time."

-- That is not true, at least that is not true all of the time. The only real wildcard there is "inexpensive." That is only a wildcard because it is based on the organization's point of view. At the small private .edu I used to work for, "inexpensive" meant something very different than it did at the multi-billion dollar company I worked for at a different time. I would say the solution we have in place where I currently work meets all 5 of those categories from our point of view. Is it perfect? No. No solution will ever be perfect. But it meets the high expectations I require from an IPS solution. It would not, however, be considered inexpensive at the .edu I mentioned previously. When I find areas that need to be improved, I let the vendor know. Their responsiveness to those issues plays a role in whether they continue to be our solution or not.

The biggest issue I had with that article (until I dug deeper) was this...

"I believe we need to as consumers realign what we read into those marketing phrases, and reconsider what we should allow to be acceptable for the rhetoric."

[ ... ]

"We've just gone through launch, and have spent a lot of time developing our marketing slang. We purposely chose to use the term comprehensive to describe our ruleset."

[ ... ]

"We did not choose to use the term Complete. I don't think any security product can nor should give the impression that they'll catch everything."

Sounds great, but while the main page of the ET Pro web site (which will set many potential customers' initial impression) is entitled "the comprehensive ruleset," the first paragraph on the ET Pro website is titled "Complete Coverage." That put me off a little bit until I read the "the rules > coverage" page, which does use "comprehensive" as opposed to "complete." Purposeful rhetoric? No, of course not, but that inconsistency immediately stood out when I went from the article directly to the main page of the ET Pro website.

All my previous points are obviously my opinion and can be argued either way, and I don't think there is a "right answer" that fits everyone's viewpoints on IDS/IPS. While I do not agree with everything Matt said, I think the article did explain his point of view and vision. Thanks for the interesting read.

thx,
Wally
Current thread:
- Matt Jonkman in the new Hakin9 Castle, Shane (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Will Metcalf (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Dale Handy (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Michael Lubinski (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Joel Esler (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Michael Lubinski (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Jason Wallace (Feb 01)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Feb 02)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Martin Holste (Feb 02)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections John York (Feb 03)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections Matthew Jonkman (Feb 03)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections Marshall Bartoszek (Feb 04)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections Jefferson, Shawn (Feb 03)
- Re: was--Matt Jonkman in the new Hakin9--now detecting infections John York (Feb 03)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Will Metcalf (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Matthew Jonkman (Jan 31)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Jason Wallace (Feb 03)
- Re: [Emerging-Sigs] Matt Jonkman in the new Hakin9 Martin Holste (Feb 03)