Re: [Dailydave] News, dumbug, prediction rebuttals.
From: David J. Bianco (biancojlab.org)
Date: Tue Jan 03 2006 - 08:25:17 CST
Anton Chuvakin wrote:
>>The same thing will happen in OSS. You're starting to see it in
>>Sguil, which will only get better.
> IMHO, Sguil follows a wrong model, since it requires a smart analyst
> in front of the console, something that most companies likely won't
> afford. But this is a discussion for another time and another place
> (although I do want to have it at some point! :-) Maybe Mr Bejtlich
> would like to argue this here or elsewhere)
Don't confuse sguil with a SIM. SIM implies a level of aggregation
and automation that is not appropriate for this type of Network
Security Monitoring (NSM) tool. Although there are superficial
similarities, they're not intended for the same purpose.
Sguil is simply a research tool for a number of specialized databases
(starting with NIDS, session and pcap data). It relies on a trained
analyst simply because it's not possible to do otherwise. The Bad Guys
are smart, and their capacity for underhandedness far exceeds the
ability of software to detect or respond. Trained security personnel are
indispensable not only for their ability to detect misuse, but also
for their reasoning skills and their investigatory capacity. These
are the sorts of operations sguil is designed to support.
If you want to talk about following the wrong model, trying to
replace trained security personnel with a software solution is
pretty high up on the list.
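As an added example (editor's illustration, not code from the original post, from Sguil, or from either author): the kind of analyst pivot the reply describes, from a NIDS alert to the session records around it and then to the full-content packets, and from there to "what else did this host touch?". All alert, session and packet records below are constructed for the example, and the matching rules (a 60-second grace window around the alert, a five-minute window for related sessions) are assumptions, not Sguil's.

```python
"""Constructed NSM pivot: alert -> session records -> full content -> related sessions.
Not Sguil's code; data and thresholds are made up for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:            # one NIDS alert
    ts: datetime
    src: str; sport: int; dst: str; dport: int; proto: str
    msg: str


@dataclass(frozen=True)
class Session:          # one flow/session record
    start: datetime; end: datetime
    src: str; sport: int; dst: str; dport: int; proto: str
    bytes_out: int; bytes_in: int


@dataclass(frozen=True)
class Packet:           # one packet pulled from full-content (pcap) storage
    ts: datetime
    src: str; sport: int; dst: str; dport: int; proto: str
    payload: bytes


def same_conversation(a, b):
    """True when two records share a 5-tuple in either direction."""
    fwd = (a.src, a.sport, a.dst, a.dport) == (b.src, b.sport, b.dst, b.dport)
    rev = (a.src, a.sport, a.dst, a.dport) == (b.dst, b.dport, b.src, b.sport)
    return a.proto == b.proto and (fwd or rev)


def sessions_for_alert(alert, sessions, window=timedelta(seconds=60)):
    """Sessions covering the alert's conversation; the window (assumed value)
    tolerates clock skew between the sensor's alert and flow timestamps."""
    return [s for s in sessions
            if same_conversation(alert, s)
            and s.start - window <= alert.ts <= s.end + window]


def packets_for_session(session, packets):
    """Full-content packets belonging to one session, in time order."""
    hits = [p for p in packets
            if same_conversation(session, p) and session.start <= p.ts <= session.end]
    return sorted(hits, key=lambda p: p.ts)


def related_sessions(host, sessions, around, window=timedelta(minutes=5)):
    """Every session involving `host` that started within `window` of `around`:
    the next question a human analyst asks once an alert looks real."""
    hits = [s for s in sessions
            if host in (s.src, s.dst) and abs(s.start - around) <= window]
    return sorted(hits, key=lambda s: s.start)


def pivot(alert, sessions, packets):
    """Bundle the evidence an analyst wants in front of them for one alert."""
    sess = sessions_for_alert(alert, sessions)
    pkts = [p for s in sess for p in packets_for_session(s, packets)]
    return {"alert": alert, "sessions": sess, "packets": pkts,
            "related": related_sessions(alert.src, sessions, alert.ts)}


# --- constructed sample data (RFC 5737 documentation addresses) ---
T0 = datetime(2006, 1, 3, 14, 25, 17)
ALERT = Alert(T0, "10.0.0.5", 40312, "192.0.2.10", 80, "tcp",
              "constructed: HTTP request matched a signature")
SESSIONS = [
    Session(T0 - timedelta(seconds=2), T0 + timedelta(seconds=5),
            "10.0.0.5", 40312, "192.0.2.10", 80, "tcp", 412, 9870),   # the alerted flow
    Session(T0 - timedelta(minutes=2), T0 - timedelta(minutes=1),
            "10.0.0.5", 40311, "192.0.2.10", 80, "tcp", 300, 1200),   # earlier flow, same hosts
    Session(T0, T0 + timedelta(seconds=1),
            "10.0.0.7", 51000, "198.51.100.4", 443, "tcp", 100, 100), # unrelated host
]
PACKETS = [
    Packet(T0, "10.0.0.5", 40312, "192.0.2.10", 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Packet(T0 + timedelta(seconds=1), "192.0.2.10", 80, "10.0.0.5", 40312, "tcp",
           b"HTTP/1.1 200 OK\r\n"),
    Packet(T0, "10.0.0.7", 51000, "198.51.100.4", 443, "tcp", b"\x16\x03\x01"),
]

if __name__ == "__main__":
    ev = pivot(ALERT, SESSIONS, PACKETS)
    print(ev["alert"].msg)
    for s in ev["sessions"]:
        print("session", s.src, s.sport, "->", s.dst, s.dport, s.bytes_out, "out", s.bytes_in, "in")
    for p in ev["packets"]:
        print("packet", p.ts.time(), p.src, "->", p.dst, p.payload[:40])
    for s in ev["related"]:
        print("related", s.start.time(), s.src, s.sport, "->", s.dst, s.dport)
```

The point of the bundle is not that the code decides anything: it only retrieves. The alert says a signature fired; the session record says how much data moved and for how long; the packets show what the request and response actually were; the related sessions show the earlier contact with the same server. Reading those together and deciding whether it matters is the step the reply argues cannot be automated away.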