Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Dailydave] lots of monkeys staring at a screen....security?
From: Ron Gula (rgulatenablesecurity.com)
Date: Sat Oct 28 2006 - 06:57:42 CDT
Thomas Ptacek wrote:
> I am waiting for someone to tell me the story about how an IDS saved
> their bacon.
Before I even thought about writing Dragon, we used ISS RealSecure and
regularly caught a few internal users who were doing internal probes and
attempting to gain access to other servers they should not have been. I
was surprised at how effective NIDS monitoring was (this was late 1990s)
that we caught people trying to exploit things like Cold Fusion, that
older Compaq manager bug and so on.
When I finally did the Dragon IDS, for a year or two, we were tracking
customers who had either been able to discover internal hackers and fire
them or who had to open up ongoing investigations because there was a
set of remote folks trying to penetrate their network.
Comments in general:
- anomaly algorithms are just different forms of signatures; both can be
bypassed and there are good/bad algorithms
- even if your IDS totally sucks, you still might be from a business
vertical where the auditors require you to run something
- even if your IDS totally sucks, for the general internal user
population, it is a deterrent.
- even if your IDS (IPS) totally sucks, if your IT guys believe in it,
they will use it as an excuse to delay patching since they are "protected"
- an attack and a backdoor which involves an encrypted shell may or may
not be detected by a NIDS. Depends on the attack and the NIDS. There are
still many idiot hackers who use some sort of cool attack, cool
encrypted shell and then set up an IRC server on the box.
So having said that, today in 2006, I still see a lot of value in NIDS
for monitoring, but if that is all that one does and doesn't take into
account vulnerabilities, firewall logs, proxy logs, host logs, .etc,
then there is a lot that can be missed.
Ron Gula, CTO
Tenable Network Security
Dailydave mailing list