Subject: TripWire (WAS: Re: Host IDS)
From: Greg Shipley (gshipleyNEOHAPSIS.COM)
Date: Thu Nov 02 2000 - 19:57:12 CST


On Tue, 31 Oct 2000, Gene Kim wrote:

> I'm beginning to become increasingly fervent in my belief that Tripwire (and
> other integrity solutions) should be put into a category, fully outside
> "intrusion detection". Anyone who has had to defend servers knows that
> Tripwire has a place in a security architecture, complementary to NIDS and
> HIDS. (The danger is that people may inadvertently skip integrity
> altogether, thinking that they're covered because they've implemented a NIDS
> and HIDS solution.)
>
> I think the critical taxonomy lies in the fact that it's integrity vs.
> anomaly detection. (i.e., "is it the same as yesterday" versus "is this
> something that is characteristic of misuse or an intrusion")
>
> To roll up in one sentence, I view IDS as early warning detection, and
> integrity as damage assessment and recovery. I use both, because both are
> essential.
>
> My question: Is there a danger in stepping out of the high-sizzle area of
> "intrusion detection"? We all think it sounds so sexy. :-) (Note AIDE
> stands for "advanced intrusion detection environment"... And the original
> Tripwire papers did say that Tripwire was originally designed for "intrusion
> detection")

Gene,

As a frequent contributor to Network Computing, I get to see things from
all angles (which is not always good). Take this for whatever it's worth,
but when I wear my press/media hat, I get BOMBARDED with PR and marketing
people and some really, well, quite stupid press releases.

Internal to NWC we sort of approach marketing and public relations people
from two angles. Angle one - what they are TRYING to pitch. Angle two -
what reality is. Based on this approach we have a good number of laughs,
some hilarious internal threads when PR mail merge programs blow up, and
some overall great material when it comes to blowing people shit. :) If
anyone on this list reads Fritz Nelson's column, they know that the
vendors get their fair share of black eyes for being stupid.

What *I* have received as a "press guy" over the past year is an
overwhelming amount of PR garbage using the phrase "intrusion detection."
I mean, it's in everything from web-log parsers to stupid little Win98
apps that have blinky lights and WAV files. And to the PR and marketing
agents' credit, a lot of people have bought into this hype. Heck, look at
what some of the other mags put out - wasn't it "SCMagazine" that
"reviewed" NetProwler, Sniffer Pro, and Sybergen Secure Desktop in the
same article? *smirk* :)

Ah, but I digress.

Now, while I try to do my best when writing to cut through the hype, heck,
in the end it's just me and my opinion. Ok - so with all of that said,
what *I* have tried to do is draw a line between something that serves as
an "intrusion detection tool" and an "intrusion detection system." IMHO,
even the NT event log can be used for intrusion detection purposes. So by
all means, IMHO Tripwire should embrace that buzzword head-on. But I
agree with you that the Tripwire product, in its current form, doesn't fit
as an Intrusion Detection SYSTEM (IDS).

This of course opens me up to debates around the use of the word "system,"
but, hey, it's a start. In the end, I think what is really important is
how Tripwire pitches its own product. If your marketing and PR team
starts trying to spin it as an alternative to traditional IDS, yeah, IMHO
that's wrong. If they make clear what it does, and what it doesn't do,
hell, more power to you.

Am I making any sense?

So maybe start working on carving out the "intrusion detection tool"
space? What's a sexier word for "tool?" Or, wait, maybe you could work
the term "appliance" in there somewhere? *grin* </sarcasm>

Good luck,

-Greg
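Gene Kim's "is it the same as yesterday" test, written out as an added example that is not part of this thread and is not Tripwire's own code: a minimal integrity checker that records a baseline of hashes and attributes, seals that baseline with an HMAC so a tampered database is rejected, and then reports what appeared, what vanished and which attributes changed. The directory tree, the "trojaned" files and SEAL_KEY are constructed for the demonstration; in a real deployment the key and the sealed baseline live off the monitored host.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical key for sealing the baseline (constructed for this example).
SEAL_KEY = b"example-baseline-sealing-key"


def snapshot(root):
    """Record, for every regular file under root, the attributes an integrity
    checker compares: SHA-256 of contents, size, permission bits and mtime."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        db[path.relative_to(root).as_posix()] = {
            "sha256": h.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),   # includes setuid/setgid bits
            "mtime": int(st.st_mtime),
        }
    return db


def seal(db, key=SEAL_KEY):
    """Serialise the baseline canonically and append an HMAC, so that an
    attacker who edits the database to hide a change is caught at the next run."""
    body = json.dumps(db, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def unseal(blob, key=SEAL_KEY):
    """Verify the HMAC before trusting the baseline; raise on tampering."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def compare(baseline, current):
    """Damage assessment: files added, files removed, and per-file attribute
    differences for files present in both snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        diffs = {k: (baseline[name][k], current[name][k])
                 for k in baseline[name] if baseline[name][k] != current[name][k]}
        if diffs:
            changed[name] = diffs
    return added, removed, changed


def demo():
    """Constructed scenario: baseline 'yesterday', tamper 'today', then check.
    Returns (added, removed, changed, tampered_db_rejected)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        for p, m in ((root / "bin" / "ls", 0o755), (root / "bin" / "ps", 0o755),
                     (root / "etc" / "passwd", 0o644)):
            os.chmod(p, m)                      # fix modes so results don't depend on umask
        sealed = seal(snapshot(root))           # the baseline, kept off-host

        # "Today": trojaned ls, a new setuid shell, a vanished file, and a
        # permission-only change to ps (content untouched, so hashing alone misses it).
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho evil\n")
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(root / "bin" / "sh", 0o4755)
        (root / "etc" / "passwd").unlink()
        os.chmod(root / "bin" / "ps", 0o4755)

        added, removed, changed = compare(unseal(sealed), snapshot(root))

        # An attacker editing the baseline must be rejected: flip one tag byte.
        tampered = sealed[:-1] + (b"0" if sealed[-1:] != b"0" else b"1")
        try:
            unseal(tampered)
            rejected = False
        except ValueError:
            rejected = True
        return added, removed, changed, rejected


if __name__ == "__main__":
    added, removed, changed, rejected = demo()
    print("added:", added)
    print("removed:", removed)
    for name, diffs in changed.items():
        print("changed:", name, diffs)
    print("tampered baseline rejected:", rejected)
```

Two design points worth noting: the permission-only change to ps shows why a checker records mode bits and not just a content hash (a setuid bit flipped on an untouched binary is exactly the "damage" you want to find), and the sealed baseline shows why the database itself needs protecting, since a tool that compares against a database the intruder can rewrite is reporting yesterday as the intruder defines it.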