Comments on TaoSecurity Blog: VizSec and RAID Wrap-Up
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated: 2023-10-16T06:06:25-04:00

Comment by toby (https://www.blogger.com/profile/02492929922686624574), 2008-10-02T03:24:00-04:00:

I didn't realize you were there. I would have enjoyed meeting in person. I'm guessing your comments about when people turn to visualization were based on the panel I ran regarding applied uses. I'm curious if you agreed or disagreed with our comments.
Your comment on Netflow seems to map to some of the things Lurene and Rich and Ron said.

Comment by Tomas (https://www.blogger.com/profile/00715178706455192275), 2008-10-01T04:56:00-04:00:

Hi,
There seems to be a lot of skepticism towards academic security research amongst the security industry and practitioners. However, I don't think only the academics are to be blamed. For instance, when working with intrusion detection it is awkwardly hard to get some real data to use for testing. Most often companies don't want to share their real traffic data for any reason. Even if they can anonymize it.

Since there is only one (as I know of) open dataset (MIT DARPA) for testing IDSs it is almost impossible to compare with previous research. If anybody could provide an up to date realistic test dataset on a continuous basis I think a lot of research in intrusion detection could be improved.

In case of improving the state of intrusion prevention I think we also would need some kind of a common test bed where people could test their algorithms/systems; maybe online.

Just some thoughts.

By the way, Richard, since RAID was a disappointment, what research would you like to see done in intrusion detection?

Comment by orekdm (https://www.blogger.com/profile/04416003749813394754), 2008-09-30T14:54:00-04:00:

I smell blood in the water....

I'll try to be brief but this has always been a pet peeve of mine. IPS is subject to the same criticisms that IDS is, but it's worse, because it's inline. Tuning is always the crux of the problem. If enterprises find it too difficult to appropriately staff their SOC with people capable of tuning IDS, how can you possibly make the claim that it can be done for IPS?

If you don't tune out the false positives on an IDS, you have extra noise and impact the performance of the whole system, preventing the maximum utility. The same is not true for IPS. You actually can *introduce* harm to your environment by not actively analyzing and tuning out false positives that are blocking traffic.

How many old uricontent matching rules are floating around out there in closed source rulesets that are matching modern legitimate traffic? What about the liability factors associated with closed source IPS rules generating false positives that are dropped by the default policies? I'd love to hear the lawyers start discussing that issue. I imagine the big players that hang their hat on ever increasingly sized IPS's will deny all responsibility and just point to their contract language.

I consider this the unspoken Achilles heel of IPS that some analysts haven't had the courage to address.

Perhaps it's time to trumpet the Hippocratic Oath for Network Security Management?

"First, do no harm."

p.s. I was disappointed with RAID this year.

Comment by Anonymous, 2008-09-28T10:16:00-04:00:

This comment has been removed by a blog administrator.

Comment by Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2008-09-27T14:09:00-04:00:

Hey Alex, please email me (taosecurity at gmail dot com). I'd like to talk Splunk on FreeBSD 7.x and integrating NSM data into Splunk. Thank you.

Comment by Anonymous, 2008-09-27T14:05:00-04:00:

Richard,

I think you have made a good assumption. It is highly unlikely that pundits, disconnected managers, product marketers, etc. have any insight into conditions in the operational "trenches". But from their perspective, who wants to know what the defender/responder thinks? They rarely have any influence on architecture or policy decisions.

Comment by Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2008-09-27T00:25:00-04:00:

I would venture the following assumption: most everyone who criticizes the need for IDS, or what I would call attack indication systems, are not doing any active network defense, dealing with intrusions, or trying to detect if their protective/resistive measures have failed. In other words, the critics are disconnected managers, pundits, analysts, reporters, certifiers/accreditors, auditors, and so on.
Does anyone really think it is possible to sit back and expect your defensive systems to stop everything?

Comment by Security Leaders Group (https://www.blogger.com/profile/13345287430589597890), 2008-09-26T22:32:00-04:00:

Richard, I would just point out that attacks are constant. I am telling you now. There, I saved you millions in spending on IDS.

The RBN is attacking, the Chinese government is attacking.

Are IDS logs something to investigate Monday morning after 48 hours of attacks? Do you advocate 24X7 monitoring as well?

I remember addressing the RAID conference at Carnegie Mellon a month after finally publishing my thoughts on the ineffectiveness of IDS. The audience seemed like they wanted to throw tomatoes at me!

Where is the "Recent Advances in Intrusion Prevention" conference? That would be worth going to.

-Stiennon