Dailydave mailing list archives

RE: Custom defense


From: Ron Gula <rgula () tenablesecurity com>
Date: Tue, 24 Aug 2004 09:33:47 -0400

I think the conversation has been pretty good so far, but I wanted
to add a few thoughts in a few areas.

- I'm seeing the SIM vendors (expert system guys) make the same
  mistakes the NIDS vendors made in the late 90s and early 00s.
  These are logging way too much data such that your underlying
  data store collapses and writing algorithms which don't scale
  across any dataset outside of a lab or out of two months of
  installation.

- I have yet to see an AI/heuristic/human-brain type algorithm
  be applied to packets, sessions, logs, etc. which didn't take
  a fairly sophisticated person to interpret the logs. And if you
  are going to model someone's mind, make sure you get a curious
  kid who is 3-4 years old and not a 35-year-old intellectual ;)

- There is no difference between signature based NIDS and the
  application-deviation protocol checkers. At the end of the day,
  if you know the check, you can avoid it.

- What I would like to see more of is use of products like Niksun
  and NetIntercept. These products are "packet vaulters" and
  maximize a huge benefit from NIDS which is normally under
  emphasized - deterrence to the insider.

Ron Gula, CTO
Tenable Network Security

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
