
RE: Definition of Zero Day Protection

Subject: RE: Definition of Zero Day Protection
Date: Mon, 09 Aug 2004 18:42:16 -0500

----- Original Message -----
From: "Teicher, Mark (Mark)"
Date: Mon, 9 Aug 2004 13:14:45 -0600
To: "Drew Simonis" ,
Subject: RE: Definition of Zero Day Protection

Drew,

What host-based products would fit this category based on the definition?

I know that Cisco tries to position their "Cisco Security Agent" product
in the 0-day blocking space, as it uses behavior blocking.  I've also seen
Symantec Manhunt (NIDS, but...) claiming to offer 0-day detection based on
protocol detection.  I don't think Symantec Host IDS offers the sort of
behavior blocking yet, but it does support whitelisting to restrict
application execution, which would offer some 0-day protection.  I am not
familiar with other offerings.

?? Do they really work ??

As mentioned, do we consider them working if, at 100% malicious detection,
they lump in 20% non-malicious false positives?  (Of course, I am making these
numbers up.)  I think, until the FP rate is reduced drastically, this sort
of blocking technology (including IPS) is more marketing than mainstream.
I don't trust the products to do what they say, and only what they say.

-Ds
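Drew's "100% detection, 20% false positives" figures can be made concrete with a base-rate calculation, which shows why a blocking product with that profile mostly blocks legitimate activity. The Python below is an added illustration for this thread, not code from either poster or from any product named above; the detection and false-positive rates are the made-up numbers from the message, and the 1% share of malicious events is an assumption chosen here for the example.

```python
"""Expected alert mix for a blocking product, given its detection rate,
false-positive rate and the share of events that are actually malicious.

Added illustration for the focus-ids thread; every figure is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AlertMix:
    malicious: float        # events that really were attacks
    benign: float           # events that were legitimate activity
    true_positives: float   # attacks the product blocked
    false_positives: float  # legitimate events the product wrongly blocked

    @property
    def alerts(self) -> float:
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        """Fraction of blocks that actually hit an attack (0.0 if nothing was blocked)."""
        return self.true_positives / self.alerts if self.alerts else 0.0

    @property
    def benign_share_of_blocks(self) -> float:
        """Fraction of blocks that hit legitimate traffic (the operational cost of the FP rate)."""
        return 1.0 - self.precision


def expected_alert_mix(detection_rate: float, fp_rate: float,
                       base_rate: float, n_events: int) -> AlertMix:
    """Expected counts over n_events, of which a base_rate share is malicious.

    detection_rate: share of malicious events the product blocks (true-positive rate).
    fp_rate: share of benign events the product wrongly blocks.
    """
    for name, value in (("detection_rate", detection_rate),
                        ("fp_rate", fp_rate), ("base_rate", base_rate)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {value}")
    malicious = n_events * base_rate
    benign = n_events - malicious
    return AlertMix(
        malicious=malicious,
        benign=benign,
        true_positives=malicious * detection_rate,
        false_positives=benign * fp_rate,
    )


def required_fp_rate(detection_rate: float, base_rate: float,
                     target_precision: float) -> float:
    """False-positive rate a product must reach so that target_precision of its blocks are real attacks.

    Solves TP / (TP + FP) = p for fp_rate, with
    TP = base_rate * detection_rate and FP = (1 - base_rate) * fp_rate.
    """
    if not 0.0 < target_precision < 1.0:
        raise ValueError("target_precision must be strictly between 0 and 1")
    tp = base_rate * detection_rate
    return tp * (1.0 - target_precision) / (target_precision * (1.0 - base_rate))


if __name__ == "__main__":
    # Drew's made-up numbers: 100% detection, 20% false positives.
    # The 1% base rate (1 in 100 events is an attack) is an assumption for this example.
    mix = expected_alert_mix(detection_rate=1.0, fp_rate=0.20,
                             base_rate=0.01, n_events=100_000)
    print(f"blocked attacks: {mix.true_positives:.0f}, "
          f"blocked legitimate events: {mix.false_positives:.0f}")
    print(f"precision: {mix.precision:.1%} "
          f"(so {mix.benign_share_of_blocks:.1%} of blocks hit legitimate traffic)")
    print("fp rate needed for 90% precision at this base rate: "
          f"{required_fp_rate(1.0, 0.01, 0.9):.3%}")
```

With these inputs, every one of the 1,000 attacks in 100,000 events is blocked, but so are 19,800 legitimate events: about 95% of what the product blocks is benign. Reaching 90% precision at the same base rate would need a false-positive rate around 0.11%, roughly two hundred times lower than the 20% figure, which is the gap Drew's "reduced drastically" refers to.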
