Network Security Focus-IDS

RE: How to choose an IDS/FW MSS provider

Subject: RE: How to choose an IDS/FW MSS provider
Date: Thu, 17 Mar 2005 08:28:14 -0800 (PST)
I just couldn't resist wandering down this off-topic path ;-)

--- Andrew Plato <andrew.plato@anitian.com> wrote:

> Thus my point - while seeing the details of a signature is fascinating
> to security geeks, it is not terribly important to the vast majority
> of IT admins.

That's true.  However, as a security geek who is at the top of the
escalation path, signatures are more than a fascination.  Like Kjetil
Dahl-Hansen I would like the option to know more about what triggered
an alert.  Sure, the junior analysts may not care about sigs, and the
security admins may not care about sigs, but when one of them points to
an alert and asks me, "Is this something I should be concerned about?",
I care.  For me it's not a matter of "trusting" the vendor's
signatures; it's a matter of understanding how those signatures react
to the network's day-to-day traffic.  

With SiteProtector I find myself yelling Jerry-Maguire-like at the
computer screen, "Show me the data!  Show me the data!"  If an IDS
console shows the signature and the raw data (like, say, sguil), in the
long run this saves time and money.  With better alert assessment at
the console, fewer alerts are passed to the general network/system
admin population for vetting.  Of course, this only works when you have
knowledgeable people at the console.

> As such, I don't think the ability to see signature specs is
> an important measure of the value of an IPS/IDS product.

If I were in the business of selling IDS to customers to manage
themselves, I wouldn't put that criterion at the top of the list either.
I understand completely why one of my predecessors recommended that my
current client deploy SiteProtector.  It _is_ something they can use,
understand, and maintain when my employer's contract ends, we leave,
and the SiteProtector stays behind.  The SOC crew that will take over
may not care for the inner workings of IDS alerts, and they'll probably
be content to open a ticket on an alert, pass it to the operations
folks, and wait for them to vet it.

Jason Baeder

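The distinction drawn in the post above, between an alert line that only names the signature and a console that also shows the raw data, as an added Python example (it is not code from the post, from sguil, or from SiteProtector). It models a minimal content-match rule in the style of a Snort rule option, fires it on two constructed HTTP requests, and shows that the alert summary is identical for both while the raw payload lets a second-line analyst tell a benign hit from one worth escalating. The signature ID and message, the addresses, and the two payloads are all made up for illustration.

```python
"""Added example: why an analyst wants the signature *and* the raw data.

A toy content-match signature fires on two constructed requests. The
alert line a locked-down console would show is the same for both; only
the raw payload distinguishes them.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    """Minimal content-match rule (loosely modelled on a Snort rule's
    sid/msg/content options). The values used below are illustrative."""
    sid: int
    msg: str
    content: bytes


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str
    offset: int       # where the content matched in the payload
    payload: bytes    # the raw data a good console lets you open


def match(sig: Signature, src: str, dst: str, payload: bytes) -> Optional[Alert]:
    """Fire an alert if the signature's content appears anywhere in the payload."""
    offset = payload.find(sig.content)
    if offset < 0:
        return None
    return Alert(sig.sid, sig.msg, src, dst, offset, payload)


def summary_line(alert: Alert) -> str:
    """All a console shows when it hides the signature and the raw bytes."""
    return f"[{alert.sid}] {alert.msg} {alert.src} -> {alert.dst}"


def request_uri(payload: bytes) -> str:
    """Request-line URI of an HTTP request, or '' if the payload is not one."""
    m = re.match(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n", payload)
    return m.group(1).decode("latin-1") if m else ""


def escapes_root(uri: str) -> bool:
    """True if '..' components ever climb above the request's starting
    directory, i.e. the traversal is not just harmless path noise."""
    depth = 0
    for part in uri.split("?")[0].split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def vet(alert: Alert) -> str:
    """Second-line triage that is only possible with the raw data in hand."""
    uri = request_uri(alert.payload)
    if not uri:
        return "needs-review"
    return "escalate" if escapes_root(uri) else "benign"


# Constructed sample traffic and a made-up signature (not from any real sensor).
SIG = Signature(sid=1000001, msg="WEB-MISC ../ in request URI", content=b"../")
BENIGN = b"GET /docs/../index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
SUSPECT = b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"


def triage(payload: bytes, src: str = "10.0.0.5", dst: str = "10.0.0.80"):
    """Return (summary line, verdict) for a payload, or None if no alert fires."""
    alert = match(SIG, src, dst, payload)
    if alert is None:
        return None
    return summary_line(alert), vet(alert)


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("suspect", SUSPECT)):
        line, verdict = triage(payload)
        print(f"{name:8} {line}  =>  {verdict}")
```

Run as a script, both requests produce the same `[1000001] WEB-MISC ../ in request URI 10.0.0.5 -> 10.0.0.80` line; a console that stops there hands both to the operations folks to vet, while one that exposes the payload lets the analyst close the first and escalate the second without leaving the console.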


