IMHO comparing pure play havior detection to IPS is
like comparing apples and oranges.
NADS appears to be more similar to the old sniffer
technology with the added feature of /possibly/ giving
better clues as to the cause of the anomaly from a
security perspective whereas the old Network General
style explains from network problem perspective.
Protocol anomaly at least looks more promising in the
IPS space as the action capability is there. In my
experience, it definitely takes time baselining... but
once baslined, it could be a valuable tool (again when
the action component - read IPS - is added).
That whole Gartner prophecy of "IDS is dead" was
referring to the idea that detection by itself is just
not enough. Maybe behavior detection (NADS) might be
good for forensics... but I'll take IPS wherever I can
get it thank you. If one can't afford IPS... then I
guess going the forensics only route is better than
nothing. But even then, pure-play behavior-based
solutions leaves the gap of not detecting known bad
stuff.
btw... even Lancope has signatures (however outdated
they may be)... so even Lancope realizes the value of
signatures in the security tool box.
Regards,
Hassan Karim, CISSP
--- Joseph Hamm <jhamm@lancope.com> wrote:
Fact is, anomaly detection is so rare that it's
almost unexistant in
the commercial products, except for limited forms
of "protocol anomaly detection" and for Arbor's
peakflow technology.
Not true! The only reason this space hasn't gotten
as much attention
over the last few years is cause everyone was busy
buying signature IDS
and now IPS solutions.
Pure Network Anomaly Detection players:
Arbor
Lancope
Mazu
Q1 Labs
(All of these have been around for several years
despite the lack of
industry attention to this space. Am I missing any
new ones?)
Also, for a recent article on network anomaly
detection systems (NADS),
check out this month's Information Security Magazine
(cover story). The
NADS space (this is only the latest acronym used to
describe this group
of products), is starting to get more attention and
press coverage. You
will also find some articles that call these
products NBAD (Network
Behavior Anomaly Detection) solutions.
Many security companies can detect "anomalies" in
some form. Almost
every security vendor has the word "anomaly" in
their marketing
literature. You need to understand what they mean
by an "anomaly" and
how they detect them.
"protocol anomaly detection" and "network anomaly
detection" are two
different things although detecting network
anomalies can include
protocol anomalies as well. An IPS is a point
solution, usually has
limited network visibility (unless you spend a
fortune and deploy them
everywhere), and can only perform protocol anomaly
detection (from what
I've seen). In order to have the best NADS, you
need complete network
visibility and an understanding of what is "normal"
on your network.
Rolling out NADS generally requires less appliances
than IPS (read less
cost) because one box can gather network info from
multiple SPAN ports,
network taps, or get NetFlow/sFlow feeds from remote
routers/switches.
Kind regards,
Joe
Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm@lancope.com
404.644.7227 (cell)
770.225.6509 (fax)
Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation
network security
solution, delivers behavior-based intrusion
detection, policy
enforcement and insightful network analysis. Visit
www.lancope.com.
-----Original Message-----
From: Stefano Zanero
[mailto:s.zanero@securenetwork.it]
Sent: Monday, August 29, 2005 6:01 PM
To: Daniel Cid; Focus-Ids Mailing List
Subject: Re: IPS comparison
Daniel Cid wrote:
This "anomaly" detection will only detect 0-day
exploits for known
vulnerabilities.
A zero-day exploit is a curious marketing thing. You
suddenly redefine a
difficult problem (catching zero-days) as a rather
simpler problem
(create signatures that actually describe the
vulnerability, which is
what any signature worth your licensing cost should
do).
So, presto!, you can rush up and put out some rather
nice marketing
material on it.
Fact is, anomaly detection is so rare that it's
almost unexistant in the
commercial products, except for limited forms of
"protocol anomaly
detection" and for Arbor's peakflow technology.
Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with
real-world attacks from
CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Send instant messages to your online friends http://uk.messenger.yahoo.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
