
| Subject: | Useful NADS |
|---|---|
| Date: | Wed, 31 Aug 2005 14:45:50 -0700 |
Honestly, I have never found "network anomaly detection (NADS)" to be a tremendously valuable technology for most organizations. It is definitely not a strong zero-day detector, although with the stars aligned I am sure it could be. If networks were built and managed to exact specifications, I could understand how network anomaly detection has merit. But in the hundreds of networks I have seen, very few of them are very clean. Most of them are filthy with a constant onslaught of "anomalies."

You give the example of a DNS server suddenly firing up and sending out requests. For every potential bad thing that could indicate, there are at least as many normal, acceptable and totally legitimate reasons such an event would happen. Thus when a NADS fires off an alert about this (or blocks it), there are just as many reasons to ignore it as there are to pay attention to it. As such, the IT admins are likely going to turn off that detection as soon as they get a dozen or so false positives. Whatever benefit that feature had is then irrelevant.

One thing I have learned in my travels installing IPS/IDS for 6+ years now is that 95% of the admins out there pay very little attention to the deluge of data that comes from IPS/IDS technologies. It's just too much data. It's too hard to separate the wheat from the chaff. As such, most adopt the attitude of "stop bad, allow good, log the rest." And therefore, tons of "might be" events are just going to get ignored.

Moreover, baselining these networks is also rarely useful. Baselining only works if your network actually stays within its baseline fairly regularly. Of the networks I've seen, most would routinely break their own baselines. Moreover, it's very easy for "bad stuff" to stay within the baseline, especially if the baseline has been tweaked and tuned to the point of irrelevance in order to stop the deluge of events.
So, while there may be a place for NADS, it would have to be intermixed with traditional IPS signature matching to be really effective and useful. And if the biggest plus of your product is just NADS, then the IPS is probably just tacked on to be competitive in the market. As such, organizations would be better off getting a top-of-the-line IPS, not a NADS that happens to have an IPS thrown in.

-----------------------------------------------
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
-----------------------------------------------

-----Original Message-----
From: Adam Powers [mailto:apowers@lancope.com]
Sent: Tuesday, August 30, 2005 3:02 PM
To: Ron Gula; Focus-Ids Mailing List
Subject: Re: IPS comparison
> - I agree that "anomaly detection" != "zero day" detection. Just because my DNS server starts to connect to all the other hosts on my network, doesn't mean it has got a worm on it.
This is why most of today's *successful* anomaly detection technologies incorporate a learning or "behavioral" component that overcomes this kind of problem. Take StealthWatch for instance. When a new DNS server comes online, StealthWatch looks at the flows being generated by the server, figures out what the server is and how it's behaving, then applies the appropriate algorithms given the contextual awareness of the server's learned behaviors.

In a nutshell:

1. New host detected.
2. Let's watch it for a bit and figure out what it's up to.
3. Now that we know what the machine is and does, apply the proper anomaly detection techniques to the traffic generated by the host.

Let's study your DNS example...
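The learn-then-detect outline in the quoted message (watch a new host, infer what it is, then apply role-appropriate rules) can be made concrete with a small per-host flow baseline. The Python below is an added illustration written for this archive page; it is not code from either poster, from Lancope, or from StealthWatch. The addresses, the flow records, the role map and the fan-out threshold are all constructed sample values, and the detection rule is one simple assumed design, not a description of any product's algorithm.

```python
"""Per-host behavioral baseline over flow records: learn what each host serves
and initiates, infer its role, then flag only role-inconsistent fan-out.
Added illustration; not StealthWatch or Lancope code. All addresses and flows
below are constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


# Constructed learning-phase flows: 10.0.0.53 answers DNS queries from internal
# clients and does recursive lookups to two upstream resolvers.
LEARNING_FLOWS = [
    Flow("10.0.1.10", "10.0.0.53", "udp", 53),
    Flow("10.0.1.11", "10.0.0.53", "udp", 53),
    Flow("10.0.1.12", "10.0.0.53", "udp", 53),
    Flow("10.0.0.53", "198.51.100.1", "udp", 53),
    Flow("10.0.0.53", "198.51.100.2", "udp", 53),
]

# Constructed monitored flows. The first two stay within the learned baseline
# (a learned service, merely to new peers); the last three are a fan-out on a
# service the DNS server never initiated while being learned.
MONITORED_FLOWS = [
    Flow("10.0.0.53", "198.51.100.9", "udp", 53),   # new upstream resolver
    Flow("10.0.1.13", "10.0.0.53", "udp", 53),      # never-seen client
    Flow("10.0.0.53", "10.0.1.10", "tcp", 445),
    Flow("10.0.0.53", "10.0.1.11", "tcp", 445),
    Flow("10.0.0.53", "10.0.1.12", "tcp", 445),
]

# Assumed role map: which served (proto, dport) implies which server role.
ROLE_BY_SERVICE = {("udp", 53): "dns-server", ("tcp", 445): "file-server",
                   ("tcp", 80): "web-server"}


def new_profile():
    return {"serves": Counter(), "initiates": Counter()}


def learn_profiles(flows):
    """Steps 1 and 2 of the outline: watch each host and record which
    (proto, dport) services it is contacted on and which it initiates."""
    profiles = defaultdict(new_profile)
    for f in flows:
        profiles[f.dst]["serves"][(f.proto, f.dport)] += 1
        profiles[f.src]["initiates"][(f.proto, f.dport)] += 1
    return profiles


def classify(profile):
    """Infer a role from the service the host is contacted on most often."""
    if not profile["serves"]:
        return "client"
    service, _ = profile["serves"].most_common(1)[0]
    return ROLE_BY_SERVICE.get(service, "unknown-server")


def detect(profiles, flows, fanout_threshold=3):
    """Step 3: role-aware rule. Alert once when a learned host initiates a
    (proto, dport) it never initiated during learning, to at least
    fanout_threshold distinct peers. Flows on an already-learned service are
    accepted even to never-seen destinations, so a resolver contacting a new
    upstream is not treated as an anomaly."""
    alerts = []
    novel_peers = defaultdict(set)
    for f in flows:
        prof = profiles.get(f.src)
        if prof is None:
            continue  # never-seen host: it would go back to step 1 (learning)
        service = (f.proto, f.dport)
        if service in prof["initiates"]:
            continue  # within the learned baseline
        novel_peers[(f.src, service)].add(f.dst)
        if len(novel_peers[(f.src, service)]) == fanout_threshold:
            alerts.append({"host": f.src, "role": classify(prof),
                           "service": service, "peers": fanout_threshold})
    return alerts


def run_example():
    profiles = learn_profiles(LEARNING_FLOWS)
    return detect(profiles, MONITORED_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run as written, the DNS server's lookup to a new upstream resolver produces nothing, while its tcp/445 fan-out to three internal clients produces exactly one alert tagged with the learned role. The same design choice also shows the trade-off Andrew raises: because anything on an already-learned service is accepted, misuse that stays on that service (a resolver talking udp/53 to one new peer) is invisible to this rule, which is why such a baseline is a complement to signature matching rather than a replacement for it.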