SPAM: -------------------- Start SpamAssassin results ---------------------- SPAM: This mail is probably spam. The original message has been altered SPAM: so you can recognise or block similar unwanted mail in future. SPAM: See http://spamassassin.org/tag/ for more details. SPAM: SPAM: Content analysis details: (6.2 hits, 5 required) SPAM: Hit! (0.5 points) Possibly-forged 'Received:' header found SPAM: Hit! (0.7 points) BODY: Contains a line >=199 characters long SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com SPAM: [RBL check: found 10.75.236.63.relays.osirusoft.com., type: 127.0.0.4] SPAM: Hit! (3 points) DNSBL: sender is Confirmed Spam Source SPAM: SPAM: -------------------- End of SpamAssassin results --------------------- --EXCITEBOUNDARY_000__f8f250586e94a4dd565e1dc3bfabf0c1 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit I gotta jump in here to point out that a vendor is in business to sell you something you think you need, and a good vendor (read: salesperson) will spin the status quo as not good enough, but, "I have what you really need." If I were to walk into Anitian, or any other security vendor, and lay out my security plan as a once a month, or even once a week log review, along with NIDS/HIDS that notifies me daily of "suspicious" activity, someone's not doing their job if they tell me that that's sufficient, and there's nothing more I should be doing. My bet is you would describe my monitoring plan as inadequate, and that you have one that would allow me to sleep better at night. My point is 2-fold: there's always someone willing to convince you they have something better that you need, and, if you don't want to have to defend your product, don't try to push it on a list where most people know better. Andrew Plato wrote:> >So the end-user is monitoring the IDS?> > ! >The point being that *someone* had better be monitoring the IDS in real> >time, or else it is not worth having.> Nobody can monitor an IDS in real-time. Not even a 24/7/365 shop. They just> have some guy sitting in a data-center somewhere. He watches a console.> When a red light comes on, he sends you a page. He doesn't reach into> your network and fix the machine. He doesn't do anything but TELL you> there is a problem after it has happened. And most of the 24/7/365 shops> I have looked into, don't even provide analytical support. They just > read off> the information from the IDSs vendor's help file.> > Our service isn't designed to be real-time. Its a regular maintenance and> management of the information. Its also can include a lot of services> 24/7/365 shops cannot do, like vulnerability scanning, on-site forensics,> system patching, etc. Stuff that does not require 24/7/365 coverage.> > Our service also focuses ! intensely on analysis. Reviewing the data and> making deci! sions based on what we see.> > > > Our service was designed to offer these places> > > expert help and peace of mind. To make sure everything is running and> > > working at optimal efficiency and capability.> > >> > Here's the problem:> > > * If you are providing real-time 24/7 monitoring (as many outsourced> > security monitoring companies do) then you are providing effective> > IDS value to a customer that lacks the expertise to have in-house> > analysts.> > * But if you are only doing the outsourced monitoring every week or> > so, then either the unskilled end-user is monitoring the IDS, or> > (worse) no one is monitoring the IDS. In this case, both the> > service and the IDS are of NO VALUE. They are a pure feel-good> > decoration.> The purpose of an IDS is not to give you instantaneous recovery from an >! ; intrusion.> The purpose of an IDS is to give insight and information about what is > happening on> a network. While in a perfect world, these systems would be constantly > monitored> by a trained person - that is simply beyond what many organizations can > afford.> > Monitoring and collecting information about network activities has value > provided> it is analyzed and fed back into some kind of decision matrix. An IDS has> no value when it is not monitored AT ALL. But regular monitoring and > analysis> is what gives it value. And most 24/7/365 shops do no analysis at all. > They just> alert. We are providing the expert analysis that can arm IT admins with the> facts they need to make intelligent decisions about their network's > security. > > > Exactly: all this does is generate peace of mind, without any actual> > security value.> > Wrong. We can catch subtle attacks and issues before they beco! me a problem.> We can spot strange behavior that would go ! totally unnoticed to an untrained> IT admin and then arm them with the information to make a decision about> how to handle that.> > They can then make an informed decision about how to better secure their > network> based on FACTS not obnoxious rantings and ravings from security gurus. > > By my definition, that is security value.> > > To be clear, I'm not just bashing IDS as useless. Just pointing out that> > IDS is useless unless it is accompanied by human 24x7 monitoring, which> > you can either do your self, or outsource.> > > Now-and-then monitoring of IDS is not useful, because the attacker can> > do a great deal of damage before you notice it. Including change the IDS> > logs.> Very few firms have the resources to do 24/7/365 monitoring. Its simply too> expensive. An now-and-then analysis is better than none at all. At least > the> systems are being watched regularly.> > Besid! es, we do a lot more than merely monitor. There is IDS tuning, > optimization,> signature updating, and general analysis to insure the system is running> optimally and spitting out relevant information and not just gobs of > false positives.> > I think there is value in this, my customers find it valuable, and I > don't expect> you would find it valuable, because its not intended for you.> > -----------------------------------> Andrew Plato, CISSP> President / Principal Consultant> Anitian Corporation> > (503) 644-5656 office> (503) 201-0821 cell> http://www.anitian.com <http://www.anitian.com/>> ------------------------------------> > ------------------------------------------------ Changed your e-mail? Keep your contacts! Use this free e-mail change of address service from Return Path. Register now! --EXCITEBOUNDARY_000__f8f250586e94a4dd565e1dc3bfabf0c1 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit <table cellpadding=10 cellspacing=0 border=0 width=100% bgcolor=white><tr height=200><td width=100%><font size=2 color=black><DIV>I gotta jump in here to point out that a vendor is in business to sell you something you think you need, and a good vendor (read: salesperson) will spin the status quo as not good enough, but, "I have what you really need." </DIV><DIV> </DIV><DIV>If I were to walk into Anitian, or any other security vendor, and lay out my security plan as a once a month, or even once a week log review, along with NIDS/HIDS that notifies me daily of "suspicious" activity, someone's not doing their job if they tell me that that's sufficient, and there's nothing more I should be doing. My bet is you would describe my monitoring plan as inadequate, and that you have one that would allow me to sleep better at night. </DIV><DIV> </DIV><DIV>My point is 2-fold: there's always someone willing to convince you they have something better that you need, and, if you don't want! to have to defend your product, don't try to push it on a list where most people know better.</DIV><DIV> </DIV><DIV> </DIV><DIV>Andrew Plato wrote:<BR>> >So the end-user is monitoring the IDS?<BR>> <BR>> >The point being that *someone* had better be monitoring the IDS in real<BR>> >time, or else it is not worth having.<BR>> Nobody can monitor an IDS in real-time. Not even a 24/7/365 shop. They just<BR>> have some guy sitting in a data-center somewhere. He watches a console.<BR>> When a red light comes on, he sends you a page. He doesn't reach into<BR>> your network and fix the machine. He doesn't do anything but TELL you<BR>> there is a problem after it has happened. And most of the 24/7/365 shops<BR>> I have looked into, don't even provide analytical support. They just <BR>> read off<BR>> the information from the IDSs vendor's help file.<BR>> <BR>> Our service isn't designed to be real-time. Its a regular maintenance a! nd<BR>> management of the information. Its also can includ! e a lot of services<BR>> 24/7/365 shops cannot do, like vulnerability scanning, on-site forensics,<BR>> system patching, etc. Stuff that does not require 24/7/365 coverage.<BR>> <BR>> Our service also focuses intensely on analysis. Reviewing the data and<BR>> making decisions based on what we see.<BR>> <BR>> > > Our service was designed to offer these places<BR>> > > expert help and peace of mind. To make sure everything is running and<BR>> > > working at optimal efficiency and capability.<BR>> > ><BR>> > Here's the problem:<BR>> <BR>> > * If you are providing real-time 24/7 monitoring (as many outsourced<BR>> > security monitoring companies do) then you are providing effective<BR>> > IDS value to a customer that lacks the expertise to have in-house<BR>> > analysts.<BR>> > * But if you are only doing the outsourced monitoring every week or<BR>> ! > so, then either the unskilled end-user is monitoring the IDS, or<BR>> > (worse) no one is monitoring the IDS. In this case, both the<BR>> > service and the IDS are of NO VALUE. They are a pure feel-good<BR>> > decoration.<BR>> The purpose of an IDS is not to give you instantaneous recovery from an <BR>> intrusion.<BR>> The purpose of an IDS is to give insight and information about what is <BR>> happening on<BR>> a network. While in a perfect world, these systems would be constantly <BR>> monitored<BR>> by a trained person - that is simply beyond what many organizations can <BR>> afford.<BR>> <BR>> Monitoring and collecting information about network activities has value <BR>> provided<BR>> it is analyzed and fed back into some kind of decision matrix. An IDS has<BR>> no value when it is not monitored AT ALL. But regular monitoring and <BR>> analysis<BR>> is what gives it value. An! d most 24/7/365 shops do no analysis at all. <BR>> They ju! st<BR>> alert. We are providing the expert analysis that can arm IT admins with the<BR>> facts they need to make intelligent decisions about their network's <BR>> security. <BR>> <BR>> > Exactly: all this does is generate peace of mind, without any actual<BR>> > security value.<BR>> <BR>> Wrong. We can catch subtle attacks and issues before they become a problem.<BR>> We can spot strange behavior that would go totally unnoticed to an untrained<BR>> IT admin and then arm them with the information to make a decision about<BR>> how to handle that.<BR>> <BR>> They can then make an informed decision about how to better secure their <BR>> network<BR>> based on FACTS not obnoxious rantings and ravings from security gurus. <BR>> <BR>> By my definition, that is security value.<BR>> <BR>> > To be clear, I'm not just bashing IDS as useless. Just pointing out that<BR>> > IDS is useless unless it is accompani! ed by human 24x7 monitoring, which<BR>> > you can either do your self, or outsource.<BR>> <BR>> > Now-and-then monitoring of IDS is not useful, because the attacker can<BR>> > do a great deal of damage before you notice it. Including change the IDS<BR>> > logs.<BR>> Very few firms have the resources to do 24/7/365 monitoring. Its simply too<BR>> expensive. An now-and-then analysis is better than none at all. At least <BR>> the<BR>> systems are being watched regularly.<BR>> <BR>> Besides, we do a lot more than merely monitor. There is IDS tuning, <BR>> optimization,<BR>> signature updating, and general analysis to insure the system is running<BR>> optimally and spitting out relevant information and not just gobs of <BR>> false positives.<BR>> <BR>> I think there is value in this, my customers find it valuable, and I <BR>> don't expect<BR>> you would find it valuable, because its not intended for you.<B! R>> <BR>> -----------------------------------<BR>> ! Andrew Plato, CISSP<BR>> President / Principal Consultant<BR>> Anitian Corporation<BR>> <BR>> (503) 644-5656 office<BR>> (503) 201-0821 cell<BR>> <A href="http://www.anitian.com">http://www.anitian.com> <<A href="http://www.anitian.com/">http://www.anitian.com/>><BR>> ------------------------------------<BR>> <BR>> </DIV><DIV> </DIV></font></td></tr></table><p><hr>Changed your e-mail? Keep your contacts! Use this free e-mail change of address service from Return Path. <a href="http://ae.excite.com/adclick/CID=00004fe770d73a7100000000/AREA=COMMUNICATIONS.EMAIL/SITE=excite/AAMSZ=1x1/POS=returnpath" target=_blank>Register now!</a> --EXCITEBOUNDARY_000__f8f250586e94a4dd565e1dc3bfabf0c1--
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 23:39:32 PDT