I have not wanted to jump on this bandwagon, but here are my 2 cents. Let's say I am a small company with 10 to 150 employees, and I know that the internet is a "dangerous" place and I have valuable data on my internal systems. My company has a very small IT budget (or no budget) because the powers that be do not want to spend money on technology. Are most of you saying that this small company should just go without any IDS or firewall because they do not have the money for it? Or would all of you agree that something is better than nothing? Then what is the problem with Anitian's solution?

I would rather see ALL companies have some form of firewall/IDS in place than have nothing at all. Even if they were only monitored once a week or month, it is better to know that you have been had a week later than to never find out and wonder, one Monday morning when you come in to work, why all of your data has been deleted.

In my opinion, if all companies had a firewall/IDS in place and a competent person monitoring the activities, the internet would not be filled up with as much junk (SPAM, servers hosting IRC and FTP sites they do not know about, etc.). For example, my company was called in to a client for the first time and their server was hosting someone else's website and an IRC chat room. This had been going on for some time, and they did not realize it until we alerted them. This would not have happened for as long as it did if they had had someone watching it, and probably not at all if the patches were in place. I would say that Anitian's solution would have been perfect for these companies.

Nick Murphy

-----Original Message-----
From: Michael Rauscher
To: crime@private
Sent: 8/29/02 10:49 PM
Subject: Re: CRIME Checkpoint versus Sonicwall

I gotta jump in here to point out that a vendor is in business to sell you something you think you need, and a good vendor (read: salesperson) will spin the status quo as not good enough, but, "I have what you really need."

If I were to walk into Anitian, or any other security vendor, and lay out my security plan as a once a month, or even once a week, log review, along with NIDS/HIDS that notifies me daily of "suspicious" activity, someone's not doing their job if they tell me that that's sufficient and there's nothing more I should be doing. My bet is you would describe my monitoring plan as inadequate, and that you have one that would allow me to sleep better at night. My point is 2-fold: there's always someone willing to convince you they have something better that you need, and, if you don't want to have to defend your product, don't try to push it on a list where most people know better.

Andrew Plato wrote:
> >So the end-user is monitoring the IDS?
> >
> >The point being that *someone* had better be monitoring the IDS in real
> >time, or else it is not worth having.
>
> Nobody can monitor an IDS in real-time. Not even a 24/7/365 shop. They just
> have some guy sitting in a data-center somewhere. He watches a console.
> When a red light comes on, he sends you a page. He doesn't reach into
> your network and fix the machine. He doesn't do anything but TELL you
> there is a problem after it has happened. And most of the 24/7/365 shops
> I have looked into don't even provide analytical support. They just read off
> the information from the IDS vendor's help file.
>
> Our service isn't designed to be real-time. It's a regular maintenance and
> management of the information. It can also include a lot of services
> 24/7/365 shops cannot do, like vulnerability scanning, on-site forensics,
> system patching, etc. Stuff that does not require 24/7/365 coverage.
>
> Our service also focuses intensely on analysis. Reviewing the data and
> making decisions based on what we see.
>
> > > Our service was designed to offer these places
> > > expert help and peace of mind. To make sure everything is running and
> > > working at optimal efficiency and capability.
> >
> > Here's the problem:
> >
> > * If you are providing real-time 24/7 monitoring (as many outsourced
> >   security monitoring companies do) then you are providing effective
> >   IDS value to a customer that lacks the expertise to have in-house
> >   analysts.
> >
> > * But if you are only doing the outsourced monitoring every week or
> >   so, then either the unskilled end-user is monitoring the IDS, or
> >   (worse) no one is monitoring the IDS. In this case, both the
> >   service and the IDS are of NO VALUE. They are a pure feel-good
> >   decoration.
>
> The purpose of an IDS is not to give you instantaneous recovery from an
> intrusion. The purpose of an IDS is to give insight and information about
> what is happening on a network. While in a perfect world these systems would
> be constantly monitored by a trained person, that is simply beyond what many
> organizations can afford.
>
> Monitoring and collecting information about network activities has value
> provided it is analyzed and fed back into some kind of decision matrix. An
> IDS has no value when it is not monitored AT ALL. But regular monitoring and
> analysis is what gives it value. And most 24/7/365 shops do no analysis at
> all. They just alert. We are providing the expert analysis that can arm IT
> admins with the facts they need to make intelligent decisions about their
> network's security.
>
> > Exactly: all this does is generate peace of mind, without any actual
> > security value.
>
> Wrong. We can catch subtle attacks and issues before they become a problem.
> We can spot strange behavior that would go totally unnoticed by an untrained
> IT admin and then arm them with the information to make a decision about
> how to handle that.
>
> They can then make an informed decision about how to better secure their
> network based on FACTS, not obnoxious rantings and ravings from security
> gurus.
>
> By my definition, that is security value.
>
> > To be clear, I'm not just bashing IDS as useless. Just pointing out that
> > IDS is useless unless it is accompanied by human 24x7 monitoring, which
> > you can either do yourself or outsource.
> >
> > Now-and-then monitoring of IDS is not useful, because the attacker can
> > do a great deal of damage before you notice it. Including changing the IDS
> > logs.
>
> Very few firms have the resources to do 24/7/365 monitoring. It's simply too
> expensive. A now-and-then analysis is better than none at all. At least the
> systems are being watched regularly.
>
> Besides, we do a lot more than merely monitor. There is IDS tuning,
> optimization, signature updating, and general analysis to ensure the system
> is running optimally and spitting out relevant information and not just gobs
> of false positives.
>
> I think there is value in this, my customers find it valuable, and I don't
> expect you would find it valuable, because it's not intended for you.
>
> -----------------------------------
> Andrew Plato, CISSP
> President / Principal Consultant
> Anitian Corporation
>
> (503) 644-5656 office
> (503) 201-0821 cell
> http://www.anitian.com
> ------------------------------------
This archive was generated by hypermail 2b30 : Fri Aug 30 2002 - 08:55:27 PDT