Re: When to do something about detected attacks (was Re: how to do...)

From: Sheila Or Bob (depends on who is writing) (shsrmsat_private)
Date: Wed Apr 15 1998 - 16:57:21 PDT


    Hi Dan!
    
    d wrote:
    > 
    > I was going to lurk, but no sooner do I sign up, someone says...
    ><<snip>>
    > It'd be hard to think of a reasonable sounding statement about security
    > that I disagree with more - "If you don't know what you will do with data,
    > don't collect it."  I apologize if someone has already discussed this,
    > but...
    > 
    > One of my biggest criticisms of IDS's, security scanners, and security
    > programs in general is that they look for security problems, rather than
    > gathering information and process it with a security mindset.  The
    > problem, as I see it, is that people try to solve the problem by knowing
    > what the answer is before they start... and sure enough, they get their
    > answer (if fortunate), but learn zero, and the tool generally turns out
    > to be very limited, and worse yet, stays that way.
    >SNIP to save bandwidth<<
    
    Ahhh! you coerced me out of lurk mode!
    One of the ongoing discussions I had with a coworker concerned how you
    develop a profile - a user profile, a system profile, a network profile,
    as a means of determining what "normal" behavior is. We talked about
    using a content addressable memory type of approach.  But first we had
    to gather data - in an attempt to find a norm.  Gathering data was a key
    point - we could not say what was relevant!  We needed it all.  We
    figured that if we looked at the data through different "filters" we might
    find our interpretation of the data would change as we figured out what
    to look for.  We figured we needed to keep data around for awhile, maybe
    a long while.  We would be able to go back and look for nuggets in the
    data.  Is this forensics?  Is this IDS?  I think so!!  But maybe I am
    just a pack rat, with my uVaxen and PRO 380!  But, it sure sounds like
    data mining.  Can we apply "data mining" techniques with some sort of
    security policy filter to the data we capture for an IDS?  I think so.
    I think some products can do this.
    
    From my perspective, the points raised in this IDS discussion have been
    great!  Keep it up!!
    thanks!
    bob
    
    -- 
    real address is shsrms at erols dot com
    The Herbal Gypsy and the Tinker.
    
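The approach Bob sketches above (keep every field of every event, build a per-user picture of "normal" from it, and write the "filters" afterwards so you can go back over the retained data) is shown below as an added example. It is not code from the original post; the log lines, the users, the hosts and the two filters are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): "date time user host action".
RETAINED_LOG = """\
1998-04-13 09:02:11 bob uvax1 login
1998-04-13 17:45:30 bob uvax1 logout
1998-04-14 08:55:02 bob uvax1 login
1998-04-14 10:00:00 ke gateway login
1998-04-14 14:00:00 ke gateway logout
1998-04-16 02:13:05 bob pro380 login
1998-04-16 02:20:40 bob pro380 logout
1998-04-16 11:00:00 ke gateway login
"""

def parse(log):
    """Keep every field of every line; relevance is decided later, not at collection."""
    rows = [line.split() for line in log.splitlines()]
    return [{"time": datetime.fromisoformat(f"{d} {t}"), "user": u, "host": h, "action": a}
            for d, t, u, h, a in rows]

def fresh_profile():
    return {"hosts": set(), "hours": [24, -1]}  # nothing seen yet: empty hour window

def build_profiles(events, baseline_until):
    """Per-user 'normal': hosts used and the hour window seen before the cutoff."""
    profiles = defaultdict(fresh_profile)
    for e in (e for e in events if e["time"] < baseline_until):
        p, h = profiles[e["user"]], e["time"].hour
        p["hosts"].add(e["host"])
        p["hours"] = [min(p["hours"][0], h), max(p["hours"][1], h)]
    return dict(profiles)

# Filters are written after the data exists; each returns a reason string or None.
def new_host(profile, e):
    return None if e["host"] in profile["hosts"] else f"host {e['host']} not in baseline"

def odd_hour(profile, e):
    lo, hi = profile["hours"]
    return None if lo <= e["time"].hour <= hi else f"hour {e['time'].hour:02d} outside {lo:02d}-{hi:02d}"

def mine(events, profiles, filters):
    """Re-read the retained data with the current filters; returns (event, reason) pairs."""
    findings = []
    for e in events:
        profile = profiles.get(e["user"], fresh_profile())  # unknown user: everything is new
        for flt in filters:
            reason = flt(profile, e)
            if reason:
                findings.append((e, reason))
    return findings
```

Because `mine` runs over the full retained set rather than a live stream, a filter added next month can still surface the 02:13 logins from a never-seen host that nothing flagged at the time.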



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:59 PDT