On Tue, Nov 04, 2003 at 06:39:11AM -0700, Bruce Potter wrote:

> ...incoming...

hmm... bring on flashbacks to the foo camp. i'm busy as hell today, but you had to push all the buttons, didn't ya :) ...and i'm already in a salty mood today *grin*

> I'll bite on this. How much money/effort (ie: more money) has an
> organization spent on IDS in order to detect nimda? I mean, a medium size
> org ($500MM in revenue a year) probably spent $120k on licencing, hardware
> and man power in a year to do Network IDS the Vendor Way... at least
> $120k. If the same org also had machines a year out of date on patches
> (or even _4 months_, it doesn't matter) don't you think that money would
> have been better spent on patching the machines? and I don't just mean
> tactically patching boxes, but rather coming up with an automated patching
> process, testing requirements for patching production machines, etc...

i mostly disagree here. in all practicality, you can 'win' more by throwing money at IDS's than at patching solutions. my reasons for saying this: with IDS's, you need a small group of geeks to build, deploy, maintain and monitor. the human costs are low and easy to manage. with a patching solution as you've described, there's no chance in hell of getting even a medium sized org (as you've defined medium) onto the same page wrt even agreeing on an approach with the same amount of $$ it'd take to put IDS sensors everywhere. of course that's a little exaggerated, but the point is, getting buy-in for a patching solution is TOUGH because it touches every person in the org and plenty of folks have historically gotten screwed by, say, a crappy hotfix, and are now gonna resist until placated (which takes even more $$). so all in all, i ain't buying the money argument.

> Now in an _incredibly_ uncontrolled environment (ie: Tina's nightmare, a
> university), an IDS is an effective traffic cop. You can't really
> control student and faculty workstations and your only hope is detection
> and response. That is just a fact of life in a university. But in a
> corporate environment, there's no excuse. You can use the hammer of thor
> to control workstations.... patch or be owned
>
> Seriously, how many zero-day worms have there been? <crickets chirping>
> I'm sure there will be one some day, but the current rack of IDS's will be
> just as blind to it as your admins. Keeping machines current on patch
> levels ensures that your standard issue network IDS will be absolutely
> useless.
>
> ...putting on the asbestos suit after that comment...

i'm not gonna flame, but i am gonna point out a gross over-simplification that you're using to bind your point together. any IDS system, in the hands of a reasonably clueful engineer, is a powerful generalized network monitoring tool and NOT a brain dead kiddie-detector. if you think about it, when you deploy IDS, you gotta look at where the traffic on your network goes and you tap in sensors so as to make sure you see it all. when you look at IDS infrastructure as this abstract set of machines that see everything on your network, it's pretty obvious it can be used for far more than just peeking at the douche-bag in accounting that has a blaster-infected pc.

> In short, if you spend your IDS budget on figuring out how to do patching
> right and maybe even for some external auditing of your network, you'll
> probably not see many valid hits on your IDS.
> <snip>
> At the end of the day, when I've patched my servers and workstations, I've
> pretty much put the script kiddie attacks to bed. What I really start to
> care about is directed attacks against my custom code... attacks directly
> targeted at my business. My firewall will let port 80 through to my
> webservers.. it won't stop it. And my IDS has NO idea how my web app
> works, so it doesn't care.

i think your point may be a little short-sighted. i'd wager dollars to donuts that the majority of folks in security at a medium to large org would tell you patching machines isn't a task, it's a process. you're NEVER completely patched. it's just too damn tough to get 100% coverage, so instead you create a patching and auditing process to make sure you keep your org in the higher percentile. so what do you do when you have a worm/general-malware and you're only 99% patched? just guess which 100 out of your 10,000 machines are infected?

as for directed attacks, you still get a lot of use out of IDS. for the 'expert' hackers that attack you, you're in trouble. IDS ain't gonna help too much. but for EVERY other directed attack, IDS will help. you find a web app that got own3d or something, you put in an IDS sig for that attack. your point assumes that at that stage all your attackers have divined that you patched it up on all of your machines and they'll never attempt it ever again. in my experience, that's clearly a crock. attackers almost ALWAYS attempt some of their old tricks and an IDS will dutifully report the attempts along with all the info you'd need to tell law enforcement the story.

> It always amazes me how much money an organization will spend on IDS
> without having the slightest clue what is really running in their
> datacenters and what a targeted attack would even look like.

i think i halfway agree with you here. but get this: with IDS deployed, you can easily put in a passive fingerprinting tool on each sensor and know that ALL your traffic will get tagged and within a day, you'll have your inventory done ;)

another big point of mine pertaining to IDS is their use as policy enforcers. if you wanna make a policy that says 'no one shall use telnet in the clear', you better be able to back it up. the quickest way to having everyone ignore your policy is to not enforce it. with IDS, you've got the ability to monitor for a wide variety of crappola that may violate policy. then you can go deliver religion to some SAs rather than let them snicker at all your policies since 'they'll never find out'. in fact, i'd wager that if they get away without you enforcing the more mundane policies, they're not gonna care much about trying to adhere to your patching policy. .... but i'll spare you my theory that IDS makes the patching process effective

> Anyhoo, I'm ranting. I better stop...

why does it seem like we're always arguing about this :)

pravir chandra.

-- 
Pravir Chandra              | You can't run an army without profanity;
Email: chandra@private      | and it has to be eloquent profanity. An
PGP ID: 338E16E4            | army without profanity couldn't fight
CE60 0E10 9207 7290 06EB    | its way out of a piss-soaked paper bag.
5107 4032 63FC 338E 16E4    |   -- General George S. Patton

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
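The two IDS uses Pravir describes above, policy enforcement ('no one shall use telnet in the clear') and passive inventory of what is actually running, are easy to show in code. The following Python is an added example written for this archive page; it is not code from the thread, from either poster, or from any IDS product. It assumes a constructed, simplified per-flow connection record (timestamp, source, source port, destination, destination port, protocol, bytes) standing in for whatever a sensor exports, and it generalizes the telnet rule to a small table of cleartext login services (rlogin and rsh are this example's addition, not something the thread mentions).

```python
"""Added example: IDS-style policy checks and passive inventory over sensor
flow records. Not from the original mailing-list thread; the record format
and the sample data below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sensor records, not real traffic. One TCP flow per line:
# timestamp src_ip src_port dst_ip dst_port proto bytes_exchanged
SAMPLE_CONN_LOG = """\
2003-11-04T06:41:02 10.1.2.17 51234 10.1.9.5 23 tcp 842
2003-11-04T06:41:05 10.1.2.17 51240 10.1.9.5 22 tcp 5120
2003-11-04T06:42:11 10.1.3.44 40011 10.1.9.8 80 tcp 1299
2003-11-04T06:42:30 10.1.3.44 40012 10.1.9.8 443 tcp 7788
2003-11-04T06:43:01 10.1.5.9 33201 10.1.9.5 23 tcp 55
2003-11-04T06:43:07 10.1.5.9 33202 10.1.9.12 25 tcp 2048
2003-11-04T06:44:00 10.1.2.17 51250 10.1.9.12 23 tcp 0
"""

# Policy: services that carry credentials in the clear are banned. Telnet is
# the one named in the thread; rlogin/rsh are this example's generalization.
CLEARTEXT_PORTS = {23: "telnet", 513: "rlogin", 514: "rsh"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Violation:
    ts: str
    src: str
    dst: str
    service: str
    kind: str  # "session" (payload exchanged) or "attempt" (no payload seen)


def parse_conn_log(text):
    """Parse the constructed flow-record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def find_policy_violations(flows, banned=CLEARTEXT_PORTS):
    """Flag every TCP flow to a banned cleartext service, oldest first.
    A zero-byte flow is still reported (someone tried), but tagged as an
    attempt so the report distinguishes a real session from a refused one."""
    out = []
    for f in flows:
        if f.proto != "tcp" or f.dport not in banned:
            continue
        kind = "session" if f.nbytes > 0 else "attempt"
        out.append(Violation(f.ts, f.src, f.dst, banned[f.dport], kind))
    return sorted(out, key=lambda v: v.ts)


def violations_by_source(violations):
    """Count violations per client: the list of SAs who need 'religion'."""
    counts = defaultdict(int)
    for v in violations:
        counts[v.src] += 1
    return dict(counts)


def passive_inventory(flows):
    """Server -> set of TCP ports that actually exchanged data. Only flows
    with payload count, so a refused connection does not invent a service."""
    inv = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.nbytes > 0:
            inv[f.dst].add(f.dport)
    return dict(inv)


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    for v in find_policy_violations(flows):
        print(f"{v.ts} POLICY {v.service} {v.kind}: {v.src} -> {v.dst}")
    for host, ports in sorted(passive_inventory(flows).items()):
        print(f"inventory {host}: {sorted(ports)}")
```

On the sample data this reports three telnet violations (two real sessions and one refused attempt) and an inventory that lists 10.1.9.5 as serving ssh and telnet, 10.1.9.8 as a web server, and 10.1.9.12 as mail only, since its telnet connection carried no data. In a real deployment the same two functions would run over whatever flow export the sensor produces, and the inventory is what lets you stop guessing which hosts to check when a worm lands on the 1% you have not patched yet.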
This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 14:06:21 PST