Re: [logs] Re: [TSG] intrusion detection and log analysis [was: book advice]

From: Bennett Todd (bet@private)
Date: Tue Nov 04 2003 - 10:34:40 PST


    2003-11-04T08:39:11 Bruce Potter:
    > How much money/effort (ie: more money) had an organization spent
    > on IDS in order to detect nimda? [...] If the same org also had
    > machines a year out of date on patches (or even _4 months_, it
    > doesn't matter) don't you think that money would have been better
    > spent on patching the machines?
    
    It's not an either/or thing.
    
    Yup, an enterprise can and should blow a couple hundred grand and
    get some IDS out there. Been there, done that, got good value out of
    it.
    
    Yup, an enterprise should commit some couple hundred grand (if they
    use no Windows) to solve the patching problem completely. If you
    have a bad Windows infestation, plan on spending millions on
    combined manpower and loss-of-service, every year, and you'll still
    have machines left unpatched for months or years, for some patches.
    
    > Seriously, how many zero-day worms have there been? <crickets
    > chirping> I'm sure there will be one some day, but the current
    > rack of IDS's will be just as blind to it as your admins.
    
    Depends on the IDS. Check out what Mazu Networks is doing, they make
    a convincing case that they can robustly detect and alert on ---
    even automatically block, if you wish to enable it --- a zero-day
    worm. They do an awful lot more, too; as a network configuration
    maintenance and audit tool it's pretty impressive. Sadly, it costs.
    Boy does it cost.
    
    > In short, if you spend your IDS budget on figuring out how to do
    > patching right and maybe even for some external auditing of your
    > network, you'll probably not see many valid hits on your IDS.
    
    A budget that's luxurious for IDS is pitifully inadequate for
    patching. Big enterprises routinely plan in the neighborhood of $50K
    to test and deploy a single patch across their Windows systems.
    
    -Bennett

    _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
    This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 14:11:02 PST