Monday, March 19, 2007

NSM and Intrusion Detection Differences

We had a good discussion this morning in the #snort-gui channel on irc.freenode.net. I was on my usual soap box complaining that no commercial tools provide all of the data I need to implement Network Security Monitoring, while developers and employees of a certain well-known intrusion detection system didn't understand why their product didn't meet my needs.

Sguil author Bamm Visscher cut through the argument with a very astute summary. He basically said that IDS developers want "Immaculate Detection" while NSM practitioners want "Immaculate Collection." Bamm is exactly right. From my experience I know that no detection product is 100% accurate, and that even good alerts require investigation to see what is happening and what else might be happening. IDS developers are rightly trying to improve the quality of their products, but many people interpret their avoidance of NSM collection as a sign it isn't necessary. In other words, detection can be so good that you never need to investigate. I know some IDS developers don't agree with this misplaced notion but they argue it's too expensive to collect the sorts of data I advocate. I argue that it's too expensive (in terms of damage to the enterprise) not to collect that NSM data.

I think we will see commercial solutions during the next 1-3 years that will give me the NSM data I need to detect and respond to intrusions. Already network forensic appliance vendors are publishing APIs that can be called by IDS/IPS/SIM/SEM/SIEM/etc. products for access to network traffic collected independently of any alerting mechanism. This is a great development and I can't wait to see this sort of arrangement in production.

1 comment:

Anonymous said...

Richard,

Many admins seem to be as scared of NSM type tools as they are of intrusions. They are not sure if they can secure the NSM data itself from abuse.

A funny incident with a CIO during a presentation on a future release.

We) ...So, you can do deep monitoring on your entry points into your corporate network. Pick out suspect streams, objects like images, files, voice, video, scripts, decrypt on the fly by loading server certs...

Them) Umm. We actually want to detect if such a malicious tool is running.

We) WTF?