IMHO comparing pure play havior detection to IPS is like comparing apples and oranges.
NADS appears to be more similar to the old sniffer technology with the added feature of /possibly/ giving better clues as to the cause of the anomaly from a security perspective whereas the old Network General style explains from network problem perspective. Protocol anomaly at least looks more promising in the IPS space as the action capability is there. In my experience, it definitely takes time baselining... but once baslined, it could be a valuable tool (again when the action component - read IPS - is added). That whole Gartner prophecy of "IDS is dead" was referring to the idea that detection by itself is just not enough. Maybe behavior detection (NADS) might be good for forensics... but I'll take IPS wherever I can get it thank you. If one can't afford IPS... then I guess going the forensics only route is better than nothing. But even then, pure-play behavior-based solutions leaves the gap of not detecting known bad stuff. btw... even Lancope has signatures (however outdated they may be)... so even Lancope realizes the value of signatures in the security tool box. Regards, Hassan Karim, CISSP --- Joseph Hamm <[EMAIL PROTECTED]> wrote: > >Fact is, anomaly detection is so rare that it's > almost unexistant in > the commercial products, except for limited forms > >of "protocol anomaly detection" and for Arbor's > peakflow technology. > > Not true! The only reason this space hasn't gotten > as much attention > over the last few years is cause everyone was busy > buying signature IDS > and now IPS solutions. > > Pure Network Anomaly Detection players: > Arbor > Lancope > Mazu > Q1 Labs > (All of these have been around for several years > despite the lack of > industry attention to this space. Am I missing any > new ones?) > > Also, for a recent article on network anomaly > detection systems (NADS), > check out this month's Information Security Magazine > (cover story). The > NADS space (this is only the latest acronym used to > describe this group > of products), is starting to get more attention and > press coverage. You > will also find some articles that call these > products NBAD (Network > Behavior Anomaly Detection) solutions. > > Many security companies can detect "anomalies" in > some form. Almost > every security vendor has the word "anomaly" in > their marketing > literature. You need to understand what they mean > by an "anomaly" and > how they detect them. > > "protocol anomaly detection" and "network anomaly > detection" are two > different things although detecting network > anomalies can include > protocol anomalies as well. An IPS is a point > solution, usually has > limited network visibility (unless you spend a > fortune and deploy them > everywhere), and can only perform protocol anomaly > detection (from what > I've seen). In order to have the best NADS, you > need complete network > visibility and an understanding of what is "normal" > on your network. > > Rolling out NADS generally requires less appliances > than IPS (read less > cost) because one box can gather network info from > multiple SPAN ports, > network taps, or get NetFlow/sFlow feeds from remote > routers/switches. > > Kind regards, > Joe > > Joe Hamm, CISSP > Senior Security Engineer > Lancope, Inc. > [EMAIL PROTECTED] > 404.644.7227 (cell) > 770.225.6509 (fax) > > Lancope - Security through Network Intelligence(tm) > StealthWatch(tm) by Lancope, a next-generation > network security > solution, delivers behavior-based intrusion > detection, policy > enforcement and insightful network analysis. Visit > www.lancope.com. > > > -----Original Message----- > From: Stefano Zanero > [mailto:[EMAIL PROTECTED] > Sent: Monday, August 29, 2005 6:01 PM > To: Daniel Cid; Focus-Ids Mailing List > Subject: Re: IPS comparison > > Daniel Cid wrote: > > This "anomaly" detection will only detect 0-day > exploits for known > > vulnerabilities. > > A zero-day exploit is a curious marketing thing. You > suddenly redefine a > difficult problem (catching zero-days) as a rather > simpler problem > (create signatures that actually describe the > vulnerability, which is > what any signature worth your licensing cost should > do). > > So, presto!, you can rush up and put out some rather > nice marketing > material on it. > > Fact is, anomaly detection is so rare that it's > almost unexistant in the > commercial products, except for limited forms of > "protocol anomaly > detection" and for Arbor's peakflow technology. > > Best, > Stefano Zanero > --------------------------- > Secure Network S.r.l. > www.securenetwork.it > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with > real-world attacks from > CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > Send instant messages to your online friends http://uk.messenger.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
