On Fri, Jun 26, 2009 at 4:14 PM, Stefano Zanero<[email protected]> wrote: >>> Not for nothing but #2 is exactly what Sourcefire's been doing since >>> 2004. Sorry for the commercial but I think I've been pretty outspoken >>> on this topic since 2000 or so... > >> Well, I guess I have to pipe in also, then. Cisco is doing the same. Read >> my book "Security Monitoring with CS-MARS" for more info. > > Sorry Marty, sorry Gary, I love both products, but they are not even > close to realizing what Greg asked for :)
They may not even be close to being able to detect if an attack was actually successful but they're tremendously better than the status quo. It's pretty easy to look at the Verizon data and see that: a) People can't tune their sensors. b) People can't do even basic analysis of the event loads that result. c) People don't know what's on their networks and how its configured or how its changing which makes a) virtually impossible. Automated tuning reduces the data loads up front and also makes the sensors harder to evade when done properly. Back-end impact analysis tremendously improves the signal to noise ratio which in turn makes the event loads something that humans can deal with. > Of course, they do reduce "false positives/noncontextual > alerts/whatevers", and so they are to be commended, but knowing "if the > attack has been successful" is actually way beyond anybody's capability, > short of a crystal sphere :) Exactly, but then again perfect is the enemy of good enough. I prefer to give people solutions that make their quality of life better today than do nothing because it's not perfect. Marty -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source IDP - http://www.snort.org ----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
