February 18, 2006

Intrusion Detection Systems in 2006

Filed under: Uncategorized — Raffael Marty @ 12:32 pm

Can you tell that I was travelling again? Gives me a chance to catch up with the security magazines that pile up on my desk. And I keep getting disappointed. Well, there were a couple of good articles I read. One from Ed Skoudis about how to secure yourself against spyware. But most of the articles are horrible.

The first thing I found is in the Information Security Magazine. Somebody had a comment about Ed Skoudis and Mike Poor’s article on “IPS: Reloaded”. This person claims that in the old world, IDSs signatures had to be tuned, but in the new world of IPSs, that’s not necessary anymore. In his words: “IPS should not be judged with old IDS standards”. So what does this guy think IPSs do different than IDSs? Do you really think that for example the CISCO IPS is a completely new product and is not based on the old CISCO IDS code at all? What about all the other IPSs? I can guarantee you that you will have to spend as much time (if not more) to tune IPS signatures as you had to spend tuning your IDS. If IPS really had the magic sauce, why would IDSs not adopt that? Forget it!

In fact, this brings me to another thought that I had while I was walking the floor at the RSA conference in San Jose this week. There are all these new companies that I have never heard of. They are presenting solutions for all kinds of problems, ranging from insider threat detection to identity management. I spent quite some time trying to understand what they are doing. What I have seen is quite disappointing. Take an insider threat management company and check what they are doing. Well, they can detect credit card records on the wire, alert you on transmissions of social security numbers (SSN) or patient health records. Sounds great. But do you know what they are doing? Right. They basically take a NIDS sensor, apply some signatures which look for SSNs or credit card numbers. In fact, one of the companies showed me their signature definition and this is what you had to enter to detect an SSN:

\d\d\d-\d\d-\d\d\d\d

Wow! Have they ever heard of regular expressions? What about:

\d{3}-\d{2}-\d{4}

This was not their worst example! Anyways. My point is that there are all these new companies that claim amazing technology, but if you look under the hood, you realize that we had the technology for YEARS! Refurbish your NIDS and you are in great shape! Why have the NIDS vendors not jumped on the wagon? I don’t know. By the way, it’s not just the insider threat companies, but also other companies. One of them sniffs the wire and decodes all kinds of application protocols to attribute user identities to IP transactions. Again, I can solve the same problem with a Sniffer. I don’t even need a NIDS for that! [Believe me, I have tried it!]

Granted, there are some new and cools things. For example companies that let you register documents and then they detect them on the wire in any variation. For example, I register my word document. Now if someone takes the document and takes a pragraph out of it or pastes it into Excel, they are still capable of detecting that the document is on the wire. That’s pretty cool!

1 Comment »

  1. Back in my day, we didn’t have \d. We had to use [0-9] and we were happy. ;)

    Comment by Adam — February 21, 2006 @ 4:18 pm

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> .