Yeah, to be honest, I dun really envy my Boss's job. Even though I'm involved in only a small portion of it, I can imagine what it would be like in that position. With all the budgeting, review reports, strategic planning, implementation plans, action plans, all those management thingies require a different mindset and skill set altogether (and yeah, implementing those plans is another tough challenge that they need to face). Lol, looking at how wifey handles her job and the stress that comes with it is another lesson learned for me tho. Hehehe.

Anyway, if the plan MATERIALIZES, I have to start thinking about how to perform those tasks. Of course, only now do I realize how valuable the management subjects I learned during my ICSA days are. Anyway, whether the plan materializes or not, I still do what I think I have to do (:P) as from my view, if nothing significant happens NOW, at the end of the day I will be the SUPERMAN (need to do everything maa). Materialize or not, those are the challenges that I need and have to face. Fingers crossed and hopefully I can achieve all my targets and plans.

Is Monitoring still relevant if they are going to implement IPS?

That's one of the questions posed by my big Boss that really attracted my attention to answer (as usual my Big Boss always gives a series of good topics for our discussion, which I really appreciate. It gets my brain working and somehow I do feel that I gain something valuable from these types of discussions, even though it is via email).

So this is my reply:

Interesting question tho. Of course, as one of the believers that Prevention Eventually Fails, I believe that the existence of IPS should never reduce the importance of detection. (Anyway, before it can prevent, it has to detect first ;)

Bejtlich says that Prevention Eventually Fails because of the characteristics of intruders: they are unpredictable, and some of them are smarter than the defender.
Marcus Ranum says that Security is when people stop doing something stupid, and from his thoughts: "tell me what is so 'deep' about knowing how to block 31 attacks?" Even though that article is more about DPI capabilities in firewalls, IMHO it applies just as well to perimeter security devices that incorporate an IPS function.

And this is my thought:

Security is a process of reducing risk to an acceptable level. This risk is reduced by fulfilling the security process, which is Assessment, Protection, Detection and Response. Not long ago, organizations used to say that their network was secure when they had firewalls installed, and then, when people realized that firewalls only deal with layers 2, 3 and 4, IDS was introduced as an early warning detection system. And some smart guys thought, "if we can detect, why not prevent the attacks as well?" Hence IPS was introduced to the market. IPS is more like giving those perimeter security devices a view of what is happening above layer 5. And of course, IPS, like its predecessor IDS, relies for most of its detection/prevention mechanism on signature-based rules for known attacks. Whether the signature captures the exploit or the vulnerability is another issue.

Totally depending on these perimeter security devices (IPS/Firewalls/Proxy etc.) is not a wise idea. Why? How can you prevent attacks from unpredictable and smarter attackers? How can you prevent attacks that target unpublished attack vectors and vulnerabilities?

OK, I can hear some of you arguing that in the case of 0-dayz attacks, even IDS will fail to produce alerts. Now let's discuss a lil bit about Detection.

The Detection process consists of Collection, Identification, Validation and Escalation. Let me focus on the Collection process. There are reasons why having alert data, session data, statistical data and full content data is the most ideal way of collecting network-based information to assist the analyst in the Identification process. Anyway, we must also be aware that collecting everything is ideal but problematic, BUT to quote from Taosecurity:

“The advantage of collecting as much data as possible is the creation of options. Collecting full content data gives the ultimate set of options, like replaying traffic through an enhanced IDS signature set to discover previously overlooked incidents. Rich data collections provide material for testing people, policies, and products. Network-based data may provide the evidence to put a criminal behind bars.”

and

“NSM’s answer to the data collection issue is to not rely on a single tool to detect and escalate intrusions. While a protocol analyzer like Ethereal is well suited to interpret a dozen individual packets, it’s not the best tool to understand millions of packets. Turning to session data or statistics on the sorts of ports and addresses is a better way to identify suspicious activity.”

Let's imagine 3 scenarios:

Without IDS
An attacker attacks using 0-dayz exploits exploiting 0-dayz vulnerabilities on a workstation. He bypasses the firewalls, the attack patterns don't match any rules in the IPS, and no blocking action is taken. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

With IDS but without a proper Collection Process
An attacker attacks using 0-dayz exploits exploiting 0-dayz vulnerabilities on a workstation. He bypasses the firewalls, the attack patterns don't match any rules in the IPS so no blocking action is taken, and the attack patterns don't match any rules in the IDS so no alerts are triggered. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

With IDS and a proper Collection Process
An attacker attacks using 0-dayz exploits exploiting 0-dayz vulnerabilities on a workstation. He bypasses the firewalls, the attack patterns don't match any rules in the IPS so no blocking action is taken, and the attack patterns don't match any rules in the IDS so no alerts are triggered. The victim complains and we can start investigating with the available data. We update the signatures and perhaps feed them to the IPS and IDS, plus the information gathered can be used for legal purposes.

The Detection Engine is perhaps the main component of an IDS. Its alerts will be the main indicators of suspicious events that either occurred (compromise), are ongoing (exploitation), or will happen (vulnerability scanning), depending on the phase of compromise. For an analyst to perform his Identification process (whether to categorize the suspicious event as normal or malicious) he needs all available resources and information to help his analysis. The main problem with IDS is the rate of false positives. The only way to reduce it is by fine-tuning our rules to suit our client's environment, and of course we require our client's inventory lists covering the assets that we monitor. It is easy to defend or monitor something that you know and are aware of.

I never said that we should abandon IPS or any preventive measures. As I've stated before, Security is about reducing the risk of being compromised, so we have to incorporate all security measures that may deter potential intruders or attackers from launching or continuing their attacks. I dun believe in depending on one security product or only one security measure, as anyone who believes that his network is secure because he has such and such products implemented in it is managing his security based on belief and not on facts, which in the end will fail spectacularly.

And of course, why does a building that has biometric-enabled access doors, access cards and security guards still need CCTV?

Quite long eh? Anyway, I would be grateful if any of you guys have any other opinions on this matter.

p/s: I’ve censored any sensitive/confidential statement tho ;)