Apr 09 2008
Archive for the 'IDS' Category
Jul 16 2007
You’ve got to appreciate truth in advertising
I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.
I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.
On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.
Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-secure report. Anyone else out there keep track of the spam they receive for fun?
Technorati Tags: security, spam, McKeay
Jul 10 2007
Using charities to test stolen cards
This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.
Apr 19 2007
Very interesting analysis of Sourcefire’s plan
Sourcefire has announced that the company will be expanding into a lot of new security specialties beyond Intrusion Detection and Intrusion Prevention. I think it’s a very good move for them and builds on their existing strengths, but only time will tell if it’s going to be a successful strategy. Over at SearchSecurity Nick Selby has written an interesting analysis of the Sourcefire move. I understand it a lot better having read the article.
Sourcefire’s strength has always been in analyzing network traffic, since that’s what IDS boils down to. They got a lot more in depth with their software when they introduced RNA. Adding anomaly detection, vulnerability assessment (passive or active, I wonder) and network access control is just extending that expertise even further. And, as the article notes, they’ve already got a foothold in many, many networks, which isn’t going to hurt them in the least.
Technorati Tags: security, snort, sourcefire
Apr 17 2007
Ron Gula, CTO Tenable Security at RSA
Slowly but surely I’m getting the video from RSA edited and posted. I talked to Ron Gula a number of times before, but this was the first time I’d ever gotten to meet him face to face. Given that Ron was the creator of the Dragon IDS, one of the first commercial IDSes I’d ever used, I was more than a little bashful when we talked off camera. Nowadays he’s much better known as the CTO and CEO of Tenable Network Security and for having one of the most technical security blogs on the Internet (I think Richard Bejtlich beats him, but only by a hair).
By the way, as an explanation for one of the comments I made during the interview, Larry Ellison from Oracle shunned RSA and sent one of his underlings in to give his presentation at the last moment. What a good way to show your support for the security community.
Technorati Tags: security, mckeay, Ron Gula, Tenable Network Security, Tenable
Mar 08 2007
An article on Intrusion Detection, sort of
I’m all for the convergence of technologies, otherwise I would never have become the Product Evangelist for Cobia. And I can’t think of too many technologies that are a more natural fit for convergence than IDS and NAC. Convergence is the coming wave in technology; there are too many different tools that each have separate interfaces, individual management consoles and just don’t communicate what they know with other, complementary tools. Having all of the different tools on your network tied together to provide the most comprehensive view of the network makes sense on so many levels that it has to happen, and any company that doesn’t already realize this probably won’t be at RSA in a couple of years. I think the traditional IDS will probably start to fade from the marketplace in the near future, either morphing into or being subsumed by NAC.
Maybe I’m missing the point of this article. I think it may be an attempt to redefine the definition of Intrusion Detection and broaden it to include more than just traditional IDS systems. Otherwise I don’t see how a product like Nmap could have made it onto the list. But if you’re going to try to redefine an industry standard term, then argue for the new definition; don’t try to pass it off as a basic explanation of the original term.
Technorati Tags: security, Martin McKeay, Intrusion Detection
Jan 22 2007
Snort is looking for beta-testers and giving away schwag
Ya’ know, if I still played with Snort as much as I used to, I’d be all over this. Not that I’d be able to turn in any bugs, but I’d still have fun playing with the new version. If you are an avid Snort user and can find bugs, you might get some free stuff. Let me know what it is if you make it.
Snort 2.7 beta 1 is now available for download and testing!
FEATURE HIGHLIGHTS:
* Target-based stream reassembly, including handling of TCP data overlaps and anomalous TCP header flags on a per-destination basis. 11 different target-based policies are supported. See README.stream5 for specific configuration options for operating system targets.
* UDP session tracking
* Option to emulate Stream4 flushing behaviour
* Stream5 replaces BOTH Stream4 & Flow — should disable both of these when Stream5 is enabled.
BE A BETA TESTER:
Help us make Snort a better technology and get some free Snort stuff! Since we are all looking to make Snort better, please feel free to drop us a line and let us know you’re testing. We want to be sure we have as much coverage as possible. Please submit bugs, questions, and feedback to snort-beta@sourcefire.com. Credible bug submissions will be rewarded with Snort goodies.
Get the files at http://www.snort.org/dl/prerelease/
Technorati Tags: security, mckeay, snort, IDS
Jan 15 2007
Research on: TippingPoint
I’m starting to take some notes for my interviews at RSA, and I’ll be throwing out some quick links as I find them. Here are a few of the links I’ve found on TippingPoint.
- TippingPoint leans into network threats - I thought it was interesting to find this on Core’s site.
- Tipping’s IPS Provides Unrivaled Platform - Just a touch of hyperbole there. (Note: I had to look up hyperbole to make sure I was using it correctly)
- TippingPoint Home Page
- Upchuck, Shrubbery, Bumps-in-the-wire & Alan does the “Shimmy” - Chris Hoff always delivers good stuff, but be prepared to invest a few minutes.
- A bump in the wire is a …. bump in the dark - Alan’s comment that awoke Chris Hoff.
That’s a few minutes worth of reading for you.
Technorati Tags: security, McKeay, TippingPoint
Nov 07 2006
Cited in Search Security article on the Sourcefire IPO
Bill Brenner quoted me a couple of times for a Search Security article on the possible Sourcefire IPO. Richard Bejtlich was also quoted in the article, but he was looking at the financials more than I was. I’m just confident that Sourcefire knows that the community support is largely responsible for their success. Richard’s also looking at how much money they made or lost, which is probably more important to an IPO.
Technorati Tags: security, McKeay, Sourcefire, Bejtlich
Sep 01 2006
The target was material for phishing attacks
According to the SFGate, the intrusion that AT&T reported earlier this week was not aimed at stealing credit card information; it was aimed at providing the raw data to allow the crackers to perform targeted phishing attacks on a massive scale. By seeding an email with information gathered from AT&T’s database, the phishers can add a level of authenticity that makes even some of the most suspicious people on the Internet accept an email as authentic.
This is just one more reason to never respond directly to any request from a merchant or bank that comes to you in the form of an email. As always, if you think an email alert is real, open a browser window and manually type in your bank’s URL, never click on the link in the email.
Technorati Tags: security, McKeay, AT&T, phishing
