Personally, nowadays I’m less satisfied with running traditional IDS like Snort because I really have no idea how effective it is at actually finding anything. It’s still important as a kind of “security blanket” – in some companies it’s important to demonstrate you’ve done all you can if there is an incident, but it can contribute to a false sense of security (could this be part of Sony’s problem, which besides the landmark hacking in the news today has a long history of various networking and coding incidents?)
Thank you very much, Tsu. I sort of agree from the Network Security Professional (which I’m not) point of view - I’m just a user. But we did have one corporate run-in with a virus (or something) which shut down the company for a few days. Back in those days, folks used to turn off their Norton Antivirus to gain performance. I never turned mine off because of paranoia - so my computer actually caught the virus and sequestered it, so I was protected. Most folks were not. So my motto now is to use all available background protection systems. Snort is basically an antivirus-like thing that listens to the network, which McAfee does not. The more senses you have, the better. Also, Krebs mentioned the Snort signature of the bot which emptied Sony. That’s a pretty big vote for Snort, in my eyes.
So, my personal 2-pronged strategy today is:
- Using Big Data type tools (Hadoop type) to collect and analyze data. Only this kind of data collection can store the enormous amounts of data needed for adequate detection and analysis; no traditional normalized database can hold this kind of quantity and perform search/analysis adequately. The problem today is that although you can search for anything you want to, that requires fore-knowledge. If you *really* want to extract information about the data you need to perform analysis, and today the tools are in the process of being built; nothing is really ready for prime time yet. But, we’re getting there… similar analysis discovering financial fraud going over a decade or more of historical data can be re-applied to network analysis. The diff between this and something like Snort is that you might or might not write rules; you can also ask the analysis engine to mine for new patterns (rules) on its own.
- Nowadays, I put more faith in pen(etration) testing. This requires knowledge and deep understanding of the network, content on the network and applications (services). From that, you can do targeted investigations for vulnerabilities. Instead of sniffing and filtering all network traffic, the pen tester methodically hardens parts of the network.
I’m not saying that Snort should not be used; it’s a practical solution for those on a budget and maybe also a good backstop for things that may be overlooked. At least if it catches something in progress you hopefully would catch the problem in a timely manner instead of discovering what has happened only after your entire company has been emptied like Sony.
TSU
I think this is a great idea, but I have nowhere near enough technical skills to do this. I’m a scientist, not IT. I am guessing this is what my IT department is doing. If I never find anything with Snort, that is great! But after taking graduate level classes in crypto and cybercrime, I realized it would be remiss of me not to run Snort on LANs I access. So I content myself with being backstop and maybe, just maybe, finding that one small thing which was overlooked.
I remember reading about Hadoop. It came up in our cybercrime class. But the bad guys are now doing “big data” and corporate organization - whereas the McAfee’s are still stuck doing essentially the same things they did in the 90’s. The main goal for Snort is my home LAN, but if I can figure out how to get it going, I’d prolly run it on the work LAN also. That’s how Torpig was found, yes? (small-time folks stumbling onto something unknown). My main goal is to avoid being botted/rootkitted - and that sort of thing is most likely coming to Linux in a big way in the future, although I’ve seen recent writeups that the bad guys’ tactics seem to be shifting again… this time toward money-starved server systems and abandoned IPs.
A battle is a-brewing. We need a good way to deny resources to the bad guys before they get so big that they take over the key organizations. History has shown over and over that denial of resources is a good way to “contain” the bad guys’ ability to do bad.
Patricia