<div dir="ltr">I'm guessing that the intent is to be the "detection" component of the Trusted Internet Connection (TIC) (<a href="http://taosecurity.blogspot.com/2007/12/feds-plan-to-reduce-then-monitor.html">http://taosecurity.blogspot.com/2007/12/feds-plan-to-reduce-then-monitor.html</a>), in which the mandate is to protect all federal assets, especially the federal desktop environment. Even if DHS has different goals, I think that this group could do a great service by providing the TIC's protection geared toward the client-side, and I think for most sectors, that's where the most imminent threats lie. Again, I'm certainly not saying that defending servers is out of scope, just that IDS has historically been about defending servers as the primary goal, with clients secondary, and I think that needs to be reversed now.<br>
<br>--Martin<br><br><div class="gmail_quote">On Sat, Oct 18, 2008 at 9:31 PM, Andre Ludwig <span dir="ltr"><<a href="mailto:aludwig@packetspy.com">aludwig@packetspy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I doubt the intent of the DHS is to simply do good, they are most likely<br>
much more focused on producing technology that allows them to<br>
detect/mitigate/prevent attacks against critical components. This of<br>
course means detecting attacks that fly below the threshold of detection<br>
for todays technology. If it comes to "doing good" or detecting state<br>
sponsored attacks against critical components (think custom attacks<br>
against unknown vulns), i'm going to go out on a limb and say they would<br>
rather protect the critical component vs the enduser.<br>
<br>
What you are discussing still has value and merit but im not so sure it<br>
is what should be focused on, but of course I am not the person to<br>
decide such things.<br>
<font color="#888888"><br>
Andre<br>
</font><div><div></div><div class="Wj3C7c"><br>
<br>
Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:<br>
> Question: what are we making? Oh, yeah, I read the blurb: "The OISF has been<br>
> chartered and funded to build a next-generation intrusion detection and prevention<br>
> engine. This project will consider every new and existing technology, concept and<br>
> idea to build a completely open source licensed engine."<br>
><br>
> OK, we're making an IDS. But I think we need to be more specific. In particular,<br>
> we need to answer the question of "who."<br>
><br>
> Since the DHS has provided money, I suspect there would be an automatic<br>
> assumption that this is a heavy-duty device intended for use to protect major<br>
> servers and nodes in the critical information infrastructure. (Whatever that<br>
> means.) This kind of thing is built by professionals, for professionals. Trained<br>
> people.<br>
><br>
> However, given the current computing environment, I think it would be relatively<br>
> easy to make a case that such a device is not going to do all that much good. That<br>
> a more accessible device, intended for "Grannyx" users, would actually do more to<br>
> protect the infrastructure. After all, it isn't major nodes on the net that make up<br>
> botnets, it's the little guys. Protect them, and you reduce the threat. This is the<br>
> "low hanging fruit" for the blackhats, so protecting that crop is going to give us<br>
> the greatest benefit for the commitment of resources.<br>
><br>
> This makes a difference. Not, perhaps, in terms of questions about multithreading<br>
> analysis streams using graphics co-processors. But certainly in most other areas.<br>
><br>
> We've talked about extensibility. If we create a standard template or format for<br>
> signatures, the "who" makes a difference. Professionals need a warning and a<br>
> packet. Grannyx users need a warning, no packet, a clear explanation of what and<br>
> how important, and a recommended course of action. Makes a difference to the<br>
> template.<br>
><br>
> In terms of my recommendation of a paran-o-meter, it makes a difference.<br>
> Actually, I see huge debates over initial settings: do we keep it low to keep from<br>
> crying wolf, or keep it high to keep people as safe as possible. But one thing that<br>
> should be done is make the paranoia settings not-quite-obvious up front, so that<br>
> somebody needs to know a little about the implications before they start fiddling<br>
> with settings.<br>
><br>
> Heck, if it's a professional device, we don't need to worry about the interface at<br>
> all. If it's for Granny, we definitely do.<br>
><br>
> It also makes a difference in terms of the technology to be included. If it is for<br>
> professionals, we can throw in everything. If for Granny, we need to make a<br>
> careful choice about maximum protection for minimum performance drain.<br>
><br>
> ====================== (quote inserted randomly by Pegasus Mailer)<br>
> <a href="mailto:rslade@vcn.bc.ca">rslade@vcn.bc.ca</a> <a href="mailto:slade@victoria.tc.ca">slade@victoria.tc.ca</a> <a href="mailto:rslade@computercrime.org">rslade@computercrime.org</a><br>
> I'm getting so absent-minded that sometimes in the middle of<br>
> <a href="http://victoria.tc.ca/techrev/rms.htm" target="_blank">victoria.tc.ca/techrev/rms.htm</a> <a href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank">blogs.securiteam.com/index.php/archives/author/p1/</a><br>
> _______________________________________________<br>
> Discussion mailing list<br>
> <a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
><br>
><br>
<br>
_______________________________________________<br>
Discussion mailing list<br>
<a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
</div></div></blockquote></div><br></div>