[Discussion] What are we making?

Andre Ludwig aludwig at packetspy.com
Sun Oct 19 02:31:49 UTC 2008


I doubt the intent of the DHS is to simply do good; they are most likely 
much more focused on producing technology that allows them to 
detect/mitigate/prevent attacks against critical components.  This of 
course means detecting attacks that fly below the threshold of detection 
for today's technology.  If it comes to "doing good" or detecting state-
sponsored attacks against critical components (think custom attacks 
against unknown vulns), I'm going to go out on a limb and say they would 
rather protect the critical component vs the end user.

What you are discussing still has value and merit, but I'm not so sure it 
is what should be focused on; but of course I am not the person to 
decide such things.

Andre


Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> Question: what are we making?  Oh, yeah, I read the blurb: "The OISF has been 
> chartered and funded to build a next-generation intrusion detection and prevention 
> engine. This project will consider every new and existing technology, concept and 
> idea to build a completely open source licensed engine."
>
> OK, we're making an IDS.  But I think we need to be more specific.  In particular, 
> we need to answer the question of "who."
>
> Since the DHS has provided money, I suspect there would be an automatic 
> assumption that this is a heavy-duty device intended for use to protect major 
> servers and nodes in the critical information infrastructure.  (Whatever that 
> means.)  This kind of thing is built by professionals, for professionals.  Trained 
> people.
>
> However, given the current computing environment, I think it would be relatively 
> easy to make a case that such a device is not going to do all that much good.  That 
> a more accessible device, intended for "Grannyx" users, would actually do more to 
> protect the infrastructure.  After all, it isn't major nodes on the net that make up 
> botnets, it's the little guys.  Protect them, and you reduce the threat.  This is the 
> "low hanging fruit" for the blackhats, so protecting that crop is going to give us 
> the greatest benefit for the commitment of resources.
>
> This makes a difference.  Not, perhaps, in terms of questions about multithreading 
> analysis streams using graphics co-processors.  But certainly in most other areas.
>
> We've talked about extensibility.  If we create a standard template or format for 
> signatures, the "who" makes a difference.  Professionals need a warning and a 
> packet.  Grannyx users need a warning, no packet, a clear explanation of what and 
> how important, and a recommended course of action.  Makes a difference to the 
> template.
>
> In terms of my recommendation of a paran-o-meter, it makes a difference.  
> Actually, I see huge debates over initial settings: do we keep it low to keep from 
> crying wolf, or keep it high to keep people as safe as possible.  But one thing that 
> should be done is make the paranoia settings not-quite-obvious up front, so that 
> somebody needs to know a little about the implications before they start fiddling 
> with settings.
>
> Heck, if it's a professional device, we don't need to worry about the interface at 
> all.  If it's for Granny, we definitely do.
>
> It also makes a difference in terms of the technology to be included.  If it is for 
> professionals, we can throw in everything.  If for Granny, we need to make a 
> careful choice about maximum protection for minimum performance drain.
>
> ======================  (quote inserted randomly by Pegasus Mailer)
> rslade at vcn.bc.ca     slade at victoria.tc.ca     rslade at computercrime.org
>         I'm getting so absent-minded that sometimes in the middle of
> victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
>   
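Rob's point that the "who" changes the signature template (a warning plus a packet for professionals; a warning, plain explanation, importance and recommended action, and no packet, for home users) and that a "paran-o-meter" setting should gate what gets shown can be sketched in code. The following is an added example written for this archive page, not code from the OISF engine or from either poster; the `Alert` fields, the 1..10 paranoia scale, the severity-times-confidence scoring and the two sample alerts are all constructed assumptions.

```python
"""Added example: one alert record, two audience-specific renderings,
and a paranoia threshold gating which alerts are shown.
Names, scales and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alert:
    signature_id: int
    name: str
    severity: int            # constructed scale: 1 (low) .. 10 (high)
    confidence: float        # 0.0 .. 1.0, how sure the detector is
    explanation: str         # plain language: what happened
    impact: str              # plain language: how important it is
    recommendation: str      # plain language: what to do about it
    packet: Optional[bytes] = None   # raw evidence, professionals only


def passes_paranoia(alert: Alert, paranoia: int) -> bool:
    """paranoia 1..10 is the user-facing knob (assumed scale).
    Low = only the most severe, most certain alerts (no crying wolf);
    high = nearly everything.  Severity is weighted by confidence so a
    shaky high-severity hit and a solid low-severity hit score alike."""
    if not 1 <= paranoia <= 10:
        raise ValueError("paranoia must be between 1 and 10")
    score = alert.severity * alert.confidence
    return score >= (11 - paranoia)


def render(alert: Alert, audience: str) -> str:
    """Professionals get the terse line plus the packet as evidence;
    home users get explanation, importance and action, and no packet."""
    if audience == "professional":
        evidence = alert.packet.hex(" ") if alert.packet else "<no packet>"
        return (f"[{alert.signature_id}] {alert.name} "
                f"sev={alert.severity} conf={alert.confidence:.2f}\n"
                f"  packet: {evidence}")
    if audience == "home":
        return (f"{alert.name}\n"
                f"  What happened: {alert.explanation}\n"
                f"  How important: {alert.impact}\n"
                f"  What to do: {alert.recommendation}")
    raise ValueError(f"unknown audience: {audience!r}")


# Constructed sample alerts standing in for detector output.
SAMPLE_ALERTS = [
    Alert(1000001, "Outbound bot command channel", 9, 0.9,
          "A program on this computer connected to a known botnet controller.",
          "High: the computer is probably infected and being used for attacks.",
          "Disconnect from the network and run a full malware scan.",
          packet=b"NICK bot1234\r\n"),
    Alert(1000002, "Slow port scan", 3, 0.6,
          "Another machine probed several ports on this computer over an hour.",
          "Low: this is common background noise on the internet.",
          "No action needed if your firewall is on."),
]


def alerts_for(paranoia: int, audience: str,
               alerts: List[Alert] = SAMPLE_ALERTS) -> List[str]:
    """Filter by the paranoia setting, then render for the audience."""
    return [render(a, audience) for a in alerts if passes_paranoia(a, paranoia)]


if __name__ == "__main__":
    for line in alerts_for(paranoia=3, audience="home"):
        print(line)
    for line in alerts_for(paranoia=10, audience="professional"):
        print(line)
```

With the constructed scoring, a cautious setting (paranoia 3) surfaces only the confident high-severity alert, the maximum setting shows both, and the rendering for home users never carries packet bytes, which is the template difference the quoted message argues for.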
