[Discussion] What are we making? -- FUNDING

Matt Jonkman jonkman at jonkmans.com
Sun Oct 19 16:17:20 UTC 2008


Very good question. Comments inline:

Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> Question: what are we making? 

> OK, we're making an IDS.  But I think we need to be more specific.  In particular, 
> we need to answer the question of "who."
> 
> Since the DHS has provided money, I suspect there would be an automatic 
> assumption that this is a heavy-duty device intended for use to protect major 
> servers and nodes in the critical information infrastructure.  (Whatever that 
> means.)  This kind of thing is built by professionals, for professionals.  Trained 
> people.

I should explain how we got to this point in our funding. It'll shed
a lot of light.

A year or more ago Victor, Will and I had the idea that we wanted to do
more with Snort than we could. Not just faster or more complex
signatures, but very different ideas. Like what we've all been talking
about on the list to date.

We wanted to modify Snort originally, but contributing to it is a
significant challenge, as these would be major changes to its
development goals. Now snort 3 is on the table. Snort and Snort 3 are
Sourcefire products, and they SHOULD be. SF dumps huge money into
development and they need that money to buy them a tool that will 100%
satisfy their commercial needs. Which it should. SF is a company and has
always been generous to the community. But they don't owe us anything,
nor we them (unless you're a customer of theirs, then you may owe them
something :) ).

Very few of the things we wanted to go after were going to be immediate,
or possibly ever, commercially interesting. What I mean by "commercially
interesting" is that if you invest 500k in coding feature X there will
be a 10 million dollar return selling it over 5 years. Thus the 500k
investment is worthwhile considering the risk of failing to produce
feature X.

So we sat on the ideas for a bit not having the means to go forward, but
eventually when the emerging threats grants came through to keep that
project alive we got to know the folks that had money to grant out.
Eventually we got our ideas heard by our guy at DHS. He liked the ideas
and here we go. (a year later after some "interesting" bureaucracy :) )

I want to make clear what this grant is. Knowing how we got here helps,
but knowing what the grant is for is more important. That blurb in the
press release "The OISF has been chartered and funded to build a
next-generation intrusion detection and prevention engine" is true. And
that's about all we were chartered to do! Literally. That's a cut and
paste from the paperwork.

Let me explain that further. We weren't contacted by DHS to go out and
build product X to satisfy a need for Einstein II, or any other gov't
tool. We were not asked to go out and explore the feasibility of
technology or idea X by DHS and bring back a paper on it.

We approached DHS with our ideas. We talked to only one person there, a
very forward thinking program manager with a research grant budget he is
supposed to apply to good things. He liked our ideas, didn't modify or
change them, and has set us loose with the budget we asked for!

Sorry for the long winded way to get here, but I thought it important
that the community understands the intent of DHS. Their intent was to
let us as a community explore these ideas and produce a new way to
approach network security. If the resulting engine helps DHS (and other
gov't agencies) I'm sure they'll adopt it. But we're not building
anything specifically FOR them, or anyone. We've got resources to use
for us, the community in general. Our mandate is essentially to "go do
something good, send in your receipts when you're done".

I hope that helps explain what we're up to, and why it's so important
that we get all of our ideas out there.

Making this a separate thread as I'd like to talk about other things as
well...

Matt

> 
> However, given the current computing environment, I think it would be relatively 
> easy to make a case that such a device is not going to do all that much good.  That 
> a more accessible device, intended for "Grannyx" users, would actually do more to 
> protect the infrastructure.  After all, it isn't major nodes on the net that make up 
> botnets, it's the little guys.  Protect them, and you reduce the threat.  This is the 
> "low hanging fruit" for the blackhats, so protecting that crop is going to give us 
> the greatest benefit for the commitment of resources.
> 
> This makes a difference.  Not, perhaps, in terms of questions about multithreading 
> analysis streams using graphics co-processors.  But certainly in most other areas.
> 
> We've talked about extensibility.  If we create a standard template or format for 
> signatures, the "who" makes a difference.  Professionals need a warning and a 
> packet.  Grannyx users need a warning, no packet, a clear explanation of what and 
> how important, and a recommended course of action.  Makes a difference to the 
> template.
> 
> In terms of my recommendation of a paran-o-meter, it makes a difference.  
> Actually, I see huge debates over initial settings: do we keep it low to keep from 
> crying wolf, or keep it high to keep people as safe as possible.  But one thing that 
> should be done is make the paranoia settings not-quite-obvious up front, so that 
> somebody needs to know a little about the implications before they start fiddling 
> with settings.
> 
> Heck, if it's a professional device, we don't need to worry about the interface at 
> all.  If it's for Granny, we definitely do.
> 
> It also makes a difference in terms of the technology to be included.  If it is for 
> professionals, we can throw in everything.  If for Granny, we need to make a 
> careful choice about maximum protection for minimum performance drain.
> 
> ======================  (quote inserted randomly by Pegasus Mailer)
> rslade at vcn.bc.ca     slade at victoria.tc.ca     rslade at computercrime.org
>         I'm getting so absent-minded that sometimes in the middle of
> victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

