Intrusion Detection recommendations

J. Oquendo joquendo at e-fensive.net
Fri Feb 13 20:43:00 UTC 2015


On Fri, 13 Feb 2015, Mel Beckman wrote:

> JO,
> 
> IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets specific notification and logging requirements. SNORT-based systems fall into this category. 
> 

<ramble>tl;dr (even I don't read what I write)

You failed to see the snark in the "military grade" crypto
comment. This thought process is what causes many
organizations to fail repeatedly. Relying on what the herd
says. PCI, HIPAA, FINRA, FISMA, and all of the other
regulatory guidelines, standards, baselines, and mandates
spew from the manufacturing industry's ISO (BS pick your
poisonous acronym). Call it SADHD (or Security ADHD) but I
don't get why everyone keeps running around like dogs
chasing their tails. 

Let's look at HIPAA where everyone is scrambling to replace
Windows based on the word of the herd. Here is the rule:

"Unsupported and unpatched environments are vulnerable to
security risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization's inability to maintain
its systems and customer information"

Do you chuck Windows XP? It'd be easier to in theory but not
in practice, however NO ONE EVER SAID: "thou shall chuck XP"
(http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html)

"The Security Rule was written to allow flexibility for
covered entities to implement security measures that best
fit their organizational needs. The Security Rule does
not specify minimum requirements for personal computer
operating systems"

Organizations keep relying on half-decent guidelines for
remedies to their problems. By you thinking that you are
going to plop in any "regulatory grade" *anything* and find
security, you are doing not only yourself a huge disservice,
but also to your clients. These pieces of technology (IPS,
IDS, FWs, HIPS, NIPS, etc) are only capable of doing what
you tell them to. Neither the Payment Card Industry, NIST,
or even the President of your country (or Premier, or
whatever else) should be telling you how to secure your
organization. YOU need to know the ins and outs, take the
proper steps and THEN use these technologies when you're
done with your risk assessments. 

If you're relying solely on what others tell you is
"regulatory-grade" or "military-grade" or any other kind of
grade, you're bound to be right up there with Target, Anthem,
Citi, JP Morgan Chase, <snip>a wikipedia-length list of
compromised companies</snip>.

When doing pentesting work, I fill up IPS and IDS with so
many false positives, the analysts are FORCED to ignore the
results while I shimmy my shiny right on by. I know based on
experience what someone is going to do when they see a
kabillion alerts light up their dashboard.

http://seclists.org/incidents/2000/Aug/277

The approach: "Let me cater to what they say I should do"
versus: "Let me figure out what my organization does, needs
to do, and how to get to the proper point" is mind boggling.
I wish there were a statistical database listing compromised
companies, the tools they used, the frameworks they followed,
and the regulatory nonsense they needed to comply with.
Most of these regulatory mandates are based off of half-baked
models that are partially good when followed thoroughly.
However, they are ONLY partially good when an organization
goes beyond the normal banter: "thou shall apply this" does
not mean: plop in an IPS and call it a day. For the most part
though, this practice of half-baked security will continue,
vendors will make bucketloads of money, consumers of IPS/IDS
devices will still complain how much the product sucks, and
I as a pentester... I stay happy as it keeps me steadily
enjoying Five Guys' burgers.

</ramble>

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463



More information about the NANOG mailing list