Intrusion Detection recommendations

Mel Beckman mel at beckman.org
Sat Feb 14 01:06:04 UTC 2015


tl;dr
dc

-mel 

> On Feb 13, 2015, at 1:13 PM, "J. Oquendo" <joquendo at e-fensive.net> wrote:
> 
>> On Fri, 13 Feb 2015, Mel Beckman wrote:
>> 
>> JO,
>> 
>> IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets specific notification and logging requirements. SNORT-based systems fall into this category.
> 
> <ramble>tl;dr (even I don't read what I write)
> 
> You failed to see the snark in "military grade" crypto
> comment. This thought process is what causes many
> organizations to fail repeatedly. Relying on what the herd
> says. PCI, HIPAA, FINRA, FISMA, and all of the other
> regulatory guidelines, standards, baselines, and mandates
> spew from the manufacturing industry's ISO (BS pick your
> poisonous acronym). Call it SADHD (or Security ADHD) but I
> don't get why everyone keeps running around like dogs
> chasing their tails. 
> 
> Let's look at HIPAA where everyone is scrambling to replace
> Windows based on the word of the herd. Here is the rule:
> 
> "Unsupported and unpatched environments are vulnerable to
> security risks. This may result in an officially recognized
> control failure by an internal or external audit body,
> leading to suspension of certifications, and/or public
> notification of the organization's inability to maintain
> its systems and customer information"
> 
> Do you chuck Windows XP? It'd be easier to in theory but not
> in practice, however NO ONE EVER SAID: "thou shall chuck XP"
> (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html)
> 
> "The Security Rule was written to allow flexibility for
> covered entities to implement security measures that best
> fit their organizational needs. The Security Rule does
> not specify minimum requirements for personal computer
> operating systems"
> 
> Organizations keep relying on half-decent guidelines for
> remedies to their problems. By you thinking that you are
> going to plop in any "regulatory grade" *anything* and find
> security, you are doing not only yourself a huge disservice,
> but also to your clients. These pieces of technology (IPS,
> IDS, FWs, HIPS, NIPS, etc) are only capable of doing what
> you tell them to. Neither the Payment Card Industry, NIST,
> or even the President of your country (or Premier, or
> whatever else) should be telling you how to secure your
> organization. YOU need to know the ins and outs, take the
> proper steps and THEN use these technologies when you're
> done with your risk assessments. 
> 
> If you're relying solely on what others tell you is
> "regulatory-grade" or "military-grade" or any other kind of
> grade, you're bound to be right up there with Target, Anthem,
> Citi, JP Morgan Chase, <snip>a wikipedia-length list of
> compromised companies</snip>.
> 
> When doing pentesting work, I fill up IPS and IDS with so
> many false positives, the analysts are FORCED to ignore the
> results while I shimmy my shiny right on by. I know based on
> experience what someone is going to do when they see a
> kabillion alerts light up their dashboard.
> 
> http://seclists.org/incidents/2000/Aug/277
> 
> The approach: "Let me cater to what they say I should do"
> versus: "Let me figure out what my organization does, needs
> to do, and how to get to the proper point" is mind-boggling.
> I wish there were a statistical database of compromised
> companies, and the tools they used, frameworks they followed,
> and regulatory nonsense they needed to comply with was listed.
> Most of these regulatory mandates are based off of half-baked
> models that are partially good when followed thoroughly.
> However, they are ONLY partially good when an organization
> goes beyond the normal banter: "thou shall apply this" - Does
> not mean: plop in an IPS and call it a day. For the most part
> though, this practice of half-baked security will continue,
> vendors will make bucketloads of money, consumers of IPS/IDS
> devices will still complain how much the product sucks, and
> I as a pentester... I stay happy as it keeps me steadily
> enjoying Five Guys' burgers
> 
> </ramble>
> 
> -- 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
> 
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
> 
> 0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
> https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
