This stuff called NBA (network behaviour analysis) has been around for years (but CW thinks it’s new... read on), and while I acknowledge the intelligence of the guys who build these systems, from a programming perspective only and in terms of what could be, they have gone relatively nowhere in the last 6 years. Think heuristic antivirus technology: big talk circa 1995, and where is it today? Any difference?
The following quote from this story in Computerworld, stupidly titled “NBA: Your last line of defence”, pretty much inadvertently says it all. (If we solved the problem described below in the quote, the technology would be redundant anyway!) (Addition: this CW link seems to no longer work, so go to Network World for the story.)
“As with all solutions of this type, there are false positives,” says Sourcefire customer Jason L. Stradley, director of security architecture at TransUnion in Chicago. “Dealing with false positives successfully is based on several components. First is to have a platform that can learn certain things on its own and combine that with a capability of being taught other things by an operator. The other components are not technological, but procedural.”
In order to get the most out of any security monitoring solution, adds Stradley, organizations must have a process to analyze all events, including false positives. Then, they must have the discipline to work with the system to tune it. When an event causes an alert to be generated by the system, it’s very likely that event will be something outside of the norm and it should be investigated as soon as possible. Without this organizational discipline, implementation of any product will fail.”
Gees, this takes it beyond the already neglected IDS/IPS/firewalls and suggests, well, let’s really complicate it further, spend more money uselessly and pretend we’re actually doing something really good here!
Good luck to the vendors of these products, but let’s be serious... give me a case study of where the investment here has paid off. The whole article is an insult to the intelligence of any half smart/decent IT Security Manager.
There are just so many reasons why this does not and will not work anywhere that you could dedicate pages to explaining it... but it’s not worth wasting my time. Surely Google has a shitload of pages on why heuristic virus detection has never worked... same thing in principle! I can’t even be bothered to confirm that because I am sure it’s there... but knock yourself out.

Haha. I like it.
Instead of using things like firewalls (they’re too _rigid_ anyway!) and proxies to block and filter all traffic, and because we don’t know what’s plugged in and how it works (and it’d be actual work to find out), let’s just get this system to alert/intervene if something NEW happens. YAY. Awesome. No need to get rid of the 10/8 internal networks now, guys. To the pub!
The products that claim to do the same thing at a protocol level are impressive, too. It’s amazing how a network appliance can understand hundreds, if not thousands of protocols, without introducing new vulns into your infrastructure. Even though very few pieces of software can correctly interpret the handful of protocols they’re designed to use.
Security certainly is going to be fixed soon.
Delusional vendor response to the new link posted:
http://www.networkworld.com/community/node/22840#comment-174938
Who are they deluding?
“Complete visibility allows customers to get ahead of the problems before they become a serious issue,” says Paul Stamp, principal analyst at Forrester Research. “Difficult behaviors to detect, such as walk-in worms, configuration failures, and spiteful insider attacks are prime examples of an NBA’s efficiency.”
He adds, “After firewalls and appropriate processes for tuning, analysis and remediation are deployed; it’s left to the NBA tools to identify these threats. With NBA technology, a clearer visibility into ‘normal’ is automatically computed and available, but it also alerts users when the ‘abnormal’ occurs.”
–
What on earth is a “walk-in worm”? Configuration “failures”: that’s pretty meaningless and vague. Needs more acronyms please, Mr. Marketing!
Blahhh... I’d like to find out where all these babbling morons get their ridiculous doublespeak. Every time I read a mainstream security article lately, I seem to learn about a new category of ill-defined and yet oh-so-critical threats (with scary acronyms) that are all the rage in the hacker underground... apparently...
I’m yet to see any “walk-in worm” tools appear on any hacker sites. Maybe I’m just out of the loop...
IMO these snakes are practically creating the threats out of thin air, generating hype and fear, confusing and misdirecting with nonsensical jingo and meaningless bizspeak, and then offering up another mess of acronyms and buzzwords to counter these convoluted and contrived non-threats for like $100 a seat.
It all appears to have little to do with the realities of modern hacking/hackers... rather, it’s more likely the typical US style of dumbed-down infomercial sales techniques we see creeping into every industry... the problem -> reaction -> solution, fear -> spend -> feelgood methods that work so amazingly well on these robotic TV-spoiled “educated” know-nothings who are now, increasingly / tragically, falling back-asswards into positions of influence over the purse-strings of big business.
“Well hey, this chatty security salesman is awfully smart and sure knows lots of big words! I would be far too embarrassed to stop him mid-sentence and ask him just what the fuck a ‘heuristic behavioural analysis engine’ does that makes it worth more than hiring a couple of skilled sec admins for a year or two... I’m probably supposed to know what all these things stand for... argh!! More acronyms and complex nerd-words to memorize! When will it end!? Argh, my brain hurts... please, just stop with the crazy moon-language... here! Just take my money so I can tick off this box and be done with the whole security thing for a while! Argh! Please! Just take it!”
Is it time for those of us who actually have an insight into the underground to start calling these jerks on their bullshit? Or do we just give up and start throwing in a free set of steak knives with every pentest sold? Just three easy payments of $99.95! Buy now and pay nothing until January 2009! Don’t let your network get “pwned” this Summer! Order your introductory KiddyStop E-Defender Security Kit now using your credit card and we’ll send you this free Blackhat(tm) wine cooler bag and matching parasol, so you’ll be keeping your cool … when things really start to heat up! Tired of being a newbie? Become a cluebie! KiddyStop!
The response to the story from the vendor chief technology strategist is what you would expect. Related post:
http://beastorbuddha.com/2007/10/16/integrity-of-annoucing-new-silver-bullets/#comments
JM, lol... I believe we need to call a spade a spade and be forward with our opinions. Gees, we see it every day at clients, and no doubt you do also, knowing who you are. Why did you buy that? Security person: “We don’t know”... the decision came from elsewhere!