Home > Information Security Magazine > Features > A Safe Bet?
EMAIL THIS LICENSING & REPRINTS
Information Security Magazine

  CURRENT ISSUE  
  FEATURES  
  COLUMNS  
  HOT PICK & PRODUCT REVIEWS  
  ARCHIVES  
  SUBSCRIBE/RENEW  
  

A Safe Bet?
by Paul Proctor
Issue: Aug 2005
printer-friendly
licensing & reprints
< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >
NAD: The Real Deal

Network anomaly detection has been around for a few years, and the concept of anomaly detection in network defense even longer. The following debunks a few myths surrounding NAD:

Myth

Automated profiling/modeling/training eliminates tuning.

Automated response capabilities to enable containment, like

pushing ACLs to network infrastructure, can protect against threats.

NAD catches hard-to-detect insider misuse that cannot be addressed by firewalls and IPS.

NAD detects zero-day exploits.

NAD is the last line of defense.

Reality

It doesn't eliminate it; it changes the nature of the tuning from which signatures should be enabled to which anomalies you choose to highlight and address.

Automated response features are present, but — as was the case with early adopters of IPS products — most operators are reluctant to turn on automated response because of the high potential for false positives. While NAD produces interesting intelligence, the collected data is better suited for investigative rather than automated responses.

Technically, yes, but it's subject to the limitations of determining which anomalies are really important. NAD doesn't substantially affect the difficulty of detecting and addressing malicious insiders.

NAD detects infections and helps organizations contain them before they spread, which could be argued as the only really effective way to deal with zero-day attacks. There's no magic that understands zero-day exploits any better than any other technology.

This may be true. As a decision-support system, NAD helps organizations address the impacts of various attacks and behaviors on their network.

Not Really an IPS
To understand the value and limitations of NAD technology, it helps to understand the differences between it and a traditional IDS/IPS. NADS are more complementary than competitive solutions to the signature-based technologies. While the systems have the ability to trigger automated responses and/or blocking like IDS/IPS, they're used most frequently to create a presentation of the network traffic that allows a security manager with good contextual knowledge of his network to identify otherwise elusive behavior. They can be thought of as a last line of defense when preventive tools like firewalls and IPSes fail to stop real-time exploitation of vulnerabilities. And, they can be used to detect new applications, behavior and devices for investigation.

The most significant difference between NADS and IPS/IDS is the class of attacks each addresses. An IPS primarily detects (and possibly blocks) attacks that can be predefined. The size and comprehensiveness of the attacks that can be blocked is dependent on many factors, such as placement of the sensors and quality of the signatures.

Despite vendor claims to the contrary, NAD is primarily an investigative technology. While it has the potential to detect zero-day and other stealthy attacks, confidence in its results remains a problem in enabling automated response mechanisms. This isn't unlike the early versions of IDS/IPS products, which weren't reliable enough to enable automated responses. In this light, NAD is best used to detect, investigate and manually address suspected incidents and problems.

Herein lies its advantage and differentiation from IDS/IPS: NADS may not be able to automatically detect and block with the confidence of an IPS signature, but neither can an IDS/IPS help an organization if the enabled signature set misses something. This is where NAD shines.

One company reported installing a NAD product after Nimda hit its network, penetrated 70 percent of its servers and took four days to bring under control. With NAD firmly in place, the company was then hit by the MyTob virus. The system discovered MyTob on five PCs within a few minutes of the first infection, and sysadmins manually blocked ports to contain the virus. This is a typical success story with NADS, where they provide early warning and investigation to isolate the problem, but aren't used for automated response.

In addition to detecting ongoing attacks, NADS can work with policy compliance or vulnerability management applications to monitor and prevent incidents. For instance, NADS can detect machine-to-machine connections, unauthorized applications and processes, protocol and port usage, misconfigured systems, network traffic loads and bandwidth consumption.

< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >




TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts