[Dailydave] What EINSTEIN isn't. (Sheesh)

Thomas Quinlan tom at thomasquinlan.com
Fri Jan 29 10:22:29 EST 2016


I've not been doing anything for the government for some years now, but 
it (Einstein) was very effective for some of the things we really did 
need it for while I was doing those things. We didn't have access 
directly, but the guys at US-CERT who did knew what they were doing and 
so did we and it was one of those things to look back on proudly.



On 29 Jan 2016, at 14:01, Dave Aitel wrote:

> http://www.defenseone.com/technology/2016/01/us-homeland-securitys-6b-firewall-has-more-few-frightening-blind-spots/125528/
>
> Let me quote from this weirdly wrong article here:
> "EINSTEIN relies on patterns of attacks, called signatures, to spot
> suspicious traffic, but it does not scan for 94 percent of commonly
> known vulnerabilities or check web traffic for malicious content
> <http://www.gao.gov/assets/680/674829.pdf>."
>
> I wanted to correct some craziness I saw in DefenseOne
> this morning. Apparently it is quite difficult to figure out
> what EINSTEIN is for, and the technology is complex, so I'm going
> to clarify matters PURELY AS AN OUTSIDER.
>
> To sum up the article, for people who don't want to read it: Someone
> is complaining that the EINSTEIN system does not function as a giant
> perfect Intrusion Prevention System (IPS) for the whole Government!
> Keep in mind, we already know AV, IPS and IDS and related technologies
> VERY MUCH DON'T WORK AT SCALE!
>
> First of all: There is not enough memory in the world to hold the
> state machines you would need to track all the TCP connections going
> to all the Government networks in the world. The developers of
> EINSTEIN are *not stupid* enough to think they're going to build a big
> Palo Alto box. Nor do they want to be in the business of writing
> thousands of IPS signatures, all of which are probably a giant waste
> of time.
>
> Instead, EINSTEIN allows the Government to do analysis across
> individual intrusions, detecting where attackers go when they
> laterally move from, say, OPM, to the State Department.
>
> Just to sum it up:
> "Regarding zero day exploits," Homeland Security officials stated
> "there is no way to identify them until they are announced," the
> report states. Once they are disclosed, DHS can mold a signature to
> the attack pattern and feed it into EINSTEIN.
>
> If you tie that to the feed obviously coming from the NSA, you have
> something very very useful. Much more useful than an IPS would be. It
> is about situational awareness and response, not protection. It still
> needs testing, but of a very different sort.
>
> -dave