[Dailydave] What EINSTEIN isn't. (Sheesh)

Dave Aitel dave.aitel at gmail.com
Fri Jan 29 09:01:47 EST 2016


http://www.defenseone.com/technology/2016/01/us-homeland-securitys-6b-firewall-has-more-few-frightening-blind-spots/125528/

Let me quote from this weirdly wrong article here:
"EINSTEIN relies on patterns of attacks, called signatures, to spot
suspicious traffic, but it does not scan for 94 percent of commonly known
vulnerabilities or check web traffic for malicious content
<http://www.gao.gov/assets/680/674829.pdf>."

I wanted to correct some craziness I saw in DefenseOne
this morning. Apparently it is quite difficult to figure out
what EINSTEIN is for, and the technology is complex, so I'm going
to clarify matters PURELY AS AN OUTSIDER.

To sum up the article, for people who don't want to read it: Someone is
complaining that the EINSTEIN system does not function as a giant perfect
Intrusion Prevention System (IPS) for the whole Government! Keep in mind,
we already know AV, IPS and IDS and related technologies VERY MUCH DON'T
WORK AT SCALE!

First of all: There is not enough memory in the world to hold the state
machines you would need to track all the TCP connections going to all the
Government networks in the world. The developers of EINSTEIN are *not
stupid* enough to think they're going to build a big Palo Alto box. Nor do
they want to be in the business of writing thousands of IPS signatures, all
of which are probably a giant waste of time.

Instead, EINSTEIN allows the Government to do analysis across individual
intrusions, detecting where attackers go when they laterally move from,
say, OPM, to the State Department.

Just to sum it up:
“Regarding zero day exploits,” Homeland Security officials stated “there is
no way to identify them until they are announced,” the report states. Once
they are disclosed, DHS can mold a signature to the attack pattern and feed
it into EINSTEIN.

If you tie that to the feed obviously coming from the NSA, you have
something very very useful. Much more useful than an IPS would be. It is
about situational awareness and response, not protection. It still needs
testing, but of a very different sort.

-dave
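The "situational awareness, not protection" point above can be shown concretely. The following is an added example, not code from the post and not a description of how EINSTEIN is actually built: it takes constructed flow records from three hypothetical agencies and a constructed indicator that was only published after most of that traffic happened, then does a retrospective search. Agency names, IPs, ports, timestamps and the signature are all assumptions made up for the example.

```python
"""
Added example (not from the original post): retrospective, cross-agency
search of stored flow records against a signature that was published only
after the traffic occurred. Everything below is constructed sample data.
"""
from datetime import datetime

# Constructed flow records: (timestamp, agency, src, dst, dst_port).
# 203.0.113.7 is the (hypothetical) attacker infrastructure; it is contacted
# first from "OPM", later from "STATE".
FLOWS = [
    ("2015-12-01T03:10:00", "OPM",   "10.1.4.22", "203.0.113.7",  443),
    ("2015-12-01T09:45:00", "OPM",   "10.1.9.5",  "198.51.100.4", 80),
    ("2015-12-03T22:30:00", "STATE", "10.8.2.17", "203.0.113.7",  443),
    ("2015-12-05T14:00:00", "DOI",   "10.3.3.3",  "192.0.2.55",   443),
    ("2016-01-10T01:00:00", "STATE", "10.8.6.9",  "203.0.113.7",  8443),
]

# Constructed signature, "molded" to the attack pattern after disclosure.
# Note the publication date: two of the three matching flows predate it.
SIGNATURE = {
    "name": "constructed-c2-indicator",
    "published": "2016-01-05T00:00:00",
    "dst_ips": {"203.0.113.7"},
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def retro_search(flows, sig):
    """Return every flow matching the signature, flagging the ones that
    happened before the signature existed (which an inline IPS could never
    have blocked, but a stored-flow search still finds)."""
    published = parse_ts(sig["published"])
    hits = []
    for ts, agency, src, dst, port in flows:
        if dst in sig["dst_ips"]:
            hits.append({
                "ts": ts, "agency": agency, "src": src, "dst": dst,
                "port": port, "before_signature": parse_ts(ts) < published,
            })
    return hits


def agency_timeline(hits):
    """First-seen time per agency, ordered: shows where the attacker was
    first and where they went next."""
    first_seen = {}
    for h in sorted(hits, key=lambda h: parse_ts(h["ts"])):
        first_seen.setdefault(h["agency"], h["ts"])
    return sorted(first_seen.items(), key=lambda kv: parse_ts(kv[1]))


def ips_would_have_blocked(hits):
    """Only flows after the signature was published could have been blocked
    by a signature-based inline device."""
    return [h for h in hits if not h["before_signature"]]


def main():
    hits = retro_search(FLOWS, SIGNATURE)
    for h in hits:
        tag = "PRE-SIGNATURE" if h["before_signature"] else "post-signature"
        print(f'{h["ts"]} {h["agency"]:5} {h["src"]} -> {h["dst"]}:{h["port"]} {tag}')
    print("Lateral movement timeline:", agency_timeline(hits))
    print("Flows an inline IPS could have stopped:", len(ips_would_have_blocked(hits)),
          "of", len(hits))


if __name__ == "__main__":
    main()
```

With the constructed data the search finds three matching flows, two of which happened before the signature existed; only the last one was ever blockable. What the analyst gets instead is the order in which agencies were touched, which is the cross-intrusion view the post is describing.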