Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The beginnings of a collaborative approach to IDS

Published: 2008-11-25
Last Updated: 2008-11-25 21:05:05 UTC
by Andre Ludwig (Version: 2)
0 comment(s)

Well I think since today has been a rather "busy" first day on the job I would add one more post.  This one covers a project that is under development at emergingthreats.net, that any IDS people should find very interesting.

http://doc.emergingthreats.net/bin/view/Main/SidReporter

From the above link we can get a good idea what sidreporter does.

SidReporter is the Emerging Threats Data Sharing Tool that allows users to report anonymously their local IDS/IPS event data. In return you will (soon) get an analysis of how your events compare to the whole, what you're missing, what trends are showing globally, and what you can do to tune your rulesets.

All data is reported in a non-source identifiable way using PGP to encrypt in transit. So your data can only be decrypted by you or the Emerging Threats data correlation process.

 

So why exactly is this so interesting?

A collaborative approach is what the security community is lacking, everyone has their own little views of problems/incidents. There really is no place to go to build a more unified and complex vision of what is going on.  This is more aptly described as resolution, where each company or security group only has a few pixels of an image.  As you begin to stitch together those various groupings of pixels you begin to see the larger picture.

 

Why should anyone care about collaboration and "visions"?

Good question, you don’t have to care at all. (I have a hunch if you are reading this you are at least interested in these matters)

 

Why should anyone participate?

Simple, with out aggregating more data (pixels in my horrible example above) we will never have a good idea of what attacks are taking place.  With out that type of knowledge the good guys will continue to fly blind, this of couse assumes that EmergingThreats continues to be open to sharing the data they collect and produce. While that has never been an issue in the past I felt it was worthy of pointing out.  I highly doubt that emerging threats will all of a sudden close ranks, in fact the second they do is the second ET (emerging threats) destroys its worth and value.

 

And now to the data that is being produced today.

http://emergingthreats.net/index.php/sidreporter-statistics.html

It is my understanding that Emerging Threats is still developing this page actively, so the way the data is displayed may change slightly over time. 

 

0 comment(s)
Diary Archives