I had an interesting and odd conversation with some folks today who were trying to determine how fast NIDS would identify potential attacker traffic that was innocent appearing. When I entered the debate, they were deep in conversation that centered around threshold settings in various IDS/IPS products and their recognition of port scanning. They seemed to be engrossed in how many connection attempts in a second should be considered malicious.
Eventually, they asked me about HoneyPoint and how many connections it takes for it to decide that traffic is malicious. I simply responded “One.” Finally, I explained that since HoneyPoints are psuedo-services and have no real reason for any traffic at all – that ANY CONNECTION to a HoneyPoint was by nature suspicious and we would alert. After about 15 minutes of discussion and further debate, I think I made believers out of them and they have all requested to demo the product for 90 days in their environment.
This is simply another way that HoneyPoint changes the IDS/IPS paradigm. It doesn’t really matter how MANY connections an attacker makes per second unless they are causing DoS on the network. IT REALLY MATTERS WHAT THEY ARE CONNECTING TO!
HoneyPoint can help you determine the criticality of even a single connection to a pseudo-service. You could take action then, or wait to see how things develop. If the attacker hits multiple HoneyPoints on a single host or multiple HoneyPoints on multiple hosts, you can determine what to do based on the risk of the behavior you see. If they begin to probe the HoneyPoints, you can likely very quickly determine what tools they are using, what they seem to be focusing on, etc. All of that helps you make better decisions and to craft smarter, more effective responses.
So, the bottom line is this: As wierd a metric for comparison as port scanning thresholding may be, HoneyPoint can help you drop that number to 1. Using HoneyPoint smartly and effictively – you can secure your environment more rapidly, easily and with greater insight than other technologies. How is that for an unusual metric?