Re: [Fed-Talk] Death of signatures
- Subject: Re: [Fed-Talk] Death of signatures
- From: Todd Heberlein <email@hidden>
- Date: Tue, 14 Feb 2012 09:17:40 -0800
On Feb 14, 2012, at 4:04 AM, William Cerniuk wrote:
> From a "truth in lending" perspective, this is from a conversation I had with a friend in the antivirus business. They call this feature "heuristic detection". It establishes a baseline of any app's activity and then when the app starts operating out of bounds, the user is flagged with a warning and the ability to stop the app from performing the out of bounds activity.
I had a similar conversation with the chief scientist of Symantec about a decade ago. He called this the "Yes, No, Maybe" problem. The problem largely being that most people do not have the skills to make the call, or if they do have the skills, they do not have the relevant additional information to make the call, and it just leaves them with a very uncomfortable feeling.
Eventually the user tends to turn off the feature or they become so accustomed to clicking "accept" that it does little good. How many people here ignore the alerts from their web browsers that the web site's certificate was signed by an unknown authority?
I wrote a pair of reports on this from my own personal experience from an alert from Symantec's firewall alerting me that our accounting computer was making a suspicious outbound connection. Trying to figure out why probably consumed a week of my time.
Why Anomaly Detection Sucks
http://www.netsq.com/Documents/WhyAnomalyDetectionSucks.pdf
Beyond the Anomaly: The Quest for the Underlying Cause
http://www.netsq.com/Documents/BeyondTheAnomaly.pdf
Todd