IDS mailing list archives
Towards a sound IDS Value Methodology--was-->Gartner is Dead, nCircle, Fusion, asset-correlation...
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 21 Aug 2003 22:13:56 -0500
Hello! Thanks for listening to my cathartic IDS cleansing:

Based upon several replies, I didn't communicate effectively where human and where software logic sh/would be applied in my proposed IDS methodology. Though I do think that Turbo Pascal offers us a few options that haven't been explored....let me clarify:

# > 3. Asset Valuation: create a combined asset value (CAV)
# > metric based upon
#
# This is all very nice, but one of the major challenges here is that this
# "value" is inherently manual input (or computable from manual input).
# What's even worse, even the code to "program a human" to define such
# values manually is not written yet :-) It's just too fuzzy. Once, for
# example, I've heard an opinion that some BCP score or whatever can be used
# there, but even this turned out to be ineffective.

My main criticism is that today's security tools do not allow you to *define* and *compare* these essential metrics, regardless of how they are gathered and assigned.

In the methodology I proposed, the majority of information gathering regarding asset value is manual. I don't see that changing in the near future. Assigning metrics is, and must be, manual to take into account all the variances one finds in different enterprises.

There are things that can be done well automatically. Host discovery, vulnerability posture, and threat status (behavioral, signature, etc.) can all be effectively discovered by software. If that software allows one to define assets and assign appropriate organizational values (criticality, sensitivity=CAV)...said software can also effectively factor *one's* defined metrics against vuln posture and threat status. Assigning values to various vulnerabilities and attack sigs/threats is also a necessity, which many of today's software packages allow. Software can give one a combined analysis and help prioritize where one spends human eyeball time. I'd rather spend it discovering and making intelligent decisions about asset value than sifting through logs of IDS or Audit analysis data without context.

***

Anton's objection that this is "Fuzzy" (ref: "Fuzzy Thinking" by USC Professor Bart Kosko, 1993) revolves around the difficulty and inherent subjectivity involved in gathering and quantifying asset value data. That's my/our problem, and I'm not asking software vendors to solve for this need. Yet. :~)

However, arguing that a null value state is better than the values a human can assign is essentially the claim that:

a) Human beings are likely to assign incorrect values to assets
b) Assigning incorrect values to assets presents more risk than assigning no values to assets
-------------------------------------------------------------------------------------------
c) Humans assigning value to assets presents more risk than assigning no values to assets

My claim was/is:

a) HB can assign values to assets w/>50% accuracy.
b) If asset value is assigned w/>50% accuracy, it will improve the value of comparatively analyzed threat and vulnerability data.
-------------------------------------------------------------------------------------------
c) HB can improve the quality of threat and vuln data by assigning value metrics to their assets, and performing comparative analysis.

# Thus while some solutions do have the value field (such as for use in
# various risk assessment algorithms), I suspect few of the...

Anton, you are right: some solutions do have value-fields, but they are usually limited and not in the tools that do comparative analysis between the various types of data we are talking of here. At least, I'm not aware of someone who has a mature offering here...

Marty made some excellent distinctions in his response regarding various value-qualifiers, and how to properly apply context. These deserve their own discussion. However, to start out with, I'll settle for simple sensitivity and criticality values. Threat vectoring, asset locations, etc. etc...we can build all that in good time...

My methodology, which is primarily manual, I'll repeat, and ask for criticism and refinement:

<snip>
the primary things that need to happen are:

1. Asset Identification.
2. Asset Classification, with regards to Criticality and Sensitivity (very different).
3. Asset Valuation: create a combined asset value (CAV) metric based upon #2.
4. Security Event collection (NIDS, HIDS, SEMs, etc.).
5. Vulnerability Posture collection (ISS, Retina, Nessus, Qualys, whatever).
6. Security Event correlation with Vulnerability Posture and CAV.
7. Security Event metric generation, which is a combination of assigning value metrics to the security event, and factoring it against the vulnerability posture and CAV metrics of given asset(s).
</snip>

Thanks again,

Arian J. Evans, Esquire
Best Buy PC Technician
CompTIA A+ Certified, 1997

note: Office XP breaks text-based emails by default. Uncheck "remove extra line breaks" in your email options to fix this ridiculousness.
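The methodology in the message above (asset identification, classification, CAV, event and posture collection, correlation, metric generation), worked through as a small scoring model. This is an added example, not code from the post or from any product it names; the 1..5 rating scale, the equal-weight CAV, the 0.2 discount for an event whose weakness is absent from the host, and all hosts, weakness labels and events are constructed assumptions.

```python
from dataclasses import dataclass, field

SCALE = 5  # criticality, sensitivity and event severity all rated 1..5 (assumed)

@dataclass
class Asset:
    name: str
    criticality: int  # classification: impact if the asset is unavailable
    sensitivity: int  # classification: impact if its data is disclosed or altered
    vulns: set = field(default_factory=set)  # vuln posture: scanner-reported weaknesses

def cav(asset):
    """Valuation: combined asset value in 0..1 (equal weighting is an assumption)."""
    return (asset.criticality + asset.sensitivity) / (2 * SCALE)

def event_metric(event, inventory, unknown_cav=0.5):
    """Correlation + metric generation: severity factored against posture and CAV."""
    asset = inventory.get(event["target"])
    if asset is None:
        # Identification gap: a host nobody inventoried. Score it at a default CAV
        # and flag it so the inventory gets fixed rather than the alert ignored.
        return event["severity"] / SCALE * unknown_cav, "UNKNOWN-ASSET"
    # Correlation: does the weakness the signature targets exist on this host?
    # If not, the event is probably noise for this host and is discounted.
    posture = 1.0 if event["weakness"] in asset.vulns else 0.2
    return event["severity"] / SCALE * posture * cav(asset), "OK"

def prioritize(events, inventory):
    """Rank events so human eyeball time goes to the highest metric first."""
    scored = []
    for ev in events:
        score, note = event_metric(ev, inventory)
        scored.append((round(score, 3), ev["target"], ev["sig"], note))
    return sorted(scored, reverse=True)

# Constructed sample inventory and events (not real hosts, scans or signatures).
INVENTORY = {a.name: a for a in [
    Asset("payroll-db", 5, 5, {"db-unpatched-listener"}),
    Asset("public-www", 3, 1, {"web-old-cgi"}),
    Asset("lab-box", 1, 1, {"web-old-cgi", "db-unpatched-listener"}),
]}
EVENTS = [
    {"target": "payroll-db", "sig": "DB listener overflow", "severity": 5, "weakness": "db-unpatched-listener"},
    {"target": "lab-box", "sig": "DB listener overflow", "severity": 5, "weakness": "db-unpatched-listener"},
    {"target": "public-www", "sig": "DB listener overflow", "severity": 5, "weakness": "db-unpatched-listener"},
    {"target": "public-www", "sig": "CGI probe", "severity": 2, "weakness": "web-old-cgi"},
    {"target": "10.0.0.99", "sig": "CGI probe", "severity": 2, "weakness": "web-old-cgi"},  # not in inventory
]
```

Calling `prioritize(EVENTS, INVENTORY)` puts the same signature against the payroll host at the top, the same signature against a host that lacks the weakness near the bottom, and the un-inventoried host in between with an explicit flag.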