IDS mailing list archives

Towards a sound IDS Value Methodology--was-->Gartner is Dead, nCircle, Fusion, asset-correlation...


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 21 Aug 2003 22:13:56 -0500

Hello! Thanks for listening to my cathartic IDS cleansing:

Based upon several replies, I didn't communicate effectively
where human and where software logic sh/would be applied
in my proposed IDS methodology.

Though I do think that Turbo Pascal offers us a few options
that haven't been explored....let me clarify:

# > 3. Asset Valuation: create a combined asset value (CAV) 
# > metric based upon

# This is all very nice, but one of the major challenges here is that this
# "value" is inherently manual input (or computable from manual input).
# What's even worse, even the code to "program a human" to define such
# values manually is not written yet :-) It's just too fuzzy. Once, for
# example, I've heard an opinion that some BCP score or whatever can be used
# there, but even this turned out to be ineffective.

My main criticism is that today's security tools do not allow you to
*define* and *compare* these essential metrics, regardless of how
they are gathered and assigned.

In the methodology I proposed, the majority of information gathering
regarding asset value is manual. I don't see that changing in the
near future. Assigning metrics is, and must be, manual to take
into account all the variances one finds in different enterprises.

There are things that can be done well automatically. Host discovery,
vulnerability posture, and threat status (behavioral, signature, etc.)
can all be effectively discovered by software. If that software allows
one to define assets and assign appropriate organizational values
(criticality, sensitivity=CAV)...said software can also effectively
factor *one's* defined metrics against vuln posture and threat status.
Assigning values to various vulnerabilities and attack sigs/threats is
also a necessity, which many of today's software packages allow.

Software can give one a combined analysis and help prioritize where
one spends human eyeball time. I'd rather spend it discovering and
making intelligent decisions about asset value than sifting through
logs of IDS or Audit analysis data without context.

***

Anton's objection that this is "Fuzzy" (ref: "Fuzzy Thinking" by USC
Professor Bart Kosko, 1993) revolves around the difficulty and inherent
subjectivity involved in gathering and quantifying asset value data.

That's my/our problem, and I'm not asking software vendors to
solve for this need. Yet. :~)

However, arguing that a null value state is better than the values a
human can assign is essentially the claim that:

a) Human beings are likely to assign incorrect values to assets
b) Assigning incorrect values to assets presents more risk than
assigning no values to assets
-------------------------------------------------------------------------------------------
c) Humans assigning value to assets presents more risk than
assigning no values to assets

My claim was/is:

a) HB can assign values to assets w/>50% accuracy.
b) If asset value is assigned w/>50% accuracy, it will improve the
value of comparatively analyzed threat and vulnerability data.
-------------------------------------------------------------------------------------------
c) HB can improve the quality of threat and vuln data by assigning
value metrics to their assets, and performing comparative analysis.

# Thus while some solutions do have the value field (such as for use in
# various risk assessment algorithms), I suspect few of the...
 
Anton, you are right: some solutions do have value-fields, but they
are usually limited and not in the tools that do comparative analysis
between the various types of data we are talking of here.
 
At least, I'm not aware of someone who has a mature offering here...

Marty made some excellent distinctions in his response regarding
various value-qualifiers, and how to properly apply context. These
deserve their own discussion. However, to start out with, I'll settle
for simple sensitivity and criticality values. Threat vectoring, asset
locations, etc. etc...we can build all that in good time...

My methodology, which is primarily manual, I'll repeat, and ask for
criticism and refinement:

<snip>
the primary things that need to happen are:

1. Asset Identification.
2. Asset Classification, with regards to Criticality and Sensitivity (very different).
3. Asset Valuation: create a combined asset value (CAV) metric based upon #2.
4. Security Event collection (NIDS, HIDS, SEMs, etc.).
5. Vulnerability Posture collection (ISS, Retina, Nessus, Qualys, whatever).
6. Security Event correlation with Vulnerability Posture and CAV.
7. Security Event metric generation, which is a combination of assigning value
metrics to the security event, and factoring it against the vulnerability posture
and CAV metrics of given asset(s).
</snip>

Thanks again,

Arian J. Evans, Esquire
Best Buy PC Technician
CompTIA A+ Certified, 1997

note: Office XP breaks text-based emails by default. Uncheck
"remove extra line breaks" in your email options to fix this
ridiculousness.
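A worked example of the methodology above, added here and not part of Arian's post: it encodes constructed assets with analyst-assigned criticality and sensitivity, derives a CAV, and ranks constructed security events by severity, vulnerability posture and CAV, so the same signature sorts differently depending on what it was fired against. The CAV formula (larger of the two values), the posture weights, and all asset, vulnerability and signature names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    name: str
    criticality: int          # 1..5, manual: business impact if the asset is unavailable
    sensitivity: int          # 1..5, manual: impact if the asset's data is disclosed
    vulns: set = field(default_factory=set)   # vulnerability posture from a scanner (constructed ids)

@dataclass
class Event:
    signature: str
    target: str               # asset name the event was observed against
    severity: int             # 1..5, value the analyst assigned to this signature
    exploits: Optional[str]   # vuln id the signature targets, or None for behavioral alerts

def cav(asset: Asset) -> int:
    # Assumption: CAV is the larger of criticality and sensitivity, so an asset
    # that rates high on either dimension is not diluted by the other.
    return max(asset.criticality, asset.sensitivity)

def posture_factor(asset: Asset, event: Event) -> float:
    # Correlation with vulnerability posture: is the target actually exposed?
    if event.exploits is None:
        return 0.6            # behavioral alert, no vuln to check: moderate weight
    return 1.0 if event.exploits in asset.vulns else 0.2   # assumed weights

def event_metric(assets: dict, event: Event) -> float:
    # Event metric = severity x posture x CAV; an unknown target gets CAV 1.
    asset = assets.get(event.target)
    if asset is None:
        return event.severity * 0.6 * 1
    return event.severity * posture_factor(asset, event) * cav(asset)

def prioritize(assets: dict, events: list) -> list:
    """Return (score, event) pairs, highest first: the order for human review."""
    return sorted(((event_metric(assets, e), e) for e in events),
                  key=lambda p: p[0], reverse=True)

# Constructed sample inventory and event feed (not real hosts or signatures)
ASSETS = {a.name: a for a in [
    Asset("payroll-db", criticality=4, sensitivity=5, vulns={"VULN-001"}),
    Asset("kiosk-web",  criticality=2, sensitivity=1, vulns={"VULN-001", "VULN-002"}),
    Asset("dev-box",    criticality=1, sensitivity=2, vulns=set()),
]}
EVENTS = [
    Event("sql-overflow-attempt", "payroll-db", 4, "VULN-001"),
    Event("sql-overflow-attempt", "kiosk-web",  4, "VULN-001"),
    Event("sql-overflow-attempt", "dev-box",    4, "VULN-001"),
    Event("port-sweep",           "payroll-db", 2, None),
]
```

Running prioritize(ASSETS, EVENTS) puts the overflow attempt against the vulnerable, high-CAV payroll host first and the same signature against the unaffected dev box last, with the behavioral sweep on the payroll host in between.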
