IDS mailing list archives
Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares
From: "Mike Coliton" <mcoliton () twmi rr com>
Date: Tue, 12 Aug 2003 12:46:32 -0400
Wasn't it Gartner the one who said that 50% of all Firewalls will be outsourced by 2005? ----- Original Message ----- From: "Arian J. Evans" <arian.evans () bigfoot com> To: "'Martin Roesch'" <roesch () sourcefire com> Cc: <focus-ids () securityfocus com>; <arian.evans () fishnetsecurity com> Sent: Tuesday, August 12, 2003 2:08 AM Subject: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares
Marty, Apology for bounces; Bigfoot killed my account again for some unknown reason, so if you reply please leave my work address on the cc: line...thanks, # Just following up the "IDS is dead, etc" thread Before I get to the point, let's take Gartner in context. For a good chuckle, go back and read the "PC is Dead" and "Thin is In" Gartner reports from '98-'99 time period. By 2001, we are all replacing our PCs with Thin or NC computing. Anyone remember the big conferences in Florida aspisland.com had? Ooops, looks like that domain isn't what it used to be... Anyway, by Gartner prophecy...Citrix, Oracle NC, and Sun Java terms are the future. The PC is definitely dead, and we are all chasing the white unicorn of network computing (NC). Funny, it's 2003+1/2, and I use Citrix and I use Java and I still have all these damned PCs I use every day. Not a WYSE Winterm to be found around me... Or a nearby NC ASP. So let's chalk the Gartner thing up to awesome insight, and move on... # my thoughts about data quality and event value coming out of NIDS. Ohhh, *data quality* and *event value*, now we're talking... I think you're spot on about the confusion regarding false positives and non-security events, etc. I think a lot of us fully agree with you. I know _a_lot_ of people out there in the real world still don't
understand
this, and if they do, they don't have the time/skill to properly tune NIDS, correlate events, etc. etc. etc. The Gartner claim is essentially "IDS is dynamic and hard to make work; if we move this function to static perimeter access controls which most people manage successfully, things will be easier." There's a lot of problems with that claim, but I've got two big complaints about NIDS which Gartner didn't touch: 1. Lack of security event correlation to asset value. 2. Lack of value in an Enterprise using predominantly encrypted channels of communication (I just ran into this one in a big way). # Lots of vendors are taking a stab at building the necessary # software to apply this sort of context to that data coming out of NIDS Where is nCircle? They should be guru at this, having probably the oldest model for doing this. <sigh> (Hi John F., from the old UCU days...) I've spent a number of years caring and feeding for corporate networks including HIDS, NIDS, SEMs (netForensics, Pentasafe VLA, etc.) and I know all about the pain and frustration and worthless value of
aggregating
all this data but being able to assign no value to it without tons of
manual
analysis. It's easier to ignore and go play the patching game... So we have built an IDS deployment methodology at the organization I work for, that the majority of work comes way before deployment or IDS selection. (this is old hat to most of you, so I'll skip the details). Essentially, the primary things that need to happen are: 1. Asset Identification. 2. Asset Classification, with regards to Criticality and Sensitivity (very different). 3. Asset Valuation: create a combined asset value (CAV) metric based upon #2. 3. Security Event collection (NIDS, HIDS, SEMs, etc.). 4. Vulnerability Posture collection (ISS, Retina, Nessus, Qualys,
whatever).
5. Security Event correlation with Vulnerability Posture and CAV. 6. Security Event metric generation, which is a combination of assigning value metrics to the security event, and factoring it against the vulnerability posture and CAV metrics of given asset(s). Aside from nCircle, IDS vendors are just getting around to about 50% of this. ISS has Fusion, and Sourcefire will have RNA soon. The SEM vendors have been "correlating" events for some time, but no one seems to have taken the most important approach: Organizations need a smart, effective, and automatic way to correlate security events with *BOTH* the vulnerability posture and the actual value of the asset. The vast majority of host and network based audit tools, vuln scanners, NIDS, and SEMs give you slim to none ability to define a CAV and compare it to either vulnerability posture, or security events. And none give you both. How hard would it be to let one define assets and assign metrics in the central log aggregation database, and do some metric comparisons to put all three elements into perspective? Because that is what is really needed... After years of doing this manually, and often failing, I *feel* the need. And so do all of you out there still caring for and feeding your networks... Why didn't ISS build this function into Fusion? RDG? Maybe it's harder
than
I think. Too bad code I write looks like it came from a
pseudo-random-code-
-generator, or I'd take a stab at it myself. Marty? I know you can do this (and "this code will be faaast" :)). BTW// #4, above, has to be dynamic. In mid-to-large size Enterprises, the network often changes faster than the security/IDS team can keep up with. Manually tuning NIDS in respect to specific assets' vulnerability posture _does_not_scale_ at all. # I think that the data that ends up on the "cutting room floor" after
this
# contextualization process still has value for trending purposes and Well, that's another important point that deserves it's own discussion. We need a Security Event Management (SEM) list to discuss centralized log collection, aggregation, reporting and forensics... A far more immature space than NIDS, IMHO. # This why I believe that the Gartner guys are clueless, they don't even # have a conceptual framework in which to define the problem that they're # complaining about so they're obviously unable to conceive of a solution The PC is Dead! # Hope some of you found this useful! As always, thanks. As always, I went on too long, so I will save my discussion of the future of NIDS /and/ firewalls and protocol analyzers, etc. in an Enterprise using all encrypted channels for its own thread at a later date. Hopefully my Bigfoot account will be fixed by then, so I can joyously receive all the flames pointing out what an idiot I am... Good discussion, it's really helped me solidify my thoughts. Cheers, Arian J. Evans PS// caveat--since I started writing this tonight, Bennet already brought up nCircle and Scott Wimer brought up Mazu in another thread....(see my previous post today for more on network policy profilers....). --------------------------------------------------------------------------
-
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.captusnetworks.com/ads/31.htm --------------------------------------------------------------------------
-
--------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.captusnetworks.com/ads/31.htm ---------------------------------------------------------------------------
Current thread:
- False positives, negatives and don't cares Martin Roesch (Aug 11)
- Re: False positives, negatives and don't cares Bennett Todd (Aug 11)
- Re: False positives, negatives and don't cares Martin Roesch (Aug 12)
- Re: False positives, negatives and don't cares Paul Schmehl (Aug 12)
- Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Arian J. Evans (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Mike Coliton (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Martin Roesch (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Anton A. Chuvakin (Aug 21)
- Re: False positives, negatives and don't cares Bennett Todd (Aug 11)