IDS mailing list archives

re[2]: Intrusion Risk Assessment


From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 08 Jan 2003 23:33:49 -0500

There are several systems available out there where the relationship between vulnerability
assessment (VA) and Intrusion detection/prevention is leveraged.

** ISS Site Protector can fuse ISS Scanner and ISS Real Secure information together such that
you can ignore events from ISS RealSecure that you are not vulnerable to.

** Several NIDS consider service banners for some of their attack checks. NFR and Intruvert do this where possible. Many of the NIDS (like Snort, Dragon and ISS) have signatures to
look for specific vulnerabilities as well.

** Our Lightning Console correlates Nessus vulnerabilities with ISS, Snort, Dragon and Bro alerts such that end users only get alerts when their systems have a correlation of a known IDS
event and a vulnerability. (Sorry for the plug, but felt it was relevant)

** nCircle has an appliance that does VA/IDS correlation as well.

** Cisco recently acquired a company named Psionic which had a product that looked at logs from ISS and Netranger and then quickly verified that the targeted systems were indeed vulnerable.

There are probably more coming ...

(apologies to any vendor that I either forgot or misrepresented)

When I was involved with the Dragon IDS, I did not like any of the scoring systems that were out there. I've seen a lot, and each is good for a specific environment. The two big problems were setting up a scoring system for a given environment and getting rid of creeping false positives. Because of this, I was really interested in writing signatures that looked for evidence of a compromise or a successful attack. My thought was that you either had an attack or you did not, because there was too much grey area in between. Integrating vulnerabilities together
with intrusion data is the first step.

Ron Gula, CTO
Tenable Network Security
http:\\www.tenablesecurity.com

At 04:52 PM 1/8/2003 +0000, Richard Bennison wrote:
> The problem with this is, define "damage."  IDS systems are not aware of
> the nature of what they defend.  An IIS exploit might be utterly useless
> against an apache web server, but the IDS is not intrinsically aware of
> which servers are apache and which are IIS.  Add to that the fact that
> such severity levels as "minor damage" or "minimal access to recover,"
> are dependent upon the information stored on a machine (which no current
> IDS could ever be cognizant of) as well as the role of that machine.

Accounting for the string above, this is where the relationship between vulnerability assessment (VA) and Intrusion detection/prevention (IDP) becomes key. If a NIDS or HIDS is aware of the nature of the system(s) it is protecting then it can respond relative to the liability of the system to the attack.

Apologies if this is answering the incorrect string....

It is untrue that IDP cannot be cognizant of the systems protected, as although you may not be able to respond relative to the box type, you can respond based on patch liability or services running on the box, i.e. IIS attacks on Apache: if the IDP knows that the box is not running IIS (or is running IIS patched), why would it need to block/report the attack? As such, if you implement a VA/IDP interaction that scans systems and primes IDP to react appropriately, then a score may be applied to each attack per system. There is a system out there that does this, let me know if you want more details.

Rich
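The VA/IDS correlation both posts describe (suppress or downgrade an alert when the scanner shows the target does not run the attacked service or is already patched), as an added Python example that is not the Lightning Console's or any vendor's code; the scan results, signature table and hosts are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed vulnerability-assessment results (what a Nessus-style scan would
# report): per host, the services found listening and the flaws confirmed unpatched.
SCAN = {
    "10.0.0.5": {"services": {"iis"}, "vulns": {"iis-unicode-traversal"}},
    "10.0.0.6": {"services": {"iis"}, "vulns": set()},      # IIS present but patched
    "10.0.0.7": {"services": {"apache"}, "vulns": set()},   # Apache: IIS attacks are noise
}

# Constructed IDS signature metadata: the service a signature targets and the
# vulnerability it exploits (None for a generic probe tied to no single flaw).
SIGNATURES = {
    "WEB-IIS unicode traversal": {"service": "iis", "vuln": "iis-unicode-traversal"},
    "WEB-IIS ISAPI overflow":    {"service": "iis", "vuln": "iis-isapi-overflow"},
    "WEB-MISC cgi probe":        {"service": None, "vuln": None},
}

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    signature: str

def correlate(alert, scan=SCAN, signatures=SIGNATURES):
    """Score one IDS alert against VA data; returns (priority, reason).

    high   - target confirmed vulnerable to the flaw the signature exploits
    medium - cannot rule it out: host never scanned, signature unknown, or
             the signature maps to no specific vulnerability
    low    - target runs the service but is patched against this flaw
    info   - target does not run the targeted service at all
    """
    host = scan.get(alert.dst)
    if host is None:
        return "medium", "target not in scan data"
    meta = signatures.get(alert.signature)
    if meta is None:
        return "medium", "unknown signature"
    if meta["service"] and meta["service"] not in host["services"]:
        return "info", f"target does not run {meta['service']}"
    if meta["vuln"] is None:
        return "medium", "no specific vulnerability mapped"
    if meta["vuln"] in host["vulns"]:
        return "high", f"target vulnerable to {meta['vuln']}"
    return "low", "service present but patched"

def triage(alerts, scan=SCAN, signatures=SIGNATURES):
    """Keep only alerts worth an analyst's time (high/medium), with the reason."""
    scored = ((a, *correlate(a, scan, signatures)) for a in alerts)
    return [(a, p, why) for a, p, why in scored if p in ("high", "medium")]
```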

