Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares

From: Arian J. Evans (arian.evans_at_bigfoot.com)
Date: 08/12/03

    To: "'Martin Roesch'" <roesch@sourcefire.com>
    Date: Tue, 12 Aug 2003 01:08:14 -0500

    Marty,

    Apologies for the bounces; Bigfoot killed my account again for some
    unknown reason, so if you reply please leave my work address on
    the cc: line...thanks,

    # Just following up the "IDS is dead, etc" thread

    Before I get to the point, let's take Gartner in context. For a good
    chuckle, go back and read the "PC is Dead" and "Thin is In" Gartner
    reports from the '98-'99 time period. By 2001, we are all replacing our
    PCs with Thin or NC computing. Anyone remember the big conferences
    in Florida aspisland.com had? Oops, looks like that domain isn't
    what it used to be...

    Anyway, by Gartner prophecy...Citrix, Oracle NC, and Sun Java terms
    are the future. The PC is definitely dead, and we are all chasing the
    white unicorn of network computing (NC).

    Funny, it's 2003+1/2, and I use Citrix and I use Java and I still have
    all these damned PCs I use every day. Not a WYSE Winterm to be
    found around me... Or a nearby NC ASP.

    So let's chalk the Gartner thing up to awesome insight, and move on...

    # my thoughts about data quality and event value coming out of NIDS.

    Ohhh, *data quality* and *event value*, now we're talking...

    I think you're spot on about the confusion regarding false positives
    and non-security events, etc. I think a lot of us fully agree with you.
    I know _a_lot_ of people out there in the real world still don't understand
    this, and if they do, they don't have the time/skill to properly tune
    NIDS, correlate events, etc. etc. etc.

    The Gartner claim is essentially "IDS is dynamic and hard to make
    work; if we move this function to static perimeter access controls which
    most people manage successfully, things will be easier."

    There are a lot of problems with that claim, but I've got two big complaints
    about NIDS which Gartner didn't touch:

    1. Lack of security event correlation to asset value.
    2. Lack of value in an Enterprise using predominantly encrypted
    channels of communication (I just ran into this one in a big way).

    # Lots of vendors are taking a stab at building the necessary
    # software to apply this sort of context to that data coming out of NIDS

    Where is nCircle? They should be gurus at this, having probably the
    oldest model for doing this. <sigh> (Hi John F., from the old UCU days...)

    I've spent a number of years caring for and feeding corporate networks
    including HIDS, NIDS, SEMs (netForensics, Pentasafe VLA, etc.) and
    I know all about the pain and frustration and worthless value of aggregating
    all this data but being able to assign no value to it without tons of manual
    analysis. It's easier to ignore and go play the patching game...

    So we have built an IDS deployment methodology at the organization I
    work for, in which the majority of the work comes way before deployment or
    IDS selection (this is old hat to most of you, so I'll skip the details).
    Essentially, the primary things that need to happen are:

    1. Asset Identification.
    2. Asset Classification, with regards to Criticality and Sensitivity (very
    different).
    3. Asset Valuation: create a combined asset value (CAV) metric based upon #2.
    3. Security Event collection (NIDS, HIDS, SEMs, etc.).
    4. Vulnerability Posture collection (ISS, Retina, Nessus, Qualys, whatever).
    5. Security Event correlation with Vulnerability Posture and CAV.
    6. Security Event metric generation, which is a combination of assigning value
    metrics to the security event, and factoring it against the vulnerability
    posture and CAV metrics of given asset(s).

    Aside from nCircle, IDS vendors are just getting around to about 50% of this.
    ISS has Fusion, and Sourcefire will have RNA soon. The SEM vendors have
    been "correlating" events for some time, but no one seems to have taken
    the most important approach:

    Organizations need a smart, effective, and automatic way to correlate security
    events with *BOTH* the vulnerability posture and the actual value of the asset.
    The vast majority of host and network based audit tools, vuln scanners, NIDS,
    and SEMs give you slim to no ability to define a CAV and compare it to
    either vulnerability posture or security events. And none give you both.

    How hard would it be to let one define assets and assign metrics in the central
    log aggregation database, and do some metric comparisons to put all three
    elements into perspective? Because that is what is really needed...

    After years of doing this manually, and often failing, I *feel* the need. And
    so do all of you out there still caring for and feeding your networks...

    Why didn't ISS build this function into Fusion? RDG? Maybe it's harder than
    I think. Too bad code I write looks like it came from a pseudo-random-code-
    generator, or I'd take a stab at it myself. Marty? I know you can do this
    (and "this code will be faaast" :)).

    BTW// #4, above, has to be dynamic. In mid-to-large size Enterprises, the
    network often changes faster than the security/IDS team can keep up with.
    Manually tuning NIDS in respect to specific assets' vulnerability posture
    _does_not_scale_ at all.

    # I think that the data that ends up on the "cutting room floor" after this
    # contextualization process still has value for trending purposes and

    Well, that's another important point that deserves its own discussion.
    We need a Security Event Management (SEM) list to discuss centralized
    log collection, aggregation, reporting and forensics...

    A far more immature space than NIDS, IMHO.

    # This is why I believe that the Gartner guys are clueless, they don't even
    # have a conceptual framework in which to define the problem that they're
    # complaining about so they're obviously unable to conceive of a solution

    The PC is Dead!

    # Hope some of you found this useful!

    As always, thanks. As always, I went on too long, so I will save my
    discussion of the future of NIDS /and/ firewalls and protocol analyzers,
    etc. in an Enterprise using all encrypted channels for its own thread
    at a later date. Hopefully my Bigfoot account will be fixed by then, so
    I can joyously receive all the flames pointing out what an idiot I am...

    Good discussion, it's really helped me solidify my thoughts. Cheers,

    Arian J. Evans

    PS// caveat--since I started writing this tonight, Bennet already brought
    up nCircle and Scott Wimer brought up Mazu in another thread....(see
    my previous post today for more on network policy profilers....).
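As an added illustration of the numbered methodology in the post above (not code from the post, nor from nCircle, ISS Fusion, Sourcefire RNA or any SEM it names), here is a toy Python correlation of NIDS events against vulnerability posture and combined asset value. The assets, IPs, vulnerability ids, signature names and alerts are constructed, and the sum-based CAV and the per-outcome weights are assumed rules.

```python
# Constructed sample data and an assumed scoring rule; not any product's code.
from dataclasses import dataclass, field
@dataclass
class Asset:
    name: str
    ip: str
    criticality: int   # step 2: 1 (low)..5 (high) impact if the asset is unavailable
    sensitivity: int   # step 2: 1..5 impact if its data is disclosed
    vulns: set = field(default_factory=set)  # step 4: vuln ids the scanner reported
    def cav(self):     # step 3: combined asset value (a plain sum is an assumption)
        return self.criticality + self.sensitivity

# step 1: the inventory; IPs and vuln ids are constructed placeholders
ASSETS = {a.ip: a for a in [
    Asset("payroll-db", "10.0.1.10", 5, 5, {"VULN-A"}),
    Asset("kiosk-pc", "10.0.2.20", 1, 1, {"VULN-A", "VULN-B"}),
    Asset("web-proxy", "10.0.3.30", 3, 2, set()),
]}
# NIDS signature -> vulnerability it targets (None: recon/generic, nothing to check)
SIGNATURES = {"EXPLOIT vuln-a attempt": "VULN-A",
              "EXPLOIT vuln-b attempt": "VULN-B", "SCAN nmap syn": None}
# step 6: weight applied to severity * CAV; dont_care is the "cutting room floor"
WEIGHT = {"vulnerable": 1.0, "unknown_asset": 0.5, "uncorrelated": 0.5, "dont_care": 0.0}

def classify(event, asset):  # step 5: what the posture says about this event/asset
    if asset is None:
        return "unknown_asset"   # inventory gap (step 1 missed it); needs a human
    vuln = SIGNATURES.get(event["sig"])
    if vuln is None:
        return "uncorrelated"    # no vuln mapping, so posture cannot help
    return "vulnerable" if vuln in asset.vulns else "dont_care"

def score_events(events):  # returns (score, label, asset, signature), most urgent first
    rows = []
    for ev in events:
        asset = ASSETS.get(ev["dst"])
        label = classify(ev, asset)
        cav = asset.cav() if asset else 5   # assumption: unknown hosts get a mid CAV
        name = asset.name if asset else ev["dst"]
        rows.append((ev["severity"] * cav * WEIGHT[label], label, name, ev["sig"]))
    return sorted(rows, key=lambda r: r[0], reverse=True)

# constructed alerts: raw severity alone would put the three severity-5 hits first
EVENTS = [
    {"dst": "10.0.2.20", "sig": "EXPLOIT vuln-a attempt", "severity": 5},
    {"dst": "10.0.1.10", "sig": "EXPLOIT vuln-b attempt", "severity": 5},
    {"dst": "10.0.1.10", "sig": "EXPLOIT vuln-a attempt", "severity": 4},
    {"dst": "10.0.3.30", "sig": "SCAN nmap syn", "severity": 2},
    {"dst": "10.0.9.99", "sig": "EXPLOIT vuln-a attempt", "severity": 5},
]
```

Running score_events(EVENTS) ranks the severity-4 hit on the vulnerable payroll host first and sends the severity-5 hit against a vulnerability the same host does not have to the bottom with a zero score, which is the asset-aware ordering the post argues no vendor yet delivers.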


