Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares
From: Mike Coliton (mcoliton_at_twmi.rr.com)
Date: 08/12/03
- Previous message: Matt.Carpenter_at_alticor.com: "Re: Linux/*nix open source IDS"
- In reply to: Arian J. Evans: "Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares"
- Next in thread: Martin Roesch: "Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares"
To: <arian.evans@bigfoot.com>, "'Martin Roesch'" <roesch@sourcefire.com> Date: Tue, 12 Aug 2003 12:46:32 -0400
Wasn't it Gartner who said that 50% of all firewalls would be
outsourced by 2005?
----- Original Message -----
From: "Arian J. Evans" <arian.evans@bigfoot.com>
To: "'Martin Roesch'" <roesch@sourcefire.com>
Cc: <focus-ids@securityfocus.com>; <arian.evans@fishnetsecurity.com>
Sent: Tuesday, August 12, 2003 2:08 AM
Subject: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares
> Marty,
>
> Apology for bounces; Bigfoot killed my account again for some
> unknown reason, so if you reply please leave my work address on
> the cc: line...thanks,
>
> # Just following up the "IDS is dead, etc" thread
>
> Before I get to the point, let's take Gartner in context. For a good
> chuckle, go back and read the "PC is Dead" and "Thin is In" Gartner
> reports from the '98-'99 time period. By 2001, we are all replacing our
> PCs with Thin or NC computing. Anyone remember the big conferences
> in Florida aspisland.com had? Ooops, looks like that domain isn't
> what it used to be...
>
> Anyway, by Gartner prophecy...Citrix, Oracle NC, and Sun Java terms
> are the future. The PC is definitely dead, and we are all chasing the
> white unicorn of network computing (NC).
>
> Funny, it's 2003+1/2, and I use Citrix and I use Java and I still have
> all these damned PCs I use every day. Not a WYSE Winterm to be
> found around me... Or a nearby NC ASP.
>
> So let's chalk the Gartner thing up to awesome insight, and move on...
>
> # my thoughts about data quality and event value coming out of NIDS.
>
> Ohhh, *data quality* and *event value*, now we're talking...
>
> I think you're spot on about the confusion regarding false positives
> and non-security events, etc. I think a lot of us fully agree with you.
> I know _a_lot_ of people out there in the real world still don't understand
> this, and if they do, they don't have the time/skill to properly tune
> NIDS, correlate events, etc. etc. etc.
>
> The Gartner claim is essentially "IDS is dynamic and hard to make
> work; if we move this function to static perimeter access controls which
> most people manage successfully, things will be easier."
>
> There are a lot of problems with that claim, but I've got two big complaints
> about NIDS which Gartner didn't touch:
>
> 1. Lack of security event correlation to asset value.
> 2. Lack of value in an Enterprise using predominantly encrypted
> channels of communication (I just ran into this one in a big way).
>
> # Lots of vendors are taking a stab at building the necessary
> # software to apply this sort of context to that data coming out of NIDS
>
> Where is nCircle? They should be guru at this, having probably the
> oldest model for doing this. <sigh> (Hi John F., from the old UCU days...)
>
> I've spent a number of years caring and feeding for corporate networks
> including HIDS, NIDS, SEMs (netForensics, Pentasafe VLA, etc.) and
> I know all about the pain and frustration and worthless value of aggregating
> all this data but being able to assign no value to it without tons of manual
> analysis. It's easier to ignore and go play the patching game...
>
> So we have built an IDS deployment methodology at the organization I
> work for, in which the majority of the work comes way before deployment or IDS
> selection (this is old hat to most of you, so I'll skip the details). Essentially,
> the primary things that need to happen are:
>
> 1. Asset Identification.
> 2. Asset Classification, with regards to Criticality and Sensitivity (very
> different).
> 3. Asset Valuation: create a combined asset value (CAV) metric based upon #2.
> 3. Security Event collection (NIDS, HIDS, SEMs, etc.).
> 4. Vulnerability Posture collection (ISS, Retina, Nessus, Qualys, whatever).
> 5. Security Event correlation with Vulnerability Posture and CAV.
> 6. Security Event metric generation, which is a combination of assigning value
> metrics to the security event, and factoring it against the vulnerability posture
> and CAV metrics of given asset(s).
>
> Aside from nCircle, IDS vendors are just getting around to about 50% of this.
> ISS has Fusion, and Sourcefire will have RNA soon. The SEM vendors have
> been "correlating" events for some time, but no one seems to have taken
> the most important approach:
>
> Organizations need a smart, effective, and automatic way to correlate security
> events with *BOTH* the vulnerability posture and the actual value of the asset.
> The vast majority of host and network based audit tools, vuln scanners, NIDS,
> and SEMs give you slim to none ability to define a CAV and compare it to
> either vulnerability posture, or security events. And none give you both.
>
> How hard would it be to let one define assets and assign metrics in the central
> log aggregation database, and do some metric comparisons to put all three
> elements into perspective? Because that is what is really needed...
>
> After years of doing this manually, and often failing, I *feel* the need. And
> so do all of you out there still caring for and feeding your networks...
>
> Why didn't ISS build this function into Fusion? RDG? Maybe it's harder than
> I think. Too bad code I write looks like it came from a pseudo-random-code-generator,
> or I'd take a stab at it myself. Marty? I know you can do this (and
> "this code will be faaast" :)).
>
> BTW// #4, above, has to be dynamic. In mid-to-large size Enterprises, the
> network often changes faster than the security/IDS team can keep up with.
> Manually tuning NIDS in respect to specific assets' vulnerability posture
> _does_not_scale_ at all.
>
> # I think that the data that ends up on the "cutting room floor" after this
> # contextualization process still has value for trending purposes and
>
> Well, that's another important point that deserves its own discussion.
> We need a Security Event Management (SEM) list to discuss centralized
> log collection, aggregation, reporting and forensics...
>
> A far more immature space than NIDS, IMHO.
>
> # This is why I believe that the Gartner guys are clueless, they don't even
> # have a conceptual framework in which to define the problem that they're
> # complaining about so they're obviously unable to conceive of a solution
>
> The PC is Dead!
>
> # Hope some of you found this useful!
>
> As always, thanks. As always, I went on too long, so I will save my
> discussion of the future of NIDS /and/ firewalls and protocol analyzers,
> etc. in an Enterprise using all encrypted channels for its own thread
> at a later date. Hopefully my Bigfoot account will be fixed by then, so
> I can joyously receive all the flames pointing out what an idiot I am...
>
> Good discussion, it's really helped me solidify my thoughts. Cheers,
>
> Arian J. Evans
>
> PS// caveat--since I started writing this tonight, Bennet already brought
> up nCircle and Scott Wimer brought up Mazu in another thread....(see
> my previous post today for more on network policy profilers....).
>
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Ensure Reliable Performance of Mission Critical Applications
> Precisely Define and Implement Network Security and Performance Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at: http://www.captusnetworks.com/ads/31.htm
> ---------------------------------------------------------------------------
>
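An added illustration of the asset valuation (step 3) and event correlation/metric steps (5 and 6) from the methodology quoted above; this is example code written for this page, not code from the original posts or from any vendor named in them. The CAV weighting, the posture factors and the middle-value defaults for unscanned or uninventoried hosts are assumptions, and the inventory, scanner results and alerts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    host: str
    criticality: int  # 1-5: impact if the asset becomes unavailable
    sensitivity: int  # 1-5: impact if its data is disclosed

def combined_asset_value(asset: Asset) -> float:
    """Step 3: CAV = the worse rating in full plus half of the other (assumed weighting)."""
    hi = max(asset.criticality, asset.sensitivity)
    lo = min(asset.criticality, asset.sensitivity)
    return hi + 0.5 * lo

UNKNOWN_ASSET_CAV = combined_asset_value(Asset("?", 3, 3))  # 4.5: uninventoried hosts surface, not vanish

def posture_factor(host, vuln_id, posture):
    """Step 5: scale by the scanner's view; an unscanned host keeps a middle factor."""
    if host not in posture:
        return 0.5, "unscanned-host"
    if vuln_id in posture[host]:
        return 1.0, "vulnerable"
    return 0.1, "not-vulnerable"

def score_events(events, assets, posture):
    """Step 6: severity x posture factor x CAV, highest score first."""
    cav = {a.host: combined_asset_value(a) for a in assets}
    ranked = []
    for ev in events:
        factor, note = posture_factor(ev["host"], ev["vuln_id"], posture)
        value = cav.get(ev["host"])
        if value is None:
            value, note = UNKNOWN_ASSET_CAV, note + ",unknown-asset"
        ranked.append({"host": ev["host"], "sig": ev["sig"], "note": note,
                       "score": round(ev["severity"] * factor * value, 3)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory, scanner results and NIDS alerts (not real data).
ASSETS = [Asset("db01", 5, 5), Asset("web01", 4, 2), Asset("kiosk07", 1, 1)]
POSTURE = {"db01": {"EXAMPLE-VULN-001"}, "web01": set(), "kiosk07": {"EXAMPLE-VULN-002"}}
EVENTS = [  # the same signature on patched web01 should rank below the exposed kiosk
    {"host": "web01", "sig": "EXAMPLE-VULN-002 attempt", "severity": 3, "vuln_id": "EXAMPLE-VULN-002"},
    {"host": "db01", "sig": "EXAMPLE-VULN-001 attempt", "severity": 3, "vuln_id": "EXAMPLE-VULN-001"},
    {"host": "kiosk07", "sig": "EXAMPLE-VULN-002 attempt", "severity": 3, "vuln_id": "EXAMPLE-VULN-002"},
    {"host": "lab99", "sig": "EXAMPLE-VULN-001 attempt", "severity": 4, "vuln_id": "EXAMPLE-VULN-001"},
]

if __name__ == "__main__":
    for r in score_events(EVENTS, ASSETS, POSTURE):
        print(f'{r["score"]:6.1f}  {r["host"]:8}  {r["note"]:28}  {r["sig"]}')
```

The ranking shows why step 4 has to be dynamic: the alert against the patched web server drops to the bottom only because the posture feed says it is not vulnerable, while the never-scanned, never-inventoried lab host is kept visible rather than scored to zero.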