RE: on NIDS/NIPS tuning

From: Gary Halleen (ghalleen) (ghalleen_at_cisco.com)
Date: 06/16/05

    Date: Thu, 16 Jun 2005 00:03:45 -0700
    To: "Raffael Marty" <rmarty@arcsight.com>, "David Kee" <templeofprs@hotmail.com>

    Marty,

    I agree with you. A modern SIM, like Arcsight or Cisco MARS, is
    designed to perform this type of functionality, and works well for our
    customers. Obviously, tuning the events from the SIM is not optimal
    when deploying an IPS, but it is certainly worthwhile on most IDS
    installations. Customers are able to reduce workload with the
    centralized tuning approach a SIM affords. In addition, this tuning is
    valuable for more than just the IDS, but also firewall and other events.

    Gary
     

    -----Original Message-----
    From: Raffael Marty [mailto:rmarty@arcsight.com]
    Sent: Tuesday, June 14, 2005 2:24 PM
    To: David Kee
    Cc: focus-ids@securityfocus.com
    Subject: Re: on NIDS/NIPS tuning

    David,

    [Disclaimer: I work for a SIM vendor]

    I think today's SIMs should address your needs:

    > I am curious to know what SIM product can handle un-tuned IDS alerts
    > in addition to firewall logs, server logs, and application logs.

    If they provide an agent to parse those logs, this should not be a
    problem. I can only speak for my company where we have agents for all
    these types of sources and more (e.g., AV).

    > How accurate is the list of message ID's and the message parsing?

    As accurate as you want it. I consider it a bug if the fields you want
    parsed do not show up in our normalized event.

    > I doubt that there is
    > a SIM vendor that has a correlation engine that can handle a fraction
    > of the traffic in an average data-center or enterprise network.

    Well. It depends what kind of event load you have. I could start playing
    the numbers game here, but let me refrain from that. I can give you a
    better answer: If you find that one manager (that's what we call our
    server or collector or whatever) is not enough, you can deploy a
    multi-tier setup and roll-up events where needed.

    > Can they provide packaged reporting and alert management?

    Definitely.

    > Flat-file or relational database?

    I am assuming you talk about data storage. You probably won't find a SIM
    that uses flat-files to store the data. You are just missing too many
    features and don't get the performance you need to query.

    > Don't forget about your SOC operators who have to manage the message
    > queue and respond to all of the alerts.

    Event annotation, workflow, all there.

    > You cannot just push
    > traffic to a SIM and have it magically (and accurately) generate some
    > golden nugget message.

    You can have it take action. And I know all the SIMs support this.

    > What are you using to gather vulnerability assessment information

    You import scanner information. There are adapters for vulnerability
    scanners (Foundstone, Qualys, Nessus, you name it).

    > and how is the SIM correlating against that information?

    This is where I can't make a statement about the other SIMs. I know that
    we cross-correlate the incoming events with the vulnerability they
    target and take that into account to come up with the final priority of
    the event.

    > Valid alerts need to be measured against the vulnerability of the
    > device/application (patch levels, hardening, etc).

    That's done in the priority calculation mentioned in the last section.

    Hope this helps...

            -raffy

    -- 
    Raffael Marty, GCIA, CISSP                    raffael.marty@arcsight.com
    Senior Security Engineer                    Content Team @ ArcSight Inc.
    5 Results Way            Cupertino, CA  95014             (408) 864-2662
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
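An added example, not from this thread or any vendor's product, of the priority calculation Raffy describes: normalized IDS events are cross-referenced with imported scanner data, so an alert against a host that is not actually exposed to what the signature exploits drops in priority instead of competing for an operator's attention. The event fields, scoring rules, hosts and vulnerability ids are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed normalized IDS event, as a SIM agent would emit after parsing.
# "targets" lists the vulnerability ids the signature is known to exploit
# (placeholder ids for this example, not real CVE numbers).
@dataclass
class Event:
    sig: str
    dst: str
    dst_port: int
    severity: int          # sensor-assigned base severity, 1 (low) .. 5 (critical)
    targets: tuple = ()

# Constructed vulnerability-scanner import: host -> {(open port, vuln id), ...}
SCAN_DATA = {
    "10.0.0.5": {(80, "vuln-web-A"), (22, "vuln-ssh-B")},
    "10.0.0.6": {(443, "vuln-web-C")},   # nothing on 80, not exposed to vuln-web-A
}

def priority(ev, scan):
    """Return (priority 1..10, reason) by cross-correlating the event with scan data.
    Assumed rules for this example:
      host never scanned                   -> keep roughly the base severity
      host vulnerable to what the sig hits -> maximum priority
      host scanned, target port not open   -> minimum (nothing there to exploit)
      port open but host not vulnerable    -> reduced (service present but patched)
    """
    if ev.dst not in scan:
        return ev.severity * 2 - 1, "unknown exposure: host not in scan data"
    findings = scan[ev.dst]
    open_ports = {port for port, _ in findings}
    vulns = {vid for _, vid in findings}
    if any(t in vulns for t in ev.targets):
        return 10, "target vulnerable per scan"
    if ev.dst_port not in open_ports:
        return 1, "service not present on target"
    return max(1, ev.severity * 2 - 3), "service present but not vulnerable"

def prioritize(events, scan):
    """Annotate every event with (priority, reason) and return highest first."""
    ranked = [(*priority(e, scan), e.sig, e.dst) for e in events]
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed sample alerts: the same exploit signature fired against two hosts.
EVENTS = [
    Event("WEB-EXPLOIT-A", "10.0.0.5", 80, 3, ("vuln-web-A",)),
    Event("WEB-EXPLOIT-A", "10.0.0.6", 80, 3, ("vuln-web-A",)),
    Event("SSL-EXPLOIT-X", "10.0.0.6", 443, 4, ("vuln-ssl-Z",)),
    Event("SCAN-PROBE", "10.0.0.9", 22, 2),
]
```

Running `prioritize(EVENTS, SCAN_DATA)` ranks the alert against the vulnerable host first and the identical signature against the host with no web service last, which is the "where to tune" decision the thread is about made per asset rather than per signature.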
