Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares
From: Arian J. Evans (arian.evansbigfoot.com)
Date: Tue Aug 12 2003 - 01:08:14 CDT
Apology for bounces; Bigfoot killed my account again for some
unknown reason, so if you reply please leave my work address on
the cc: line...thanks,
# Just following up the "IDS is dead, etc" thread
Before I get to the point, let's take Gartner in context. For a good
chuckle, go back and read the "PC is Dead" and "Thin is In" Gartner
reports from '98-'99 time period. By 2001, we are all replacing our
PCs with Thin or NC computing. Anyone remember the big conferences
in Florida aspisland.com had? Ooops, looks like that domain isn't
what it used to be...
Anyway, by Gartner prophecy...Citrix, Oracle NC, and Sun Java terms
are the future. The PC is definitely dead, and we are all chasing the
white unicorn of network computing (NC).
Funny, it's 2003+1/2, and I use Citrix and I use Java and I still have
all these damned PCs I use every day. Not a WYSE Winterm to be
found around me... Or a nearby NC ASP.
So let's chalk the Gartner thing up to awesome insight, and move on...
# my thoughts about data quality and event value coming out of NIDS.
Ohhh, *data quality* and *event value*, now we're talking...
I think you're spot on about the confusion regarding false positives
and non-security events, etc. I think a lot of us fully agree with you.
I know _a_lot_ of people out there in the real world still don't understand
this, and if they do, they don't have the time/skill to properly tune
NIDS, correlate events, etc. etc. etc.
The Gartner claim is essentially "IDS is dynamic and hard to make
work; if we move this function to static perimeter access controls which
most people manage successfully, things will be easier."
There's a lot of problems with that claim, but I've got two big complaints
about NIDS which Gartner didn't touch:
1. Lack of security event correlation to asset value.
2. Lack of value in an Enterprise using predominantly encrypted
channels of communication (I just ran into this one in a big way).
# Lots of vendors are taking a stab at building the necessary
# software to apply this sort of context to that data coming out of NIDS
Where is nCircle? They should be guru at this, having probably the
oldest model for doing this. <sigh> (Hi John F., from the old UCU days...)
I've spent a number of years caring and feeding for corporate networks
including HIDS, NIDS, SEMs (netForensics, Pentasafe VLA, etc.) and
I know all about the pain and frustration and worthless value of aggregating
all this data but being able to assign no value to it without tons of manual
analysis. It's easier to ignore and go play the patching game...
So we have built an IDS deployment methodology at the organization I
work for, that the majority of work comes way before deployment or IDS
selection. (this is old hat to most of you, so I'll skip the details).
the primary things that need to happen are:
1. Asset Identification.
2. Asset Classification, with regards to Criticality and Sensitivity (very
3. Asset Valuation: create a combined asset value (CAV) metric based upon
3. Security Event collection (NIDS, HIDS, SEMs, etc.).
4. Vulnerability Posture collection (ISS, Retina, Nessus, Qualys, whatever).
5. Security Event correlation with Vulnerability Posture and CAV.
6. Security Event metric generation, which is a combination of assigning
metrics to the security event, and factoring it against the vulnerability
and CAV metrics of given asset(s).
Aside from nCircle, IDS vendors are just getting around to about 50% of
ISS has Fusion, and Sourcefire will have RNA soon. The SEM vendors have
been "correlating" events for some time, but no one seems to have taken
the most important approach:
Organizations need a smart, effective, and automatic way to correlate
events with *BOTH* the vulnerability posture and the actual value of the
The vast majority of host and network based audit tools, vuln scanners,
and SEMs give you slim to none ability to define a CAV and compare it to
either vulnerability posture, or security events. And none give you both.
How hard would it be to let one define assets and assign metrics in the
log aggregation database, and do some metric comparisons to put all three
elements into perspective? Because that is what is really needed...
After years of doing this manually, and often failing, I *feel* the need.
so do all of you out there still caring for and feeding your networks...
Why didn't ISS build this function into Fusion? RDG? Maybe it's harder than
I think. Too bad code I write looks like it came from a pseudo-random-code-
-generator, or I'd take a stab at it myself. Marty? I know you can do this
"this code will be faaast" :)).
BTW// #4, above, has to be dynamic. In mid-to-large size Enterprises, the
network often changes faster than the security/IDS team can keep up with.
Manually tuning NIDS in respect to specific assets' vulnerability posture
_does_not_scale_ at all.
# I think that the data that ends up on the "cutting room floor" after this
# contextualization process still has value for trending purposes and
Well, that's another important point that deserves it's own discussion.
We need a Security Event Management (SEM) list to discuss centralized
log collection, aggregation, reporting and forensics...
A far more immature space than NIDS, IMHO.
# This why I believe that the Gartner guys are clueless, they don't even
# have a conceptual framework in which to define the problem that they're
# complaining about so they're obviously unable to conceive of a solution
The PC is Dead!
# Hope some of you found this useful!
As always, thanks. As always, I went on too long, so I will save my
discussion of the future of NIDS /and/ firewalls and protocol analyzers,
etc. in an Enterprise using all encrypted channels for its own thread
at a later date. Hopefully my Bigfoot account will be fixed by then, so
I can joyously receive all the flames pointing out what an idiot I am...
Good discussion, it's really helped me solidify my thoughts. Cheers,
Arian J. Evans
PS// caveat--since I started writing this tonight, Bennet already brought
up nCircle and Scott Wimer brought up Mazu in another thread....(see
my previous post today for more on network policy profilers....).
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm