RE: VA/IDS Integration (Was: RE: re[2]: Intrusion Risk Assessment)

Good list. Also other interesting tidbits to note:

• Much of the bleeding edge functionality deployed comes from integration work done by the security pros and not from the off-the-shelf software; the scanners out there today widely vary in how easy a motivated consultant can add these kind of tie-ins. E.g., NetIQ Security Analyzer does a great job with comprehensive XML support in making doing this kind of integration a breeze whereas some other scanners make you deal with unformatted log files or undocumented databases (I'm not endorsing or denigrating any of these products as a whole, just this is a nice feature others would be well-served to emulate).
• ISS Internet Scanner has a feature "ActiveAlert" that will directly send high-priority vulnerabilities directly to their RealSecure console as an alert.

Also worth noting is that while most of the solutions out today work at the correlation level (taking output from VA and using it to hone-in on IDS results), there is also a lot of potential value in building the relationships between these products at the engine-level. Some of the areas people are working on yet haven't found the way into most VA or IDS solutions yet:

• Actively launching scans to validate vulnerabilities (technically easy, though it has a host of potential security, dos, and network performance problems that have led most vendors to stick with the easier correlation solution for now)
• Inspecting traffic from hosts/services in the IDS for vulnerability assessment (you touched on this with banners, though from an integration perspective admins often use IDS today to identify 'policy violation' vulnerabilities and you can dig much deeper into watching the actual activity of a service to identify its vulnerabilities).
• Target-based IDS (TIDS) where the IDS is actively reconfigured to monitor and prioritize for exploitation of actual vulnerabilities based on vulnerability assessment data. (see http://lists.insecure.org/lists/ids/2000/Jul/0119.html).
• Using network change detection, from active probes (e.g. Tripwire for Network Devices) and/or passive monitoring (e.g. carefully crafted IDS policies or flow-based IDS, also Securify might fall in here) to detect changes that might fall into the 'potential vulnerability' category.
• VDS (vulnerability detection systems) that operate in the same continuously monitoring manner as an IDS but are monitoring for vulnerabilities and not intrusions, and by nature have a look and feel that is much more IDS than scanner.

-Dave

-----Original Message-----
From: Ron Gula [mailto:rgula@tenablesecurity.com] Sent: Wednesday, January 08, 2003 11:34 PM To: focus-ids@securityfocus.com
Subject: re[2]: Intrusion Risk Assessment

There are several systems available out there where the relationship between vulnerability
assessment (VA) and Intrusion detection/prevention is leveraged.

• ISS Site Protector can fuse ISS Scanner and ISS Real Secure information together such that you can ignore events from ISS RealSecure that you are not vulnerable to.
• Several NIDS consider service banners for some of their attack checks. NFR and Intruvert do this where possible. Many of the NIDS (like Snort, Dragon and ISS) have signatures to look for specific vulnerabilities as well.
• Our Lightning Console correlates Nessus vulnerabilities with ISS, Snort, Dragon and Bro alerts such that end users only get alerts when their systems have a correlation of a known IDS event and a vulnerability. (Sorry for the plug, but felt it was relevant)
• nCircle has an appliance that does VA/IDS correlation as well.
• Cisco recently acquired a company named Psionic which had a product that looked at logs from ISS and Netranger and then quickly verify that the targeted systems

were indeed vulnerable

There are probably more coming ...

(apologies to any vendor that I either forgot or misrepresented)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

When I was involved with the Dragon IDS, I did not like any of the scoring
systems that were
out there. I've seen a lot, and each is good for a specific environment.

The two big problems
were setting up a scoring system for a given environment and getting rid of
creeping false
positives. Because of this, I was really interested in writing signatures
that looked for evidence
of a compromise or a successful attack. My thought was that you either had
an attack or you
did not, because there was to much grey area in between. Integrating vulnerabilities together
with intrusion data is the first step.

Ron Gula, CTO
Tenable Network Security
http:\\www.tenablesecurity.com

At 04:52 PM 1/8/2003 +0000, Richard Bennison wrote:
> > The problem with this is, define "damage." IDS systems are not

>no current IDS could ever be cognizant of) as well as the role of that
>machine.
> <
>
>Accounting for the string above, this is where the relationship between
>vulnerability assessment (VA) and Intrusion detection/prevention (IDP)
>becomes key. If a NIDS or HIDS is aware of the nature of the system(s)
it
>is protecting then it can respond relative to the liability of the
system
>to the attack.
can
>respond based on patch liability or services running on the box i.e.
IIS
>attacks on Apache, if the IDP knows that the box is not running IIS (or
is
>running IIS patched) why would it need to block/report the attack. As
such
>if you impliment a VA/IDP interaction that scans systems and primes IDP
to
>react appropriately then a score may be applied to each attack per
system.
>There is a system out there that does this, let me know if you want
more
>details.
>
>Rich
Received on Fri Jan 10 18:12:16 2003