
RE: Views and Correlation in Intrusion Detection

From: Kohlenberg, Toby <toby.kohlenberg(at)intel.com>
Date: Wed Jun 25 2003 - 13:30:27 EDT


All opinions are my own and in no way reflect the views of my employer

> -----Original Message-----

I'd agree, any attack is worth being aware of. After all, the next attack
that source uses might not be known by your IDS and might succeed. The
question is, what do you do with that information? I'd argue for a split
approach: for attacks where the server is vulnerable, these should be
highlighted and made very obvious in the console; for attacks where you
either aren't vulnerable or where there is some question about whether it
is a false positive, the attacker is added to a watchlist automatically and
if more events come from them, the priority is raised.

This gives you sufficient awareness of attacks that you aren't vulnerable to
and clear visibility for attacks that you are vulnerable to.

> The most prominent reason that I don't consider this solution, however,
> is that it would be ridiculously difficult, if not impossible, to
> identify every server on the network here. I don't even know how many
> servers we have, let alone what OS, patch level, and services they have.
> There are tools being developed to passively scan the network and try to
> determine these things, but the ones I've seen cost a small fortune.

Yup, and the passive ones don't really tell you much about vulnerability, and they can impact your production environment (can you spell "crash", boys and girls? I knew you could) if they aren't passive.

toby
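The split approach described in the reply above, written out as a small alert correlator. This is an added example, not code from the original post or from any IDS product; the asset inventory, alert fields, signature names, addresses and the watchlist threshold are all constructed for illustration, and treating a host that is missing from the inventory as "not known vulnerable" is an assumption made here to cover the "we don't know what servers we have" case from the quoted message.

```python
"""Added example (not from the original post): a minimal alert correlator
implementing the split approach from the reply above.

- Alert against a host known to be vulnerable to that signature, with a
  trustworthy signature: flag HIGH immediately for the console.
- Otherwise (host not vulnerable, host unknown, or signature prone to
  false positives): put the source on a watchlist; once the source has
  produced enough watchlisted events, raise the priority.

Everything below (inventory, field names, thresholds, sample alerts) is
constructed for illustration and is not any IDS's real format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: host -> signature IDs it is known to be exposed to.
# Hosts absent from the map are "unknown" (assumption: treat as not known vulnerable).
VULNERABLE_TO = {
    "10.0.0.5": {"SIG-IIS-UNICODE"},  # constructed: unpatched IIS box
    "10.0.0.9": set(),                # constructed: Apache host, exposed to nothing listed
}

WATCHLIST_THRESHOLD = 3  # assumed: events before a watchlisted source is escalated


@dataclass
class Alert:
    src: str          # attacking source address
    dst: str          # targeted server
    sig: str          # IDS signature ID
    confident: bool   # False = signature is known to false-positive often


class Correlator:
    def __init__(self, inventory, threshold=WATCHLIST_THRESHOLD):
        self.inventory = inventory
        self.threshold = threshold
        self.watchlist = defaultdict(int)  # src -> number of watchlisted events

    def is_vulnerable(self, dst, sig):
        # Unknown hosts return an empty set, so they fall through to the watchlist.
        return sig in self.inventory.get(dst, set())

    def process(self, alert):
        """Return the console priority for one alert and update the watchlist."""
        if alert.confident and self.is_vulnerable(alert.dst, alert.sig):
            return "HIGH"  # vulnerable target: make it obvious in the console
        # Not vulnerable, unknown host, or questionable signature: watch the source.
        self.watchlist[alert.src] += 1
        if self.watchlist[alert.src] >= self.threshold:
            return "MEDIUM"  # repeat offender: priority raised from the watchlist
        return "LOW"


def run_sample():
    """Feed a constructed sequence of alerts through the correlator."""
    c = Correlator(VULNERABLE_TO)
    sample = [
        Alert("203.0.113.7", "10.0.0.5", "SIG-IIS-UNICODE", True),   # vulnerable -> HIGH
        Alert("203.0.113.7", "10.0.0.9", "SIG-IIS-UNICODE", True),   # not vulnerable -> watch
        Alert("203.0.113.7", "10.0.0.9", "SIG-CGI-PHF", True),       # not vulnerable -> watch
        Alert("203.0.113.7", "10.0.0.12", "SIG-CGI-PHF", True),      # unknown host, 3rd hit -> raised
        Alert("198.51.100.4", "10.0.0.5", "SIG-IIS-UNICODE", False), # noisy signature -> watch
    ]
    priorities = [c.process(a) for a in sample]
    return priorities, dict(c.watchlist)


if __name__ == "__main__":
    prios, watch = run_sample()
    for p in prios:
        print(p)
    print(watch)
```

The point of the watchlist counter is that a source which keeps probing hosts you believe are safe still surfaces in the console, just later and at a lower priority than a hit on a host you know is exposed; tuning the threshold is what trades off noise against how quickly a persistent source gets noticed.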



Received on Thu Jun 26 14:22:21 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT

