Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares

Hi Arian,

Comments inline.

> # my thoughts about data quality and event value coming out of NIDS.
>
> Ohhh, *data quality* and *event value*, now we're talking...

True. Unfortunately, defining asset value is one process that can't help but be manual. I suppose you could use some sort of behavioral analysis to locate heavily used servers on a network, but to date I don't know of anyone outside Arbor who has the technical infrastructure for that sort of thing available.

> 2. Lack of value in an Enterprise using predominantly encrypted

This is a tough one and the place where behavioral and statistical methods start to shine. There is infrastructure under development within Snort and other tech that Sourcefire is developing that will establish the informational basis for doing these sorts of things in encrypted environments, I have no doubt that others are looking at similar ideas.

> # Lots of vendors are taking a stab at building the necessary

They definitely had the genesis of the right idea...

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> I've spent a number of years caring and feeding for corporate networks
> including HIDS, NIDS, SEMs (netForensics, Pentasafe VLA, etc.) and
> I know all about the pain and frustration and worthless value of aggregating
> all this data but being able to assign no value to it without tons of manual

Automation is the key here, manual methods don't scale and the information goes stale. In rapidly changing network environments you have to have a system that can work without human intervention and that doesn't rely on aggressive continuous interrogation of the network. Assigning "value" to network elements can be as trivial as assigning arbitrary weights to elements unless you've got a more specific taxonomy of value identifiers that you need to use. How would we define this? Role, exposure, purpose, prominence?

Role:
Server
Client
Infrastructure

Exposure:

Internal-only
External-only
Internal-slanted
External-slanted

Purpose:
Departmental
Enterprise
Customer-facing
Infrastructure (routing & switching separate?)

Prominence:
Primary
Secondary
Tertiary  

(I'm writing this on an airplane at 7AM, please excuse fuzzy thinking...)

That's one possible set of taxonomical identifiers we could use, assigning scores or weights to each identifier and then combining them to identify the CAV of a given network element.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> How hard would it be to let one define assets and assign metrics in the

Once we define what we're going to call things and how we're going to define value, it's not hard at all. I've been thinking about this problem for a while but it's hard to come up with non-subjective terminology. I worry about having the same problems we run into with classification and priorities, there are so many ways to classify things (and priority is the ultimate in contextualization of the data) that we can spin our wheels forever if we're not careful.

> After years of doing this manually, and often failing, I *feel* the need.

Good things come to those who wait. :)

> BTW// #4, above, has to be dynamic. In mid-to-large size Enterprises, the
> network often changes faster than the security/IDS team can keep up with.
> Manually tuning NIDS in respect to specific assets' vulnerability posture
> _does_not_scale_ at all.

Actually, I predict there's going to be a religious battle (probably taking place on this list and others like it) between people advocating passive discovery approaches in contrast to active ones and how effective they are in dynamic environments. Passive approaches allow for automated tuning to take place in ways that can be specifically advantageous over active approaches and I think that this will ultimately prove to be one of the key differentiators of these technologies.

> # I think that the data that ends up on the "cutting room floor" after this

The more data we generate, the more important it will be. I wonder if there are better ways to approach it...

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> Good discussion, it's really helped me solidify my thoughts. Cheers,

Thanks!

      -Marty

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch(at)sourcefire.com - 
http://www.sourcefire.com
Snort: Open Source Network IDS - 
http://www.snort.org


---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: 
http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------