Re: Gartner is Dead, nCircle, Fusion,asset-correlation--was-->False positives, negatives and don't cares
Anyone else seen Silent Runner in this light?
dcdave
CSO Infosec Group
703 626 6516
----- Original Message -----
From: "Martin Roesch" <roesch@sourcefire.com>
To: <arian.evans@fishnetsecurity.com>
Cc: <focus-ids@securityfocus.com>
Sent: Tuesday, August 12, 2003 10:19 AM
Subject: Re: Gartner is Dead, nCircle, Fusion,asset-correlation--was-->False positives, negatives and don't cares
> Hi Arian,
understand
> > this, and if they do, they don't have the time/skill to properly tune
> > NIDS, correlate events, etc. etc. etc.
> >
> > The Gartner claim is essentially "IDS is dynamic and hard to make
> > work; if we move this function to static perimeter access controls which
> > most people manage successfully, things will be easier."
> >
> > There's a lot of problems with that claim, but I've got two big complaints
> > about NIDS which Gartner didn't touch:
> >
> > 1. Lack of security event correlation to asset value.
>
> True. Unfortunately, defining asset value is one process that can't help to
> locate heavily used servers on a network, but to date I don't know of anyone
> outside Arbor who has the technical infrastructure for that sort of thing and
> other tech that Sourcefire is developing that will establish the
days...)
>
> They definitely had the genesis of the right idea...
aggregating
> > all this data but being able to assign no value to it without tons of manual
> > analysis. It's easier to ignore and go play the patching game...
> >
> > So we have built an IDS deployment methodology at the organization I
> > work for, that the majority of work comes way before deployment or IDS
> > selection. (this is old hat to most of you, so I'll skip the details).
> > Essentially,
(very
> > different).
upon
> > #2.
> > 3. Security Event collection (NIDS, HIDS, SEMs, etc.).
> > 4. Vulnerability Posture collection (ISS, Retina, Nessus, Qualys, whatever).
> > 5. Security Event correlation with Vulnerability Posture and CAV.
> > 6. Security Event metric generation, which is a combination of assigning
> > value
vulnerability
> > posture
both.
>
> Automation is the key here, manual methods don't scale and the information
the
> CAV of a given network element.
three
> > elements into perspective? Because that is what is really needed...
>
> Once we define what we're going to call things and how we're going to define
> value, it's not hard at all. I've been thinking about this problem for a
need.
> > And
than
> > I think. Too bad code I write looks like it came from a pseudo-random-code-generator,
> > or I'd take a stab at it myself. Marty? I know you can do this
> > (and
> > "this code will be faaast" :)).
>
> Good things come to those who wait. :)
the
> > network often changes faster than the security/IDS team can keep up with.
> > Manually tuning NIDS in respect to specific assets' vulnerability posture
> > _does_not_scale_ at all.
taking
> place on this list and others like it) between people advocating passive
key
> differentiators of these technologies.
this
> > # contextualization process still has value for trending purposes and
> >
> > Well, that's another important point that deserves its own discussion.
> > We need a Security Event Management (SEM) list to discuss centralized
> > log collection, aggregation, reporting and forensics...
>
> The more data we generate, the more important it will be. I wonder if there
> are better ways to approach it...
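Editor's added example, not code from this thread and not Sourcefire's or Arbor's: steps 3 through 6 of the methodology quoted above (event collection, vulnerability posture collection, correlation with posture and CAV, metric generation) carried through in working Python. Everything in it is an assumption made for the example: the record layouts, the 1..5 critical asset value scale, the 1..3 rule severity scale, the scoring rule, and the placeholder CVE ids; the sample hosts and alerts are constructed, not captured.

```python
"""Correlate NIDS events with vulnerability posture and critical asset value (CAV).

Editor's added example; not code from the thread, Sourcefire or Arbor.
Record layouts, scales, scoring rule and CVE ids are all assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Alert:
    """One NIDS event, loosely Snort-shaped (assumed layout)."""
    sid: int                    # signature id
    msg: str
    src: str
    dst: str
    dport: int
    severity: int               # 1 (low) .. 3 (high), as set on the rule
    cve: Optional[str] = None   # CVE the rule claims to detect, if any


@dataclass
class HostPosture:
    """What the asset inventory and the VA scanner say about one network element."""
    ip: str
    cav: int                                    # critical asset value, 1 .. 5 (assumed)
    open_ports: set = field(default_factory=set)
    vulns: set = field(default_factory=set)     # CVE ids reported by the scanner


@dataclass(frozen=True)
class Verdict:
    disposition: str    # actionable | likely_fp | dont_care | unknown_asset
    score: int          # 0 for anything not actionable
    reason: str


def correlate(alert: Alert, posture: dict) -> Verdict:
    """Decide whether one event matters, given the target's posture and CAV."""
    host = posture.get(alert.dst)
    if host is None:
        # No inventory record: nothing to weight against, so it needs manual analysis.
        return Verdict("unknown_asset", 0, f"no posture data for {alert.dst}")
    if alert.dport not in host.open_ports:
        # Nothing listens on that port, so the attack cannot have landed.
        return Verdict("dont_care", 0, f"port {alert.dport} closed on {alert.dst}")
    if alert.cve is not None and alert.cve not in host.vulns:
        # Service present but the scanner did not report the flaw: probable false
        # positive. Kept with score 0 so it still counts for trending.
        return Verdict("likely_fp", 0, f"{alert.cve} not reported on {alert.dst}")
    # Actionable: rule severity weighted by asset value; a confirmed vulnerability
    # match doubles the weight (assumed scoring rule).
    score = alert.severity * host.cav
    if alert.cve is not None:
        score *= 2
        reason = f"{alert.cve} confirmed on {alert.dst}, CAV {host.cav}"
    else:
        reason = f"port {alert.dport} open on {alert.dst}, CAV {host.cav}, no CVE to check"
    return Verdict("actionable", score, reason)


def prioritise(alerts, posture):
    """Split events into a ranked work queue and a residue kept for trending."""
    paired = [(a, correlate(a, posture)) for a in alerts]
    queue = sorted((p for p in paired if p[1].disposition == "actionable"),
                   key=lambda p: -p[1].score)
    residue = [p for p in paired if p[1].disposition != "actionable"]
    return queue, residue


# Constructed sample data. The CVE ids are placeholders, not real advisories.
POSTURE = {
    "10.0.1.10": HostPosture("10.0.1.10", cav=5, open_ports={80, 443},
                             vulns={"CVE-0000-0001"}),
    "10.0.1.20": HostPosture("10.0.1.20", cav=2, open_ports={22}),
    "10.0.1.30": HostPosture("10.0.1.30", cav=3, open_ports={80}),
}
SAMPLE_ALERTS = [
    Alert(1001, "WEB exploit attempt", "198.51.100.7", "10.0.1.10", 80, 3, "CVE-0000-0001"),
    Alert(1001, "WEB exploit attempt", "198.51.100.7", "10.0.1.20", 80, 3, "CVE-0000-0001"),
    Alert(1002, "SSH version probe", "198.51.100.7", "10.0.1.20", 22, 1),
    Alert(1001, "WEB exploit attempt", "198.51.100.7", "10.0.1.30", 80, 3, "CVE-0000-0001"),
    Alert(1001, "WEB exploit attempt", "198.51.100.7", "10.0.1.99", 80, 3, "CVE-0000-0001"),
]

if __name__ == "__main__":
    queue, residue = prioritise(SAMPLE_ALERTS, POSTURE)
    for a, v in queue + residue:
        print(f"{v.disposition:13} {v.score:3} sid:{a.sid} {a.src}->{a.dst}:{a.dport}  {v.reason}")
```

The same signature (sid 1001) fires four times in the sample; once the posture and CAV are joined in, only the hit on the critical, confirmed-vulnerable host ranks as actionable, one is a don't-care (port closed), one a likely false positive (service present, flaw not reported), and one lands in the unknown-asset bucket that Arian's point about unvalued data describes. The scoring constants are arbitrary; what matters is that the scale and the categories are defined once, so the rest is automatable.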
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
Received on Wed Aug 13 09:47:56 2003
This archive was generated by hypermail 2.1.8
: Wed Aug 23 2006 - 14:01:17 EDT