Network Security Focus-IDS

RE: RE: Tuning false positives - SIM is not the answer

Subject: RE: RE: Tuning false positives - SIM is not the answer
Date: Wed, 28 Dec 2005 23:42:02 -0800
That is correct with most SIM products, Rassel, but not with the new
generation of products.

A key feature of the new generation SIM is awareness of the network
topology.  

Consider the case of a firewall generating many millions of events per
day, as well as an IDS sitting outside the firewall, which is also
probably generating hundreds of thousands, or millions of events.  A SIM
that understands the topology also knows that the firewall sits between
the IDS and the host under attack.  A traditional SIM will do as you
say, and give you good reports and pretty pictures.  A topology-aware
SIM uses those IDS events to classify the traffic that both passes and
is blocked by the firewall.  When the IDS sends events that identify
Blaster.C worm, and the firewall sends events that show TCP/4444 is
blocking the same traffic, then those events can be automatically
removed from the analyst's initial view, while still being available for
review if needed.  MARS refers to these as System-Determined
False-Positives.

You can use the same capabilities to see that web-based attacks are not
actually causing damage to the target host by monitoring things like the
web server's logs, antivirus, host IDS, or system/security logs.  These
capabilities are useful everywhere there are additional security or
network devices between the target and source of an attack that are
configured to log to the SIM.  

Additionally, when you do need to tune (and I'm not saying that a good
SIM completely removes the need to tune, just that it reduces the need),
often it makes more sense to tune all security devices centrally, at the
SIM, rather than at each security device.

Integration with vulnerability assessment systems increases the
intelligence a good SIM has.  This additional knowledge allows the SIM
to raise/lower the severity of an incident, or filter the events, based
on whether it appears that the target is vulnerable to an attack.  MARS
currently uses an internal Nessus (v2) scanner, but also will integrate
with several third-party VA systems if you'd rather use one of them.

There are several good SIM products on the market.  You'll find a wide
range in prices and capabilities, but it is worth investing in one if
you haven't already.  I like MARS, and am more familiar with it than
some of the others, and used it prior to Cisco acquiring Protego
Networks last year, as well as since then.



-----Original Message-----
From: rassel_k@hotmail.com [mailto:rassel_k@hotmail.com] 
Sent: Wednesday, December 28, 2005 10:45 PM
To: focus-ids@securityfocus.com
Subject: Re: RE: Tuning false positives - SIM is not the answer

SIM systems are nice. They give great graphical views and good methods
of drilling in to the info. However they are not able to do anything
about cutting down the amount of false positives, tuning the IPS is
still a must.
SIM systems have nothing to do with the fact that your IDS/IPS gets 300,000
alerts per day. It'll just sum it up nicely for you so you don't read
them one at a time, however if some of them are for real attacks and
others from misconfigured network devices you're bound to miss the real
attacks.
SIM will help you see trends, not find targeted attacks, and if you want
your IPS to work, you have to make a choice: lots of alarms catching
lots of false positives (sometimes 80%-90% of alerts) or fewer alarms
accepting you may be missing some of the more interesting attacks
(either targeted or just stuff that gets too many false alarms in your
specific environment).
You should use a SIM, but don't expect it to solve the problem of
configuring and analyzing your alarms, this problem is as old as
detection systems.

Just my $0.02
Rassel

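The two mechanisms described in the reply above, topology-aware suppression of IDS alerts that a downstream firewall already blocked ("system-determined false positives") and vulnerability-assessment data used to raise or lower incident severity, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the post, from MARS or from any other SIM product. The topology map, the VA results, the signature-to-service tags and all event records are constructed sample data, and the field names and the five-second correlation window are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    """One normalized log record as a SIM would store it (constructed schema)."""
    ts: int        # seconds since epoch (constructed values below)
    device: str    # reporting device name
    kind: str      # "ids" for sensor alerts, "fw" for firewall connection logs
    src: str
    dst: str
    dport: int
    detail: str    # IDS signature name, or firewall action ("deny"/"permit")


@dataclass
class Incident:
    alert: Event
    severity: str
    suppressed: bool = False          # hidden from the analyst's initial view
    reason: str = ""
    evidence: List[Event] = field(default_factory=list)


# Topology model (assumption): for each protected host, the enforcement
# devices that sit between the IDS sensor and that host. A host on the
# sensor's own segment has no firewall in the path, so a "deny" logged by
# fw-edge cannot explain away an alert against it.
TOPOLOGY: Dict[str, List[str]] = {
    "10.0.5.20": ["fw-edge"],
    "10.0.5.21": ["fw-edge"],
    "192.168.1.9": [],
}

# Vulnerability assessment results (constructed): host -> vulnerable service tags.
# Hosts absent from the map were never scanned, so nothing is inferred for them.
VA_RESULTS: Dict[str, Set[str]] = {
    "10.0.5.20": {"msrpc-dcom"},
    "10.0.5.21": set(),
}

# Hypothetical mapping from IDS signature names to the VA tag they exploit.
SIG_TO_TAG: Dict[str, str] = {
    "WORM Blaster.C": "msrpc-dcom",
    "WEB-IIS cmd.exe access": "iis-cmd",
}

WINDOW_SECONDS = 5  # assumed max skew between sensor and firewall clocks


def find_block(alert: Event, fw_events: List[Event],
               topology: Dict[str, List[str]]) -> Optional[Event]:
    """Return the firewall deny that covers this alert's flow, if the firewall
    is actually in the path between the sensor and the target host."""
    in_path = topology.get(alert.dst, [])
    for fw in fw_events:
        if fw.device not in in_path or fw.detail != "deny":
            continue
        same_flow = (fw.src, fw.dst, fw.dport) == (alert.src, alert.dst, alert.dport)
        if same_flow and abs(fw.ts - alert.ts) <= WINDOW_SECONDS:
            return fw
    return None


def adjust_severity(alert: Event, va: Dict[str, Set[str]],
                    sig_to_tag: Dict[str, str]) -> str:
    """Raise severity when VA shows the target exposes the attacked service,
    lower it when the target was scanned and does not; otherwise keep default."""
    tag = sig_to_tag.get(alert.detail)
    scanned = va.get(alert.dst)
    if tag is None or scanned is None:
        return "medium"
    return "high" if tag in scanned else "low"


def correlate(events: List[Event]) -> List[Incident]:
    ids_alerts = [e for e in events if e.kind == "ids"]
    fw_events = [e for e in events if e.kind == "fw"]
    incidents = []
    for alert in ids_alerts:
        inc = Incident(alert=alert, severity=adjust_severity(alert, VA_RESULTS, SIG_TO_TAG))
        block = find_block(alert, fw_events, TOPOLOGY)
        if block is not None:
            inc.suppressed = True   # kept for review, removed from the initial view
            inc.reason = f"system-determined false positive: denied by {block.device}"
            inc.evidence.append(block)
        incidents.append(inc)
    return incidents


def analyst_view(incidents: List[Incident]) -> List[Incident]:
    return [i for i in incidents if not i.suppressed]


def run_demo() -> List[Incident]:
    # Constructed sample events: one Blaster attempt the edge firewall denies,
    # one that reaches an unaffected host, and one web attack against a host
    # that fw-edge does not protect (so its deny is not evidence of a block).
    events = [
        Event(1000, "ids-outside", "ids", "198.51.100.7", "10.0.5.20", 4444, "WORM Blaster.C"),
        Event(1001, "fw-edge", "fw", "198.51.100.7", "10.0.5.20", 4444, "deny"),
        Event(1010, "ids-outside", "ids", "198.51.100.7", "10.0.5.21", 4444, "WORM Blaster.C"),
        Event(1020, "ids-outside", "ids", "203.0.113.5", "192.168.1.9", 80, "WEB-IIS cmd.exe access"),
        Event(1021, "fw-edge", "fw", "203.0.113.5", "192.168.1.9", 80, "deny"),
    ]
    return correlate(events)


if __name__ == "__main__":
    for inc in run_demo():
        flag = "SUPPRESSED" if inc.suppressed else "SHOW"
        print(f"{flag:10} {inc.severity:6} {inc.alert.detail} -> {inc.alert.dst}:{inc.alert.dport} {inc.reason}")
```

Note the two checks in `find_block`: the flow tuple and time window alone are not enough, because a deny logged by a firewall that is not between the sensor and the target says nothing about whether the packet reached the host. That path check is what the reply means by a SIM that "understands the topology"; without it the third alert would be wrongly suppressed.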
------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

