Network Security Focus-IDS

HIDS/HIPS Selection Process

Subject: HIDS/HIPS Selection Process
Date: 9 Jan 2006 17:58:57 -0000
Our company is about to embark on a search for a HIDS/HIPS solution.
We would like something that can be deployed to servers but our primary 
interest is being able to roll it out to all user laptops and possibly even all 
desktops as well.

I am most aware of (I wouldn't say I am familiar with them) Cisco's CSA and 
eEye's Blink offering and am trying to build some sort of methodology for 
testing various HIDS/HIPS options and comparing them against one another.
My initial thought is to have a number of workstations, each installed with its 
own HIDS but an identical image other than that.  I will use our standard 
desktop image which is missing a couple MS Patches and anticipate testing the 
results across all the workstations of working metasploit against known 
vulnerabilities and maybe installing a worm onto a separate machine in this 
isolated environment to see how each deals with it.  Probably also subject each 
host to a nessus or retina scan to see not only what it reveals but also how it 
handles a scan.

Does anyone know if such a document/framework/plan exists (like in the SANS 
reading room or somewhere)?
Do you have any suggestions as to what I should include in my process?  I have 
a basic idea as outlined above which I will begin to refine but the more input 
you can offer me as to what specific measurable constructs I should apply in 
each facet of testing would be appreciated.
Any other products that you would recommend we include in the product survey?
