It's not a secret that by means of behavior analysis security manager can
discovery a lot of different security issues in LAN. Simple behavior
analysis can be done with help of NetFlow - information about sources,
destinations, ports and amount of traffic. In behavior based IDS it's
possible to create profiles for systems (which mean that the system is
working properly) and then analyst can look through deviations between
profile and current system behavior...
As RNE (or RGS and Proventias) is stateful IDS, it stores connections table
and, of course, knows information about sources, destinations, ports,
amount of bytes, packets, protocol types, etc. The only problem is that
sensor does not show this information to admin (AFAIK such statistics can
be seen in Proventa, I'm not sure, but this information is not stored
anywhere for further analysis), but this is VERY useful information of
forensic analysis (the only we can see now is sensor_statistics event which
can be used to get to know how sensor feels itself). So, the desired
enhancement is to store information about hosts, amount and type of traffic
between them in RealSecureDB so that such info would be available from SP
Console.
Does ISS plan to realize such functionality?
It's very important and from marketing point of view, because only
signature based IDS now are not able to detect and prevent propagation of
modern types of malware (i.e. bots, adware, etc.
Thanks.
Any feedback will be highly appreciated.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
