IDS mailing list archives
Re: Towards a sound IDS Value Methodology--was-->Gartner is Dead, nCircle, Fusion, asset-correlation...
From: Anton Chuvakin <anton () chuvakin org>
Date: Fri, 22 Aug 2003 10:48:32 -0400 (EDT)
Arian and all,
> My main criticism is that today's security tools do not allow you to *define* and *compare* these essential metrics, regardless of how they are gathered and assigned.

Oh, I see. I can give you a tool which will let you define values for all your 34,957 machines using a nice friendly GUI. Will you be happy? I doubt it. In other words, I agree that few tools do that, but the question of how to do it right seems a bit more important to me.

> In the methodology I proposed, the majority of information gathering regarding asset value is manual.

So, while Marty shared some of his insights on the subject, the proposed approach (IMHO) replaces the need to define one fuzzy parameter - value (which is hard) - with the need to define several less but still fuzzy parameters - role, exposure, purpose, prominence. While some of them are easy to define (such as a role), others seem pretty tricky to me (e.g. "oh, this box has a prominence of 5, but that other one is 11"...), thus the problem is not really solved. I do see the measure of how actively the system is used as a valid metric (and we are thinking of some neat methods to use it), but it is obviously not a replacement for a value. To add insult to injury, in a large company any "value definition project" will not be handled by a single person. Thus, several people will impose their subjective AND different opinions on what value should be, thus screwing the system big time (technically speaking :-)). Such methods don't seem to scale. You might think that you know that your www server is 3.72 times more valuable to you than the ftp server, but what about extending this to many more boxes?

> factor *one's* defined metrics against vuln posture and threat status.

Yeah, sure, once the value is there, the rest is relatively easy: events + value + vuln.

> That's my/our problem, and I'm not asking software vendors to solve for this need. Yet. :~)

Ok, but how would you approach it, in general? Are you going to ask the resource owners? Company execs? Insurance companies? ...?

> a) Human beings are likely to assign incorrect values to assets

Sure. For the simple reason of "correct" being undefined.

> b) Assigning incorrect values to assets presents more risk than assigning no values to assets

Likely so, a wrong value will cause some important events to be deprioritized and thus missed - here is your increased risk.

> a) HB can assign values to assets w/>50% accuracy.
v = (int) rand() * 100; :-)

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit: www.blackhat.com
---------------------------------------------------------------------------
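As an added illustration (not code from the thread or its participants) of the "events + value + vuln" prioritization and of the missed-event risk that a wrong asset value creates, the following scores IDS events by severity weighted with a hand-assigned asset value and discounted when the vulnerability scan says the host is not affected, then compares the analyst's review window under correct and under mis-assigned values. Asset values, hosts and event names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    sig: str            # IDS signature name (constructed label)
    severity: int       # 1 (low) .. 5 (high), from the IDS
    vuln_applies: bool  # does the vuln scan say this host is affected?


# Constructed asset values on a 1..10 scale, as one person assigned them.
ASSET_VALUE_CORRECT = {"www": 10, "ftp": 3, "devbox": 1}
# The same assets as valued by a second person: the www server under-valued.
ASSET_VALUE_WRONG = {"www": 2, "ftp": 3, "devbox": 1}

# Constructed sample events for one review period.
EVENTS = [
    Event("www", "http server overflow", 5, True),
    Event("ftp", "ftp anonymous login", 2, True),
    Event("devbox", "portscan", 3, False),
    Event("ftp", "ftp format string", 5, True),
]


def score(ev, asset_value):
    """events + value + vuln: IDS severity weighted by asset value, with events
    whose vulnerability does not apply to the host discounted to 20%."""
    applicability = 1.0 if ev.vuln_applies else 0.2
    return ev.severity * asset_value[ev.host] * applicability


def rank(events, asset_value):
    """Events ordered for analyst review, highest score first."""
    return sorted(events, key=lambda e: score(e, asset_value), reverse=True)


def missed_critical(events, true_values, used_values, top_n):
    """Events that belong in the top-N under the true asset values but fall
    outside the analyst's top-N review window when the used values are wrong.
    A non-empty result is the 'deprioritized and thus missed' risk."""
    truly_critical = set(rank(events, true_values)[:top_n])
    reviewed = set(rank(events, used_values)[:top_n])
    return sorted(truly_critical - reviewed, key=lambda e: e.sig)


if __name__ == "__main__":
    for ev in rank(EVENTS, ASSET_VALUE_WRONG):
        print(f"{score(ev, ASSET_VALUE_WRONG):5.1f}  {ev.host:7}  {ev.sig}")
    print("missed:", [e.sig for e in missed_critical(
        EVENTS, ASSET_VALUE_CORRECT, ASSET_VALUE_WRONG, top_n=1)])
```

With the under-valued www server, the overflow against it drops from first to second place, so an analyst who only works the single top event misses it; widening the window to two events hides the error again, which is why the mis-valuation is hard to notice in practice.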
Current thread:
- False positives, negatives and don't cares Martin Roesch (Aug 11)
- Re: False positives, negatives and don't cares Bennett Todd (Aug 11)
- Re: False positives, negatives and don't cares Martin Roesch (Aug 12)
- Re: False positives, negatives and don't cares Paul Schmehl (Aug 12)
- Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Arian J. Evans (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Mike Coliton (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Martin Roesch (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Anton A. Chuvakin (Aug 21)
- Towards a sound IDS Value Methodology--was-->Gartner is Dead, nCircle, Fusion, asset-correlation... Arian J. Evans (Aug 25)
- Re: Towards a sound IDS Value Methodology--was-->Gartner is Dead, nCircle, Fusion, asset-correlation... Anton Chuvakin (Aug 25)
- Re: False positives, negatives and don't cares Bennett Todd (Aug 11)