IDS mailing list archives

RE: Views and Correlation in Intrusion Detection


From: Michael Murray <mmurray () ncircle com>
Date: 30 Jun 2003 12:51:12 -0700

Disclaimer: these opinions are entirely my own, and in no way reflect
those of my employer. 

On Thu, 2003-06-26 at 12:17, Paul Schmehl wrote:
> The biggest problem with VA scanners is determining what *really is* a 
> vulnerability.  In some cases the scanner just looks at a banner and says 

Not to be blatantly obvious, but banner checks just don't cut it
anymore.  VA tools need to evolve past simply looking at a banner and
saying "you may be vulnerable".  (I haven't even mentioned the
difficulties inherent in the VA tools that are currently spending all
their time poking around in the Windows registry and reporting
vulnerabilities in services that aren't even running... imagine IDS
correlation with *that* data... ;)   Suffice it to say, some tools are
farther along in this evolution than others.

The requirement for VA to evolve becomes especially evident when we're
talking about moving VA to a point where it acts as a filter for IDS
events.   Sophistication in vulnerability detection methods needs to be
achieved before the data can really be trusted as actionable for any
correlative system.  Because if the VA data can't be trusted to be 100%
(or even 90%) accurate on both the false positives and false negatives,
any correlation is going to be problematic, to say the least.

My $0.02...  

M

-- 
-----------------------------------------------------
| Michael Murray, CISSP          <mmurray () nCircle com>
| Manager - VnE Research Team
| nCircle Network Security

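The point made above, that VA findings can only gate IDS events once the VA verdicts are trustworthy, can be seen in a small correlator. The following is an added example written for this archive page; it is not code from the post's author or from any product, and every host, service, evidence tag and alert below is constructed sample data. It tags each VA verdict with how it was obtained ("banner", "registry" or "verified") and only lets a "not vulnerable" verdict suppress an IDS alert when the evidence is of a kind the operator has decided to trust; a second run that also trusts banner-only verdicts shows a real attack being filtered out.

```python
"""Toy VA-filtered IDS correlator (added example, not from the original post).

VA findings carry an evidence type describing how the verdict was reached.
The correlator suppresses an IDS alert only when VA says the host is NOT
vulnerable AND the evidence type is one we trust. Everything else escalates,
including alerts for hosts VA never looked at.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VaFinding:
    host: str
    service: str
    vulnerable: bool   # the scanner's verdict
    evidence: str      # "banner", "registry" or "verified" (constructed tags)


@dataclass(frozen=True)
class IdsAlert:
    host: str
    service: str
    signature: str
    truly_exploitable: bool  # ground truth, only known here because this is a demo


# Evidence types whose "not vulnerable" verdict is trusted enough to drop an alert.
TRUSTED_EVIDENCE = frozenset({"verified"})

# Constructed sample data: hypothetical hosts and services.
SAMPLE_FINDINGS = [
    # Banner says a fixed version, but the host is actually exploitable (banner false negative).
    VaFinding("10.0.0.1", "http", vulnerable=False, evidence="banner"),
    # Registry says a vulnerable build is installed, but the service is not even running.
    VaFinding("10.0.0.2", "smb", vulnerable=True, evidence="registry"),
    # Scanner actually exercised the check and found the host not vulnerable.
    VaFinding("10.0.0.3", "http", vulnerable=False, evidence="verified"),
]

SAMPLE_ALERTS = [
    IdsAlert("10.0.0.1", "http", "http exploit attempt", truly_exploitable=True),
    IdsAlert("10.0.0.2", "smb", "smb exploit attempt", truly_exploitable=False),
    IdsAlert("10.0.0.3", "http", "http exploit attempt", truly_exploitable=False),
    IdsAlert("10.0.0.4", "http", "http exploit attempt", truly_exploitable=True),  # never scanned
]


def correlate(alerts, findings, trusted=TRUSTED_EVIDENCE):
    """Split alerts into (escalated, suppressed) using VA verdicts as a filter."""
    index = {(f.host, f.service): f for f in findings}
    escalated, suppressed = [], []
    for alert in alerts:
        finding = index.get((alert.host, alert.service))
        if finding is not None and not finding.vulnerable and finding.evidence in trusted:
            suppressed.append(alert)
        else:
            escalated.append(alert)   # vulnerable, untrusted evidence, or no VA data at all
    return escalated, suppressed


def score(escalated, suppressed):
    """Summarise the cost of the filter against the demo's ground truth.

    missed = real attacks the filter silenced (the dangerous error)
    noise  = non-exploitable alerts the filter failed to remove
    """
    missed = sum(1 for a in suppressed if a.truly_exploitable)
    noise = sum(1 for a in escalated if not a.truly_exploitable)
    return {"escalated": len(escalated), "suppressed": len(suppressed),
            "missed": missed, "noise": noise}


def run_demo():
    """Compare a cautious trust policy with one that also trusts banner checks."""
    cautious = score(*correlate(SAMPLE_ALERTS, SAMPLE_FINDINGS))
    trusts_banners = score(*correlate(SAMPLE_ALERTS, SAMPLE_FINDINGS,
                                      trusted=frozenset({"banner", "verified"})))
    return {"cautious": cautious, "trusts_banners": trusts_banners}


if __name__ == "__main__":
    for policy, result in run_demo().items():
        print(policy, result)
```

With only "verified" verdicts trusted, the one real attack against the banner-misjudged host still reaches an analyst and nothing exploitable is lost; the registry-based finding on the non-running service leaves one noisy alert in the queue, which is the cheaper of the two errors. Extending trust to banner verdicts removes that alert's twin on the verified host but also silences the real attack, which is the "problematic correlation" the post warns about. The suppression of alerts for unscanned hosts is deliberately never allowed, since absence of VA data is not evidence of absence of a vulnerability.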

