IDS mailing list archives

RE: Views and Correlation in Intrusion Detection


From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 26 Jun 2003 14:17:15 -0500

The biggest problem with VA scanners is determining what *really is* a vulnerability. In some cases the scanner just looks at a banner and says something like - oh, this is running WuFTPD. That's obviously bad - when in reality the box is patched to current and not vulnerable.

The other biggest gripe I have is the warnings about stuff like NetBIOS. Yes, we allow that inside our network! And I really don't want to know that it's a weakness. We block it at the edge. Now, if a Windows box is missing a patch or a service pack, *that* I would like to know, but very few VAs that I've seen, tried or read about will do that.

They generate a ream of reports - there's no doubt about that, but again it's the problem of information overload. I really don't have time to read through 1700 pages of warnings. Just tell me the boxes that aren't patched and are therefore vulnerable.

At least highlight the serious stuff for me so I can concentrate on the biggest problems first.

If you're going to tie in current VA technology with current IDS technology and correlate the information, I suspect it's going to be more useful than what we presently have but a lot less useful than it *should* be.

ISTM that *somebody* in the vendor community ought to be getting the message that what we need is something that will tell us where the major risks are and what they are. If I *knew* where every unpatched box was, I could fix the problem - at least I'd know what the problem was and where it was located. If I *knew* that an IMAP buffer overflow attack was hitting a box running a vulnerable version of Wu-IMAPD, then I wouldn't mind getting a page and getting up in the middle of the night.

The best tools that I have in my arsenal right now are the SQLScan utility from Foundstone and Shareenum from sysinternals. At least with those I know exactly where a problem is and what to do about it. I run those every week, and it helps to keep our network problems to a minimum.

Too much of security work is still manual labor and massive amounts of reading.

--On Wednesday, June 25, 2003 11:40:49 AM -0400 Ron Gula <rgula () tenablesecurity com> wrote:

> This is exactly what the Lightning Console does. In addition, the console
> also 'knows' who owns the targeted systems and can send an alert to the
> affected end users when an IDS event targets a vulnerable server.
>
> The big issue I have with VA/IDS correlation is the accuracy of the
> underlying VA database. If you are just scanning once a quarter or even
> once a month, this VA database can get out of date fast. Our approach
> is to use distributed scanning (multiple, tiered Nessus scanners) so you
> can scan a class B in hours. We also are BETA testing a passive
> vulnerability scanner which determines vulnerabilities and topology
> changes from watching network sessions.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
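The two points the thread makes about VA/IDS correlation (page only when the IDS event targets a host the VA data shows is actually vulnerable, and do not trust a VA record that is too old to say "not vulnerable") can be shown in a few lines. The following is an added example written for this archive page; it is not code from either poster, from Nessus, or from the Lightning Console. It assumes a VA inventory keyed by hostname that records the vulnerability identifiers the last scan confirmed and when that scan ran, and IDS events that carry the identifier their signature is written for. The hostnames, identifiers, timestamps and the seven-day freshness limit are all constructed for illustration.

```python
"""Correlate IDS events against a VA inventory with a freshness check.

Added example for this archive page; not code from the thread, Nessus
or the Lightning Console. Hosts, vuln ids and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VaRecord:
    host: str
    vulns: frozenset       # vulnerability ids the last scan confirmed
    scanned_at: datetime   # when that scan ran


@dataclass(frozen=True)
class IdsEvent:
    src: str
    dst: str
    signature: str
    vuln_id: str           # vulnerability the signature is written for


# Assumption: VA data older than this cannot vouch that a host is patched.
MAX_VA_AGE = timedelta(days=7)


def correlate(event: IdsEvent, inventory: dict, now: datetime,
              max_age: timedelta = MAX_VA_AGE) -> str:
    """Return a disposition: 'page', 'log', 'rescan' or 'unknown-host'."""
    rec = inventory.get(event.dst)
    if rec is None:
        return "unknown-host"          # never scanned: cannot say either way
    if now - rec.scanned_at > max_age:
        return "rescan"                # stale VA data: do not trust "not vulnerable"
    if event.vuln_id in rec.vulns:
        return "page"                  # attack matches a confirmed hole
    return "log"                       # attack seen, host known patched


def triage(events, inventory, now, max_age=MAX_VA_AGE):
    """Bucket events by disposition, keeping their original order."""
    buckets = {"page": [], "log": [], "rescan": [], "unknown-host": []}
    for ev in events:
        buckets[correlate(ev, inventory, now, max_age)].append(ev)
    return buckets


# Constructed sample inventory and IDS events (not real hosts or scans).
NOW = datetime(2003, 6, 26, 14, 0)
INVENTORY = {
    "mail.example.edu": VaRecord("mail.example.edu",
                                 frozenset({"wu-imapd-bof"}),
                                 NOW - timedelta(days=2)),
    # Banner says WU-FTPD, but the scan confirmed it is patched: no vulns.
    "ftp.example.edu": VaRecord("ftp.example.edu",
                                frozenset(),
                                NOW - timedelta(days=1)),
    # Last scanned a month ago: too old to trust.
    "files.example.edu": VaRecord("files.example.edu",
                                  frozenset({"netbios-null-session"}),
                                  NOW - timedelta(days=30)),
}
EVENTS = [
    IdsEvent("10.9.8.7", "mail.example.edu", "IMAP overflow attempt", "wu-imapd-bof"),
    IdsEvent("10.9.8.7", "ftp.example.edu", "WU-FTPD overflow attempt", "wu-ftpd-bof"),
    IdsEvent("10.9.8.7", "files.example.edu", "NetBIOS null session", "netbios-null-session"),
    IdsEvent("10.9.8.7", "lab.example.edu", "IMAP overflow attempt", "wu-imapd-bof"),
]


def sample_run():
    return triage(EVENTS, INVENTORY, NOW)


if __name__ == "__main__":
    for disposition, evs in sample_run().items():
        for ev in evs:
            print(f"{disposition:12} {ev.dst:18} {ev.signature}")
```

The IMAP event against the host with a confirmed wu-imapd hole is the only one that pages; the FTP overflow against the patched box is merely logged, and the NetBIOS event against the month-old record is routed to a rescan queue instead of being silently dismissed, which is the failure mode a stale VA database produces.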


