IDS mailing list archives

Re: Towards a sound IDS Value Methodology--was-->Gartner is Dead, nCircle, Fusion, asset-correlation...


From: Anton Chuvakin <anton () chuvakin org>
Date: Fri, 22 Aug 2003 10:48:32 -0400 (EDT)

Arian and all,

> My main criticism is that today's security tools do not allow you to
> *define* and *compare* these essential metrics, regardless of how
> they are gathered and assigned.
Oh, I see. I can give you a tool which will let you define values for all
your 34,957 machines using a nice friendly GUI. Will you be happy? I doubt
it. In other words, I agree that few tools do that, but the question of how
to do it right seems a bit more important to me.

> In the methodology I proposed, the majority of information gathering
> regarding asset value is manual.
So, while Marty shared some of his insights on the subject, the proposed
approach (IMHO) replaces the need to define one fuzzy parameter - value
(which is hard) with the need to define several less but still fuzzy
parameters - role, exposure, purpose, prominence. While some of them are
easy to define (such as a role), others seem pretty tricky to me (e.g.
"oh, this box has a prominence of 5, but that other one is 11"...), thus
the problem is not really solved. I do see the measure of how actively
the system is used as a valid metric (and we are thinking of some neat
methods to use it), but it is obviously not a replacement for a value.

To add insult to injury, in a large company any "value definition project"
will not be handled by a single person. Thus, several people will impose
their subjective AND different opinions on what value should be, thus
screwing the system big time (technically speaking :-))

Such methods don't seem to scale. You might think that you know that
your www server is 3.72 times more valuable to you than the ftp server,
but what about extending this to many more boxes?

> factor *one's* defined metrics against vuln posture and threat status.
Yeah, sure, once the value is there, the rest is relatively easy: events +
value + vuln.

> That's my/our problem, and I'm not asking software vendors to
> solve for this need. Yet. :~)
Ok, but how would you approach it, in general? Are you going to ask the
resource owners? Company execs? Insurance companies? ...?

> a) Human beings are likely to assign incorrect values to assets
Sure. For the simple reason of "correct" being undefined.

> b) Assigning incorrect values to assets presents more risk than
> assigning no values to assets
Likely so, a wrong value will cause some important events to be
deprioritized and thus missed - here is your increased risk.

> a) HB can assign values to assets w/>50% accuracy.
v = (int) rand() * 100;    :-)

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org
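The "events + value + vuln" prioritization and the risk of a mis-assigned asset value discussed in this message, as an added example that is not part of the original thread: a toy IDS event prioritizer where two owners' differing, subjective valuations of the same hosts reorder the queue and push the important event down. Host names, values and events are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    signature: str
    severity: int        # 1 (low) .. 10 (high), as reported by the IDS
    exploits_vuln: bool  # target host actually has the matching vulnerability


def score(ev: Event, asset_value: dict) -> float:
    """events + value + vuln: severity, scaled by the asset's value and by
    whether the target is vulnerable (x2) or not (x0.5).  Hosts with no
    assigned value fall back to a neutral 1 (assumption of this example)."""
    vuln_factor = 2.0 if ev.exploits_vuln else 0.5
    return ev.severity * asset_value.get(ev.host, 1) * vuln_factor


def prioritize(events, asset_value):
    """Return the events ordered from most to least urgent."""
    return sorted(events, key=lambda e: score(e, asset_value), reverse=True)


def top_event(events, asset_value) -> str:
    """Signature of the event an analyst would look at first."""
    return prioritize(events, asset_value)[0].signature


# Constructed sample alerts from three hosts.
EVENTS = [
    Event("www", "HTTP buffer overflow attempt", 8, True),
    Event("ftp", "anonymous login", 3, False),
    Event("dev-box", "port scan", 2, False),
]

# Two people valued the same assets; their opinions are subjective and
# different, and owner B rated the public web server as nearly worthless.
VALUES_A = {"www": 10, "ftp": 3, "dev-box": 1}
VALUES_B = {"www": 1, "ftp": 3, "dev-box": 20}

if __name__ == "__main__":
    for label, values in (("owner A", VALUES_A), ("owner B", VALUES_B)):
        print(label)
        for ev in prioritize(EVENTS, values):
            print(f"  {score(ev, values):7.1f}  {ev.host:8s}  {ev.signature}")
```

With owner A's values the exploitable overflow against www ranks first; with owner B's it drops below a port scan of a development box, which is exactly the deprioritized-and-missed event the message warns about.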



