IDS mailing list archives

Re: ForeScout ActiveScout


From: Erik F <efortin () solstice vtc vsc edu>
Date: 10 Jan 2005 18:27:40 -0000

In-Reply-To: <20050107031424.49127.qmail () web41103 mail yahoo com>

<CAUTION: HUMOR AND SARCASM>

First of all, let's review the topic of patching.  A patch is an update to software that's broken in a variety of ways 
including, but not limited to, bug fixes and security issues.  I don't even think that certain vendors take their 
patching seriously - for example: a "critical security update" for an office font was released because it has some 
'offensive' characters in it ... critical for who?!  And then they make it so you can't get any new updates until you 
apply the new font... so, if you don't apply this "critical", but unnecessary update, you might not even know that you 
are missing patches!

Now let's assume you *are* patched with *all* the vendor's patches.
Every one of them.  So having all your exposed services patched (and services configured properly), in theory, 
would make your network 100% secure, in combination with your firewalls being correctly configured of course.  This 
leaves your IDS sitting there gathering data on would-be exploits, but nothing will ever come of them because you
*are* patched.  Leaving you, supposedly, with nothing to worry about.
Nice feeling, isn't it?  Quite peaceful.

Let's be realistic here.  Systems are not just vulnerable between the time the patch is released by a vendor and the 
time you apply it.  I've heard many sysadmins, approx. once a month, say things like "Another vulnerability came out 
today.  *Sigh* I guess I'll be patching our servers again tonight".  It's very important to make them realize that the 
*vulnerability* has been out for a long time and it was only recently patched by the vendor.  And we make the wild 
assumption that the patch works and that it doesn't introduce any new vulnerabilities.
The vendor released the problem code in the first place - what makes anyone think that they are incapable of doing it 
again?!

And if you are 100% patched - you should NEVER have to patch again, right?  100% means 100%, right?  Wrong!  You've 
only applied 100% of the available patches.  So why another release of patches?  It comes from the vulnerabilities that 
are STILL in your 100% patched systems.  Just accept it, you'll never be 100% patched.  And you should be happy about 
this - you'll always have a job because the patching and upgrades will
never end.   Well, I'm assuming that a system you maintain doesn't get
compromised on a zero-day and they fire your ass.  ;-)

So, our job as security people is risk mitigation, not complete protection.  Hey, people have accepted the concept of 
something not working 100% in other products - why do they have such a hard time accepting this same concept in the 
computer security field?  Condoms = risk mitigation, not elimination.

You have your firewalls to police traffic into, and hopefully out of, your network.  Your systems are patched for most 
commonly known vulnerabilities.  Your IDS is probably only looking for known signatures.  Your virus scanner is most 
likely only looking for known signatures as well.  If you are lucky, you have some (N)IPS or HIPS blocking based on 
inappropriate behavior - and hopefully it catches whatever new exploit is out there.

Activescout isn't intended to replace your firewall, or your IDS.  It's intended to complement these systems you 
already have in place.  It REALLY IS damn near 100% accurate as far as false positives are concerned.  There is the 
issue of missed attacks, but that's what you have the other systems for, isn't it?

Information is power - let's say I scan your network for IIS servers and save their version numbers.  I find an 
instance of IIS running on an IP that doesn't have any DNS associated with it.  Maybe this is hidden to most of the 
world, but it's not hidden from a quick port scan.  So, move the port to something that's not the default - a scan will 
find that too with a little bit more work.  Now suppose I know what version of IIS you are running on a system and it's 
completely patched, and I really want to hack into your network ... maybe I can't easily do it right now...
so, I wait.  

Think about this: who do you think is faster - a hacker waiting to exploit a vulnerability on a known vulnerable 
system, or a vendor producing a patch for a vulnerability, releasing it, you downloading it,
(maybe) testing it and then applying it and rebooting the server?  I'll just wait - we'll see who wins this little race.

Activescout gives a scanner so much misinformation that the attackers have a seriously hard time figuring out what is 
real and what is virtual.  This essentially takes away a lot of their knowledge by making them work harder for it.  
This by itself is only an "ok" tactic, but now suppose that you also block the IP addresses of these attackers.
Wouldn't you think this would mitigate risk?

I know what you are thinking - maybe the attacker spoofs the source IP.
Well, Activescout only blocks addresses that can be confirmed as attacking, using techniques such as marking the data at 
the application layer and watching for these marks to return, in addition to watching for complete TCP handshaking.  So, 
where your IDS may have tons of false positives, activescout is nearly 100% accurate because it's not looking for 
signatures that occur frequently in real legitimate traffic.  And it really does come very close to 100% accuracy in 
identifying attackers.
I've had one false block in two-plus years of running activescout, and it was from a user going to http instead of 
httpS.  I've since excluded that http port.  I don't know what the false positive rate is for *your* IDS - ignoring the 
fact it probably doesn't accurately identify the attacker's IP - but you'd have to be insane to implement it as part of 
a firewall blocking system that blocks all traffic from the suspected IP.
Many IDSs will alert on a single packet regardless of any connection state information.

Activescout takes very little effort to maintain, and it sets up in about 20 minutes.  Upgrades are just about 
idiot-proof and take very little time and interaction from the user.  I don't know what you're running your Java on, but 
maybe you should think about an upgrade.  I have a console (not my primary console) on a P300 with 128MB that works 
just fine.  You can probably get one of those for less than $200.

Also, as a side effect, activescout actually reduces the number of IDS alerts you receive.  Mine went down by a factor 
of 100 after installing activescout.  Maybe I get paid more, but activescout has easily paid for itself just in the 
time I save managing my other security products.
Besides, it also makes pretty maps and graphs to show management, which really helps them understand and be able to 
quantify this invisible threat, making it easier to get cash for security products in the future.
This saves me time again, but this time on the begging end of the scale.

If you can save time, money, and mitigate more risk by spending 20 minutes to implement activescout, why not use it?  
Of course, maybe there is a little masochist in everybody. ;-)

</CAUTION: HUMOR AND SARCASM>
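As an added illustration of the "confirm before you block" logic the post describes (this is not ForeScout or ActiveScout code; the marker string, port numbers, and traffic events are constructed), the toy decider below blocks a source only when it completed a full TCP handshake and later echoes a marker that only the decoy ever handed out, honours an excluded port, and is contrasted with a single-packet signature alert:

```python
# Added example modelled on the post's description, not vendor code.
# A source is blocked only if (1) it completed a 3-way handshake on a port
# (so the address is not spoofed) and (2) a marker that only decoy replies
# contain comes back in its later traffic on that port.
from collections import defaultdict

DECOY_MARKER = "decoy-host-7f3a"   # constructed token; only decoy replies carry it
EXCLUDED_PORTS = {80}               # plain-http port excluded after a false block

def confirmed_attackers(events):
    """events: list of (src_ip, dst_port, kind, payload), where kind is
    'syn' (bare probe), 'handshake' (3-way completed) or 'request'.
    Returns the set of source IPs meeting both confirmation criteria."""
    handshaked = defaultdict(set)   # src -> ports with a completed handshake
    marked = defaultdict(set)       # src -> ports on which the marker returned
    for src, port, kind, payload in events:
        if port in EXCLUDED_PORTS:
            continue                # never block on the excluded port
        if kind == "handshake":
            handshaked[src].add(port)
        elif kind == "request" and DECOY_MARKER in payload and port in handshaked[src]:
            marked[src].add(port)   # marker echoed over a real connection
    return set(marked)

def naive_ids_alerts(events, signature="cmd.exe"):
    """Signature-style alert on any single packet; connection state ignored."""
    return {src for src, _, _, payload in events if signature in payload}

SAMPLE_EVENTS = [  # constructed traffic, not a real capture
    ("198.51.100.9", 8080, "syn", ""),                          # half-open probe
    ("198.51.100.9", 8080, "request", "GET /scripts/cmd.exe"),  # no handshake seen
    ("203.0.113.5", 8080, "handshake", ""),
    ("203.0.113.5", 8080, "request", "GET /scripts/cmd.exe"),   # real, no marker yet
    ("203.0.113.5", 8080, "request", "GET /" + DECOY_MARKER + "/admin"),
    ("192.0.2.44", 80, "handshake", ""),
    ("192.0.2.44", 80, "request", "GET /" + DECOY_MARKER),      # excluded port
]

if __name__ == "__main__":
    print("block:", sorted(confirmed_attackers(SAMPLE_EVENTS)))
    print("naive alerts:", sorted(naive_ids_alerts(SAMPLE_EVENTS)))
```

The spoofed-looking probe and the plain-http user never reach the block list, while the naive signature match fires on two sources.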