Re: on NIDS/NIPS tuning

[Raffael Marty <rmarty () arcsight com>]

David,

[Dislaimer: I work for a SIM vendor]

I think today's SIMs should address your needs:

> I am curious to know what SIM product can handle un-tuned IDS alerts in 
> addition to firewall logs, server logs, and application logs. 

If they provide an agent to parse those logs, this should not be a
problem. I can only speak for my company where we have agents for all
these types of sources and more (e.g., AV)

> How accurate is the list of message ID's and the message parsing? 

As accurate as you want it. I consider it a bug if the fields you want
parsed do not show up in our normalized event. 

> I doubt that there is 
> a SIM vendor that has a correlation engine that can handle a fraction of 
> the traffic in an average data-center or enterprise network. 

Well. It depends what kind of event load you have. I could start playing
the numbers game here, but let me refrain from that. I can give you a
better answer: If you find that one manager (that's what we call our
server or collector or whatever) is not enough, you can deploy a
multi-tier setup and roll-up events where needed. 

> Can they provide packaged reporting and alert management? 

Definitely. 

> Flat-file or relational database? 

I am assuming you talk about data storage. You probably won't find a SIM
that uses flat-files to store the data. You are just missing too many
features and don't get the performance you need to query.

> Don't forget about your SOC operators who have to manage the 
> message queue and respond to all of the alerts. 

Event annotation, workflow, all there.

> You can not just push 
> traffic to a SIM and have it magically (and accurately) generate some 
> golden nugget message. 

You can have it take action. And I know all the SIMs support this.

> What are you using to gather vulnerability 
> assessment information 

You import scanner information. There are adapters for vulnerability 
scanners. (foundstone, qualys, nessus, you name it)

> and how is the SIM correlating against that information? 

This is where I can't make a statement about the other SIMs. I know that
we cross-correlated the incoming events with the vulnerability they
target and take that into account to come up with the final priority of
the event.

> Valid alerts need to be measured against the vulnerability of 
> the device/application (patch levels, hardening, etc).

That's done in the priority calculation mentioned in the last section.

Hope this helps...

        -raffy

-- 

Raffael Marty, GCIA, CISSP                    raffael.marty () arcsight com
Senior Security Engineer                    Content Team @ ArcSight Inc.
5 Results Way            Cupertino, CA  95014             (408) 864-2662

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------