IDS mailing list archives

Re: Tracking back internal incidents to users, not IPs


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sun, 26 Feb 2006 21:51:37 +1300

We went through this exact exercise 3 years ago. We implemented a
WAN-wide deployment of snort IDS servers, monitoring both DMZ and WAN
links. This rapidly proved to be more useful in monitoring and
responding to *internal* threats, as an internal alert is actually
something that can be FIXED - vs a remote attack where you end up
needing to contact some email address who is supposed to be a site
contact in some other company on the other side of the planet ;-)

Anyway, all an IDS has to initially go on is the source IP. So we had to
put some "glue" together to cross-reference that against more useful
information, to turn an IDS event into a concise, useful alert.

Our current alerts tell us what site and country the offending address
lives in, whether it is a RAS/VPDN or local network address, what its
(typically) NetBIOS name is, who its suspected owner is, and what their
email and phone number is. Quite a lot to go on :-)

In the past, tracking down such information typically was a manual
process - involved talking to the network team (to find out what
site/country that address is from), the Windows server team (to find out
NetBIOS details/etc), and the Helpdesk team (to find owner/etc). Now,
it's automated and takes about 20 secs :-)

Still doesn't make me coffee tho' :-(

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
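The "glue" the post describes, as an added illustration that is not part of the original message or of any Trimble tooling: a Snort fast-alert line is reduced to its source IP, which is then cross-referenced against constructed site, RAS/VPDN pool and NetBIOS/owner tables. All addresses, site names and contact details below are made up; the real lookups would come from the network, Windows server and Helpdesk teams' data.

```python
import ipaddress
import re

# Constructed stand-ins for the network team's site ranges, the RAS/VPDN
# address pool and the Windows team's NetBIOS/owner records.
SITE_TABLE = {
    "10.1.0.0/16": ("Site-A", "NZ"),
    "10.1.200.0/24": ("Site-A", "NZ"),   # RAS/VPDN pool inside Site-A's range
    "10.2.0.0/16": ("Site-B", "US"),
}
RAS_POOLS = ["10.1.200.0/24"]
HOST_TABLE = {
    "10.1.5.23": {"netbios": "SITEA-WS0423", "owner": "A. Example",
                  "email": "a.example@example.invalid", "phone": "+64 3 000 0000"},
}

# Snort fast-alert tail looks like: "... {TCP} 10.1.5.23:1234 -> 10.1.9.1:445"
# (ICMP alerts carry no port, so the port group is optional).
ALERT_RE = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")

def source_ip(alert_line):
    """Return the source address of a Snort fast-alert line, or None."""
    m = ALERT_RE.search(alert_line)
    return m.group(1) if m else None

def lookup_site(ip):
    """Longest-prefix match so a RAS pool beats the site range enclosing it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SITE_TABLE.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else ("unknown", "unknown")

def enrich(alert_line):
    """Turn a raw alert line into the site/kind/host/owner record analysts want."""
    ip = source_ip(alert_line)
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    site, country = lookup_site(ip)
    is_ras = any(addr in ipaddress.ip_network(p) for p in RAS_POOLS)
    host = HOST_TABLE.get(ip, {})
    return {"src": ip, "site": site, "country": country,
            "kind": "RAS/VPDN" if is_ras else "local",
            "netbios": host.get("netbios", "unknown"),
            "owner": host.get("owner", "unknown"),
            "email": host.get("email"), "phone": host.get("phone")}
```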

