IDS mailing list archives
RE: RE: Tuning false positives - SIM is not the answer
From: "Gary Halleen (ghalleen)" <ghalleen () cisco com>
Date: Wed, 28 Dec 2005 23:42:02 -0800
That is correct with most SIM products, Rassel, but not with the new generation of products. A key feature of the new generation SIM is awareness of the network topology. Consider the case of a firewall generating many millions of events per day, as well as an IDS sitting outside the firewall, which is also probably generating hundreds of thousands, or millions of events. A SIM that understands the topology also knows that the firewall sits between the IDS and the host under attack. A traditional SIM will do as you say, and give you good reports and pretty pictures. A topology-aware SIM uses those IDS events to classify the traffic that both passes and is blocked by the firewall. When the IDS sends events that identify the Blaster.C worm, and the firewall sends events that show TCP/4444 is blocking the same traffic, then those events can be automatically removed from the analyst's initial view, while still being available for review if needed. MARS refers to these as System-Determined False-Positives.

You can use the same capabilities to see that web-based attacks are not actually causing damage to the target host by monitoring things like the web server's logs, antivirus, host IDS, or system/security logs. These capabilities are useful everywhere there are additional security or network devices between the target and source of an attack that are configured to log to the SIM. Additionally, when you do need to tune (and I'm not saying that a good SIM completely removes the need to tune, just that it reduces the need), often it makes more sense to tune all security devices centrally, at the SIM, rather than at each security device.

Integration with vulnerability assessment systems increases the intelligence a good SIM has. This additional knowledge allows the SIM to raise/lower the severity of an incident, or filter the events, based on whether it appears that the target is vulnerable to an attack.
MARS currently uses an internal Nessus (v2) scanner, but also will integrate with several third-party VA systems if you'd rather use one of them. There are several good SIM products on the market. You'll find a wide range in prices and capabilities, but it is worth investing in one if you haven't already. I like MARS, and am more familiar with it than some of the others, and used it prior to Cisco acquiring Protego Networks last year, as well as since then.

-----Original Message-----
From: rassel_k () hotmail com [mailto:rassel_k () hotmail com]
Sent: Wednesday, December 28, 2005 10:45 PM
To: focus-ids () securityfocus com
Subject: Re: RE: Tuning false positives - SIM is not the answer

SIM systems are nice. They give great graphical views and good methods of drilling into the info. However, they are not able to do anything about cutting down the amount of false positives; tuning the IPS is still a must. SIM systems have nothing to do with the fact that your IDS/IPS gets 300,000 alerts per day. It'll just sum it up nicely for you so you don't read them one at a time; however, if some of them are for real attacks and others from misconfigured network devices, you're bound to miss the real attacks.

SIM will help you see trends, not find targeted attacks, and if you want your IPS to work, you have to make a choice: lots of alarms catching lots of false positives (sometimes 80%-90% of alerts), or fewer alarms, accepting you may be missing some of the more interesting attacks (either targeted or just stuff that gets too many false alarms in your specific environment). You should use a SIM, but don't expect it to solve the problem of configuring and analyzing your alarms; this problem is as old as detection systems.

Just my $0.02
Rassel

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
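The correlation Gary describes, reduced to a minimal topology-aware pass over constructed IDS, firewall and vulnerability-scan data, as an added example that is not code from the thread or from MARS. The event fields, the device names (`ids-ext`, `fw1`), the vulnerability identifier and the five-second matching window are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Topology assumption: firewall "fw1" sits between sensor "ids-ext" and the
# protected hosts, so a deny on fw1 for the same flow means the packet the IDS
# saw never reached the target (a "system-determined false positive").
TOPOLOGY = {"ids-ext": {"downstream_firewall": "fw1"}}

# Constructed vulnerability-scan results: target -> set of applicable weaknesses.
VA_RESULTS = {"10.0.1.5": {"ms03-026"}, "10.0.1.6": set()}

# Constructed sample events (timestamps in UTC).
IDS_ALERTS = [
    {"ts": "2005-12-28T10:00:00", "sensor": "ids-ext", "sig": "Blaster.C worm",
     "vuln": "ms03-026", "src": "192.0.2.10", "dst": "10.0.1.5",
     "proto": "tcp", "dport": 4444, "severity": 3},
    {"ts": "2005-12-28T10:00:02", "sensor": "ids-ext", "sig": "Blaster.C worm",
     "vuln": "ms03-026", "src": "192.0.2.11", "dst": "10.0.1.6",
     "proto": "tcp", "dport": 4444, "severity": 3},
]
FW_EVENTS = [
    {"ts": "2005-12-28T10:00:01", "device": "fw1", "action": "deny",
     "src": "192.0.2.10", "dst": "10.0.1.5", "proto": "tcp", "dport": 4444},
]
WINDOW = timedelta(seconds=5)  # assumed correlation window

def _t(s):
    return datetime.fromisoformat(s)

def blocked_downstream(alert, fw_events):
    """True if the firewall on this sensor's path denied the same flow within WINDOW."""
    fw = TOPOLOGY.get(alert["sensor"], {}).get("downstream_firewall")
    if fw is None:
        return False
    for ev in fw_events:
        if (ev["device"] == fw and ev["action"] == "deny"
                and all(ev[k] == alert[k] for k in ("src", "dst", "proto", "dport"))
                and abs(_t(ev["ts"]) - _t(alert["ts"])) <= WINDOW):
            return True
    return False

def classify(alert, fw_events=FW_EVENTS, va=VA_RESULTS):
    """Return (disposition, adjusted_severity) for one IDS alert."""
    if blocked_downstream(alert, fw_events):
        return "system-determined false positive", 0  # hidden from the initial view
    vulns = va.get(alert["dst"])
    if vulns is None:
        return "unknown target", alert["severity"]   # no VA data: severity unchanged
    if alert["vuln"] in vulns:
        return "target vulnerable", alert["severity"] + 1
    return "target not vulnerable", max(alert["severity"] - 1, 1)
```

Events marked as system-determined false positives are still retained, only their severity is zeroed so they drop out of the analyst's initial view.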
Current thread:
- RE: RE: Tuning false positives - SIM is not the answer Gary Halleen (ghalleen) (Jan 02)
- Re: Tuning false positives - SIM is not the answer Stefano Zanero (Jan 05)
- <Possible follow-ups>
- RE: RE: Tuning false positives - SIM is not the answer Andrew Plato (Jan 02)
- Re: RE: RE: Tuning false positives - SIM is not the answer rassel_k (Jan 05)
- Re: RE: RE: Tuning false positives - SIM is not the answer brent (Jan 05)
- Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 12)
- Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 10)
- Re: Tuning false positives - SIM is not the answer Jason (Jan 11)