IDS mailing list archives

RE: RE: Tuning false positives - SIM is not the answer


From: "Gary Halleen (ghalleen)" <ghalleen () cisco com>
Date: Wed, 28 Dec 2005 23:42:02 -0800

That is correct with most SIM products, Rassel, but not with the new
generation of products.

A key feature of the new generation SIM is awareness of the network
topology.  

Consider the case of a firewall generating many millions of events per
day, as well as an IDS sitting outside the firewall, which is also
probably generating hundreds of thousands, or millions of events.  A SIM
that understands the topology also knows that the firewall sits between
the IDS and the host under attack.  A traditional SIM will do as you
say, and give you good reports and pretty pictures.  A topology-aware
SIM uses those IDS events to classify the traffic that both passes and
is blocked by the firewall.  When the IDS sends events that identify the
Blaster.C worm, and the firewall sends events that show TCP/4444 is
blocking the same traffic, then those events can be automatically
removed from the analyst's initial view, while still being available for
review if needed.  MARS refers to these as System-Determined
False-Positives.

You can use the same capabilities to see that web-based attacks are not
actually causing damage to the target host by monitoring things like the
web server's logs, antivirus, host IDS, or system/security logs.  These
capabilities are useful everywhere there are additional security or
network devices between the target and source of an attack that are
configured to log to the SIM.  

Additionally, when you do need to tune (and I'm not saying that a good
SIM completely removes the need to tune, just that it reduces the need),
often it makes more sense to tune all security devices centrally, at the
SIM, rather than at each security device.

Integration with vulnerability assessment systems increases the
intelligence a good SIM has.  This additional knowledge allows the SIM
to raise/lower the severity of an incident, or filter the events, based
on whether it appears that the target is vulnerable to an attack.  MARS
currently uses an internal Nessus (v2) scanner, but also will integrate
with several third-party VA systems if you'd rather use one of them.

There are several good SIM products on the market.  You'll find a wide
range in prices and capabilities, but it is worth investing in one if
you haven't already.  I like MARS, and am more familiar with it than
some of the others, and used it prior to Cisco acquiring Protego
Networks last year, as well as since then.



-----Original Message-----
From: rassel_k () hotmail com [mailto:rassel_k () hotmail com] 
Sent: Wednesday, December 28, 2005 10:45 PM
To: focus-ids () securityfocus com
Subject: Re: RE: Tuning false positives - SIM is not the answer

SIM systems are nice. They give great graphical views and good methods
of drilling into the info. However, they are not able to do anything
about cutting down the amount of false positives; tuning the IPS is
still a must.
SIM systems have nothing to do with the fact your IDS/IPS gets 300,000
alerts per day. It'll just sum it up nicely for you so you don't read
them one at a time, however if some of them are for real attacks and
others from misconfigured network devices you're bound to miss the real
attacks.
SIM will help you see trends, not find targeted attacks, and if you want
your IPS to work, you have to make a choice: lots of alarms catching
lots of false positives (sometimes 80%-90% of alerts) or fewer alarms,
accepting you may be missing some of the more interesting attacks
(either targeted or just stuff that gets too many false alarms in your
specific environment).
You should use a SIM, but don't expect it to solve the problem of
configuring and analyzing your alarms; this problem is as old as
detection systems.

Just my $0.02
Rassel
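As an added illustration of the topology-aware correlation Gary describes in his reply above (example code written for this archive page, not Cisco/MARS code): a firewall deny for the same flow inside a short time window marks the IDS alert as a system-determined false positive, and hypothetical vulnerability-assessment results lower the severity when the target does not run the software the signature exploits. The sample alerts, firewall events, VA results and signature-to-software mapping are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: an IDS outside the firewall and the firewall itself
# both log to the SIM. Timestamps are ISO 8601, same clock on both devices.
IDS_ALERTS = [
    {"ts": "2005-12-28T10:00:01", "sig": "Blaster.C worm", "src": "203.0.113.5",
     "dst": "192.0.2.10", "proto": "tcp", "dport": 4444, "sev": 5},
    {"ts": "2005-12-28T10:00:07", "sig": "IIS Unicode traversal", "src": "203.0.113.9",
     "dst": "192.0.2.20", "proto": "tcp", "dport": 80, "sev": 4},
    {"ts": "2005-12-28T10:00:09", "sig": "IIS Unicode traversal", "src": "203.0.113.9",
     "dst": "192.0.2.21", "proto": "tcp", "dport": 80, "sev": 4},
]
FW_EVENTS = [
    {"ts": "2005-12-28T10:00:01", "action": "deny", "src": "203.0.113.5",
     "dst": "192.0.2.10", "proto": "tcp", "dport": 4444},
    {"ts": "2005-12-28T10:00:07", "action": "permit", "src": "203.0.113.9",
     "dst": "192.0.2.20", "proto": "tcp", "dport": 80},
    {"ts": "2005-12-28T10:00:09", "action": "permit", "src": "203.0.113.9",
     "dst": "192.0.2.21", "proto": "tcp", "dport": 80},
]
# Hypothetical VA results: which web server each target host runs.
VA_RESULTS = {"192.0.2.20": {"httpd": "apache"}, "192.0.2.21": {"httpd": "iis"}}
# Hypothetical mapping from signature to the (service, product) it actually exploits.
SIG_REQUIRES = {"IIS Unicode traversal": ("httpd", "iis")}
WINDOW = timedelta(seconds=5)   # how close an FW event must be to an IDS alert

def flow_key(e):
    return (e["src"], e["dst"], e["proto"], e["dport"])

def classify(alert, fw_events, va_results):
    """Return (verdict, severity) for one IDS alert, topology-aware SIM style."""
    t_alert = datetime.fromisoformat(alert["ts"])
    # 1. The firewall between sensor and target denied the same flow within the
    #    window: the attack never reached the host -> system-determined FP.
    for fw in fw_events:
        if (fw["action"] == "deny" and flow_key(fw) == flow_key(alert)
                and abs(datetime.fromisoformat(fw["ts"]) - t_alert) <= WINDOW):
            return ("system-determined false positive", 0)
    # 2. VA data shows the target lacks the exploited software: keep the event
    #    for review but lower its severity rather than dropping it.
    req, host = SIG_REQUIRES.get(alert["sig"]), va_results.get(alert["dst"])
    if req and host is not None and host.get(req[0]) != req[1]:
        return ("target not vulnerable", max(alert["sev"] - 2, 1))
    return ("investigate", alert["sev"])

def triage(alerts=IDS_ALERTS, fw_events=FW_EVENTS, va_results=VA_RESULTS):
    """Triage every alert; only 'investigate' rows land in the analyst's first view."""
    return [(a["sig"], a["dst"]) + classify(a, fw_events, va_results) for a in alerts]

if __name__ == "__main__":
    for row in triage():
        print(row)
```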

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
