IDS mailing list archives

RE: Tuning false positives (SIM and VM)


From: "Jasun Tate" <jtate () ICWGROUP com>
Date: Fri, 13 Jan 2006 08:39:45 -0800

In reference to SIM management, I have a question almost on another tier:
what is your take on the new Advanton appliance and centrally
"clustering" them?

Jasun Tate
Network Operations
ICW System Security Specialist
Office #858-350-2459
  

~~INVEST IN LOSS~~ Chen Man Ching
-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com] 
Sent: Wednesday, January 11, 2006 9:05 AM
To: focus-ids () securityfocus com
Subject: Re: Tuning false positives (SIM and VM)

At 03:56 PM 1/5/2006, Raffael Marty wrote:
On the subject of SIMs and vulnerability analysis scans...has anyone
actually found this feature to be useful?
1) I can't even imagine letting my SIM scan the network in such an ad hoc
manner. It doesn't help that none of the vendors seem to bother with
providing much in the way of documentation of the process. I'm in a wacky
world where an outage is almost never trivial;-) I've used Nessus enough
to know that it WILL eventually cause an outage.

I think you misunderstand what a SIM does with respect to vulnerability
scans. SIMs import scans from vulnerability scanners that you have
deployed, for example from Nessus. I think I remember that there is one
product (not even sure if it is a SIM) that does ad-hoc scans for events
it gets. That's just not a good idea, introduces a lot of latency (so
doesn't scale) and has the problems you outline. Again, in general, SIMs
import vuln scans; they don't scan themselves.

One of the reasons we design Tenable's products as a blend of SIM and VM
is that this import function is a leap of faith. Too often, I see great
SIM products loaded with last year's vuln data, or vuln data that didn't
have the proper credentials, or vuln data that was only a discovery scan.

With Tenable's products, you can do SIM and VM at the same time with one
product set. If scanning too often is an issue, we can also sniff network
traffic with NeVO to find new hosts, applications and vulnerabilities.

Having accurate vulnerability data makes any SIM process (incident
response, VA/IDS correlation, updated asset inventory, etc.) much more
relevant.

Ron Gula, CTO
Tenable Network Security 


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



#####################################################################################
Warning: 

This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
entity to which it is addressed. If you are not the named addressee any review, dissemination, distribution or 
duplication of this e-mail is strictly prohibited. If you have received this email in error, please let us know by 
e-mail and delete it from your system. Please note that any personal views or opinions presented in this email are 
solely those of the author and do not necessarily represent those of the company.

Thank You.
#####################################################################################

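The VA/IDS correlation Ron refers to, with the three import failure modes he lists (last year's data, no credentials, discovery-only scan) applied as quality gates before a scan is allowed to clear a host, as an added example that is not part of the original thread and not code from any Tenable product. The scan records, alert records, the signature-to-vulnerability mapping and the 30-day freshness threshold are all constructed for illustration; a real SIM would ingest the scanner's export format and the IDS vendor's signature metadata instead.

```python
"""Correlate IDS alerts with imported vulnerability-scan data.

The point of the example: a *positive* finding can be trusted from almost
any scan, but the *absence* of a finding only proves anything if the scan
was fresh, credentialed and a full scan.  Imported scan data that fails
those checks must not be used to downgrade an alert.
"""
from datetime import datetime, timedelta, timezone

# --- Constructed sample data (not from any real scanner or IDS) -------------

# One imported record per host, as a SIM would ingest from an external scanner.
SCAN_RESULTS = {
    "10.0.0.4": {"scanned_at": "2006-01-10T02:00:00Z", "credentialed": True,
                 "scan_type": "full", "vulns": {"ssh-weak-kex"}},
    "10.0.0.5": {"scanned_at": "2006-01-10T02:00:00Z", "credentialed": True,
                 "scan_type": "full", "vulns": {"httpd-old-version", "ssh-weak-kex"}},
    "10.0.0.6": {"scanned_at": "2005-03-01T02:00:00Z", "credentialed": True,
                 "scan_type": "full", "vulns": set()},        # last year's data
    "10.0.0.7": {"scanned_at": "2006-01-10T02:00:00Z", "credentialed": False,
                 "scan_type": "full", "vulns": set()},        # no credentials
    "10.0.0.8": {"scanned_at": "2006-01-10T02:00:00Z", "credentialed": True,
                 "scan_type": "discovery", "vulns": set()},   # host discovery only
}

# Hypothetical mapping: IDS signature name -> vulnerability tag it exploits.
SIG_TO_VULN = {
    "WEB httpd chunked overflow attempt": "httpd-old-version",
    "SSH weak kex negotiation": "ssh-weak-kex",
}

MAX_SCAN_AGE = timedelta(days=30)          # assumed freshness policy
NOW = datetime(2006, 1, 11, 9, 5, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamps used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def scan_quality_issues(scan, now):
    """Reasons an imported scan cannot be trusted to *clear* a host."""
    issues = []
    if now - parse_ts(scan["scanned_at"]) > MAX_SCAN_AGE:
        issues.append("stale")
    if not scan["credentialed"]:
        issues.append("uncredentialed")
    if scan["scan_type"] != "full":
        issues.append("discovery-only")
    return issues


def correlate(alert, scans, now):
    """Return a verdict, a priority and the reasons, for one IDS alert."""
    scan = scans.get(alert["dst"])
    vuln = SIG_TO_VULN.get(alert["signature"])
    if scan is None:
        return {"verdict": "no-scan-data", "priority": "medium",
                "reasons": ["host never scanned"]}
    if vuln is None:
        return {"verdict": "unmapped-signature", "priority": "medium",
                "reasons": ["signature not tied to a vulnerability"]}
    issues = scan_quality_issues(scan, now)
    if vuln in scan["vulns"]:
        # A finding is evidence of exposure even if the scan is otherwise weak.
        return {"verdict": "vulnerable", "priority": "high", "reasons": issues}
    if issues:
        # No finding in a weak scan proves nothing: keep the default priority.
        return {"verdict": "unverified", "priority": "medium", "reasons": issues}
    return {"verdict": "not-vulnerable", "priority": "low",
            "reasons": ["fresh credentialed full scan shows no exposure"]}


def triage(alerts, scans=SCAN_RESULTS, now=NOW):
    """Correlate a batch of alerts; returns one result dict per alert."""
    return [dict(alert, **correlate(alert, scans, now)) for alert in alerts]


if __name__ == "__main__":
    # Constructed alert stream: same signature against hosts of differing scan quality.
    sig = "WEB httpd chunked overflow attempt"
    alerts = [{"src": "192.0.2.10", "dst": d, "signature": sig}
              for d in ("10.0.0.4", "10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9")]
    for r in triage(alerts):
        print(f'{r["dst"]:10} {r["priority"]:6} {r["verdict"]:18} {", ".join(r["reasons"])}')
```

Only the "not-vulnerable" verdict lowers priority, and it is reachable only through a scan that passed every gate; the other three verdicts leave the analyst's default priority untouched, which is the behaviour you want when the imported data is the leap of faith Ron describes.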

