Information Security News mailing list archives

Re: RFI aims at security info sharing


From: InfoSec News <isn () c4i org>
Date: Fri, 7 Feb 2003 02:43:18 -0600 (CST)

Forwarded from: H C <keydet89 () yahoo com>
Cc: dfrank () fcw com

From what I've seen of corporate and gov't (some state and fed)
infrastructures, from what's been in the news, and from my experience
with commercial security systems, I find it hard to believe that
determining the method for exchanging incident information is turning
out to be such a difficult endeavor.

Managed security monitoring structures, such as those set up by RipTech
(now Symantec), have gone a long way toward solving this problem.
MountainWave (producer of CyberWolf, now owned by Symantec) did a
great deal of work in 'normalizing' audit log data, as well as data
from several commercial and freeware tools.

Simply looking at the results of defaced web pages, the various worms,
etc., it's easy to see that the real issue isn't so much how to
exchange incident data, but how to *get* credible incident data in the
first place.  It would seem that even today, across the entire
spectrum of infrastructures (state, federal, private, commercial,
etc.), the true limiting factors are first detecting an incident, and
then quickly and accurately gathering credible data regarding that
incident.

As an example (only an example) I teach a self-developed IR course for
Win2K (XP and NT, as well).  The course utilizes several hands-on lab
exercises, in which the attendees return from a break to find their
systems "compromised" by a Trojan.  While all systems have Internet
access, the only instruction to the attendees is that they can't use
any tools from the CD provided.  Invariably, the only tools used are
Task Manager and Event Viewer.

In another instance, I was investigating an incident at a data center.  
I asked the MCSE+I admin to provide me with the IIS 5.0 web logs.  I
received a zipped archive containing three .evt files.  Doh!

My point is this...if setting up a format for exchanging information
is so difficult, what happens when we get to actually collecting
information?  If the reliance is on commercial security tools, then
there's another issue...anyone with a modicum of experience is aware
of configuration issues, as well as the issue of false positives.  
While this is also true, to some degree, with the various freeware
tools, the overall point is GIGO...garbage in, garbage out.  If the
commercial tools are having limited success within each individual
organization, what is the expected outcome of connecting all of these
systems?

 
For some time, FedCIRC has been working with the CERT Coordination
Center (CERT/CC) on the Data Analysis Capability (DAC), a solution
that will allow FedCIRC to analyze and correlate incident
information across government. The idea is that as more agencies
share information, the better the overall management of security
incidents will be.

Several agencies have helped test the DAC and work through policy
issues surrounding data sharing among agencies, but technologically,
agencies face difficulty in combining information from proprietary
commercial security systems.
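
The two data-quality problems the message describes, logs that arrive
without any normalization and a "web log" that turns out to be something
else entirely, in working code. This is an added example, not code from
the original message, from CyberWolf, or from any other product named
above; the sample IIS 5.0 log lines, the minimal .evt header bytes and the
small common record schema are all constructed for illustration.

```python
"""Sanity-check that a file really is an IIS 5.0 W3C extended web log,
then normalize its records into a small source-independent schema."""
from typing import Dict, List

# Constructed sample: header and two data lines in the shape of an
# IIS 5.0 W3C extended log (the field names are the real IIS ones; the
# addresses and requests are made up for this example).
SAMPLE_IIS_LOG = b"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-06 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-02-06 00:01:12 10.1.2.3 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-02-06 00:02:40 10.9.8.7 GET /scripts/cmd.exe /c+dir 404 -
"""

# Constructed sample: the start of a Windows NT/2000 .evt file. The real
# header begins with a 4-byte header length (0x30) followed by the
# 'LfLe' signature; everything after that is zero-padded here.
SAMPLE_EVT_FILE = b"\x30\x00\x00\x00LfLe" + b"\x00" * 40


def sniff_log_type(data: bytes) -> str:
    """Return 'evt', 'w3c' or 'unknown' from the first bytes of a file."""
    if len(data) >= 8 and data[4:8] == b"LfLe":
        return "evt"
    if data.lstrip().startswith((b"#Software:", b"#Version:", b"#Fields:")):
        return "w3c"
    return "unknown"


def parse_w3c(data: bytes) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.

    IIS separates fields with single spaces and writes spaces inside a
    value as '+', so a plain split is safe. A #Fields directive may appear
    more than once, because IIS rewrites it whenever the field set changes.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    text = data.decode("ascii", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def normalize(record: Dict[str, str]) -> Dict[str, object]:
    """Map one IIS record onto a common schema.

    The schema (timestamp, src_ip, action, resource, status, source) is an
    assumption made for this example, not a standard exchange format.
    """
    resource = record.get("cs-uri-stem", "-")
    query = record.get("cs-uri-query", "-")
    if query != "-":
        resource = f"{resource}?{query}"
    status_raw = record.get("sc-status", "-")
    return {
        "timestamp": f"{record.get('date', '')}T{record.get('time', '')}",
        "src_ip": record.get("c-ip", "-"),
        "action": record.get("cs-method", "-"),
        "resource": resource,
        "status": int(status_raw) if status_raw.isdigit() else None,
        "source": "iis-w3c",
    }


def load_web_log(data: bytes) -> List[Dict[str, object]]:
    """Refuse anything that is not a W3C log, then normalize every record."""
    kind = sniff_log_type(data)
    if kind == "evt":
        raise ValueError("this is a Windows event log (.evt), not an IIS web log")
    if kind != "w3c":
        raise ValueError("not a W3C extended log (no #Software/#Version/#Fields header)")
    return [normalize(r) for r in parse_w3c(data)]


if __name__ == "__main__":
    for rec in load_web_log(SAMPLE_IIS_LOG):
        print(rec)
    try:
        load_web_log(SAMPLE_EVT_FILE)
    except ValueError as exc:
        print("rejected:", exc)
```

The sniff step is the cheap check that would have caught the zipped .evt
files before anyone started analysis; the normalization step is the part
that has to be right for every source before records from different tools
can be correlated at all, which is the GIGO point the message makes.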



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

