April 19, 2023
Copyright © 2007 Tenable Network Security, Inc. 1
Good and Bad Uses Of Vulnerability Data For IDS Event Correlation
Mostly Bad Uses Of Vulnerability Data For IDS Event Correlation
Introduction
The goal of this talk is to help those of us with network monitoring programs to understand the limits of IDS/VA correlation.
Introduction
-- OR --
Introduction
We all have purchased expensive SIM and IPS products and this will help you operate them better!
Introduction
I hope no-one needs to recode their software or strangle their sales guy after this …
IDS/VA is in lots of places already
• SIMs do it – Arcsight, Q1, Cisco MARS, Tenable, etc.
• IDS/IPS do it – Sourcefire, Lucid, NFR, etc.
• Threat Simulators do it – Skybox, RedSeal, etc.
• Pre/Post NAC looks a lot like this too
• Home grown applications !!!
  – Your MSPs and internal IT projects
Why listen to me?
• CTO/CEO and Co-Founder of Tenable
  – Nessus Vulnerability Scanner
  – Several monitoring & correlation products
• Founder of Network Security Wizards which made the Dragon Intrusion Detection System
• Director of Risk Mitigation at USi
• Consultant, pen-tester & security researcher for GTE, BBN and NSA
• Captain in USAF
Overview
• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn’t Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments
Basic VA/IDS Concepts
• Why correlate at all?
  – Typical NIDS have imperfect knowledge of the networks they are watching
  – Most NIDS are not intrusion detection systems, but are instead attack and probe detection systems
  – A NIDS may give you hundreds of thousands of events per day (hour); correlating this with your known vulnerabilities can reduce this to a small handful
  – You can use the fact that your NIDS device has such a high false positive rate to justify VA scanning every day instead of once per quarter
Basic VA/IDS Concepts
Which describes you better?
• Want to see any and all possible attacks.
• Only responding to events which affect your business
Basic VA/IDS Concepts
[Figure: a network diagram built up over several slides; a number of the hosts are marked “V”]
IDS Says: “Nine Attacks!”
VA/IDS Says: “1 REAL attack”
Basic VA/IDS Concepts
Which is more accurate?
Your favorite:
• IDS
• IPS
• UTM
• NBAD
Your favorite:
• Scanner
• PCI Scanning MSP
• Patch Tester
• Agent
Basic VA/IDS Concepts
What you get when VA accuracy meets IDS accuracy (rows: the VA result; within each row: the IDS result):
• VA False Positive
  – IDS False Positive: Sends you a well qualified event that is false!
  – IDS 100% Accuracy: Over-emphasizes a valid IDS event
  – IDS False Negative: Can’t help directly
• VA 100% Accuracy
  – IDS False Positive: Removes IDS false positive
  – IDS 100% Accuracy: Desired Alerting
  – IDS False Negative: Potentially reconfigure the NIDS
• VA False Negative
  – IDS False Positive: IDS Events that are incorrect are not removed
  – IDS 100% Accuracy: IDS Events are not emphasized
  – IDS False Negative: Can’t help directly
Sources of IDS/IPS FP/FN
• False Positives
  – Bad Signature
  – Good signature, but unexpected matching traffic
• False Negatives
  – No signature
    • Unknown attack/vuln
    • Can’t write a rule to look for it
  – Bypass detection with encoding
Sources of Vuln FP/FN
• False Positives
  – Bad Rule/Plugin/Check
  – Good Rule/Plugin/Check, but unexpected matching data or application
  – Back-porting of Daemons
    • Nessus “Paranoid” mode
Sources of Vuln FP/FN
• False Negatives
  – No signature
  – Didn’t scan that port
  – Didn’t use credentials
  – Didn’t scan that often
  – Back-porting of Daemons
    • Nessus “Paranoid” mode
  – Can’t perform a check for this
    • Credentialed vs. scanning
    • “We’d like you to develop a non-credentialed method to test for the new Daylight Savings Time patch”
Introduction
And even when it does work ….
Basic VA/IDS Concepts
The Security Grind
There is the human layer:
“Hey Joe, I think there is something wrong with our SIM!!!”
“Why do you say that?”
“According to this, we’ve just had several hundred successful Telnet and DNS attacks”
Sources of Correlation Errors
Simple Algorithm
1. Receive IDS event
2. “Lookup” to see if target is vuln
3. Launch missiles if real attack
Sources of Correlation Errors
• Magic “Lookup” functions
  – What is the correlation based on?
    • CVE, Bugtraq, Nessus ID, X-Force ID, etc.
  – Is it port and protocol specific?
  – How does it get updated?
    • IDS and vuln scanners get daily updates
    • How does the solution sync with this new data?
  – How correct is the code?
    • Does it accept “CVE” and “CAN”?
    • Does it handle multiple CVE/Bugtraq entries per vulnerability or IDS event?
Sources of Correlation Errors
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:13;)
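The three-step algorithm and the “magic lookup” questions (which reference scheme, port/protocol specificity, CVE versus CAN, several references on one signature) can be made concrete with a small correlator. The Python below is an added example, not code from the slides or from any Tenable product. It reuses the Snort rule shown above (sid:1042) as the IDS event and correlates it against constructed scan results for hypothetical hosts 10.0.0.5 to 10.0.0.7. Two lookups sit side by side: the host-wide “cheap” lookup the deck warns about, and a port/protocol-specific one that answers “unknown” when the scanner never probed that host or port, so an event is never de-emphasized on the strength of data that does not exist.

```python
import re
from dataclasses import dataclass, field

# The Snort rule shown on the slide (sid:1042), used here as the IDS event's source of references.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via '
    'translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; '
    'reference:arachnids,305; reference:bugtraq,14764; reference:bugtraq,1578; '
    'reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; '
    'sid:1042; rev:13;)'
)

REF_RE = re.compile(r'reference:\s*([a-z-]+)\s*,\s*([^;]+);', re.IGNORECASE)
CVE_RE = re.compile(r'(?:CVE-|CAN-)?(\d{4}-\d{4,})', re.IGNORECASE)


def normalize_ref(scheme, value):
    """Canonicalise one reference so IDS and scanner spellings compare equal.
    CVE ids arrive as 'CVE-2000-0778', as the old candidate form 'CAN-2000-0778',
    or as Snort's bare '2000-0778'; all of them map to 'CVE-2000-0778'."""
    scheme, value = scheme.lower(), value.strip()
    if scheme == 'cve':
        m = CVE_RE.fullmatch(value)
        if not m:
            raise ValueError(f'malformed CVE reference: {value!r}')
        return ('cve', 'CVE-' + m.group(1))
    return (scheme, value)


def parse_references(rule):
    """Return the set of normalised (scheme, id) pairs carried by a Snort rule.
    One signature may cite several Bugtraq/CVE/Nessus ids, so this is a set, not one id."""
    return {normalize_ref(s, v) for s, v in REF_RE.findall(rule)}


@dataclass
class HostScan:
    scanned_ports: set                            # (proto, port) pairs the scanner actually probed
    findings: dict = field(default_factory=dict)  # (proto, port) -> set of normalised refs found there


# Constructed scan results for three hypothetical hosts (not data from the slides).
VA_DATA = {
    '10.0.0.5': HostScan({('tcp', 80), ('tcp', 443)},
                         {('tcp', 80): {('cve', 'CVE-2000-0778'), ('nessus', '10491')}}),
    '10.0.0.6': HostScan({('tcp', 80)}),   # web server scanned and found clean
    '10.0.0.7': HostScan({('tcp', 22)}),   # SSH-only point scan; port 80 was never probed
}


def cheap_lookup(event_refs, dst):
    """The 'cheap model' from the slides: host-wide rather than port/protocol centric,
    and it treats 'no finding' and 'never scanned' as the same answer."""
    host = VA_DATA.get(dst)
    if host is None:
        return 'not-vulnerable'
    seen = set().union(*host.findings.values())
    return 'vulnerable' if event_refs & seen else 'not-vulnerable'


def correlate(event_refs, dst, proto, port):
    """Port/protocol-specific lookup with a three-way answer. 'unknown' is returned
    whenever the scanner never looked at that host or that port: absence of a finding
    there means nothing, so the event must not be de-emphasised."""
    host = VA_DATA.get(dst)
    if host is None or (proto, port) not in host.scanned_ports:
        return 'unknown'
    if event_refs & host.findings.get((proto, port), set()):
        return 'vulnerable'
    return 'not-vulnerable'


if __name__ == '__main__':
    refs = parse_references(SNORT_RULE)
    for dst, port in (('10.0.0.5', 80), ('10.0.0.6', 80), ('10.0.0.7', 80), ('10.0.0.5', 8080)):
        print(dst, port, 'cheap:', cheap_lookup(refs, dst), 'correct:', correlate(refs, dst, 'tcp', port))
```

Running it shows the difference the deck is driving at: for 10.0.0.7 the cheap lookup says “not-vulnerable” because the FTP-free SSH scan had no findings, while the port-aware lookup says “unknown”, which is the only honest answer when port 80 was never scanned.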
Sources of Correlation Errors
• What happens when the META DATA is incorrect?
  – Advisories can have incorrect CVEs, Bugtraq IDs and so on
  – We’ve seen cases where the wrong CVE or Bugtraq reference is in the IDS signature
  – With 14,000+ plugins, we’ve made mistakes putting the wrong CVE, Bugtraq ID, etc. in Nessus scripts too
Sources of Correlation Errors
• Disparity in NIDS ports and Scanned Ports
  – Few organizations scan all 65k TCP and UDP ports
  – Few organizations scan for ALL available vulnerabilities
  – So what happens if vulnerability #44 is on port 55000 but we never scanned for it?
Sources of Correlation Errors
• Disparity in NIDS rules and Scanner checks
  – NIDS Rules are updated daily, and so are vuln scanner checks, but scans might not happen daily
  – What happens when your NIDS starts to detect today’s attack-of-the-week but you have not scanned for it yet?
    • More on this in a moment …
Multiple Vulnerability Scans
• There is only one network.
• It might change.
• We scan it often to detect the change.
• Hopefully our VA/IDS solution is keeping up with the scans.
• More solutions are becoming available that detect network changes in order to drive scans.
Multiple Vulnerability Scans
• Very Cheap Model
  – No real correlation; VA data just presented when requested or invoked
• Cheap Models
  – Only the last scan is used for correlation
  – Vulnerabilities are not port/protocol centric
• Misleading Models
  – Vulnerabilities never get fixed
  – “Point scans” magically fix other vulnerabilities
    • i.e. the monthly SSH scan didn’t find any FTP issues
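The “only the last scan counts” and “point scans magically fix other vulnerabilities” models both come from forgetting what a scan covered. The Python below is an added example, not code from the slides or from Tenable; the hosts, check names and scan days are constructed. It keeps every finding open until a later scan that actually included that host, probed that port and ran that check comes back without it, so a monthly SSH-only scan can close an SSH finding but cannot close an FTP one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    proto: str
    port: int
    check: str           # scanner plugin/check identifier that produced the finding


@dataclass(frozen=True)
class Scan:
    day: int             # constructed ordinal day; any monotonic timestamp works
    hosts: frozenset     # hosts the scan targeted
    ports: frozenset     # (proto, port) pairs actually probed
    checks: frozenset    # checks actually run
    findings: frozenset  # Finding objects the scan reported


def last_scan_wins(scans):
    """The 'cheap model' from the slides: only the most recent scan is believed,
    so anything the latest scan did not look for silently disappears."""
    return set(max(scans, key=lambda s: s.day).findings)


def scan_covers(scan, f):
    """A scan can only speak to a finding it was in a position to rediscover."""
    return f.host in scan.hosts and (f.proto, f.port) in scan.ports and f.check in scan.checks


def merge_with_coverage(scans):
    """Coverage-aware model: replay scans in order; a finding is opened whenever it is
    reported and closed only by a later scan that covered it and did not report it."""
    is_open = {}
    for scan in sorted(scans, key=lambda s: s.day):
        for f in scan.findings:
            is_open[f] = True
        for f in is_open:
            if is_open[f] and scan_covers(scan, f) and f not in scan.findings:
                is_open[f] = False
    return {f for f, still_open in is_open.items() if still_open}


# Constructed history for two hypothetical hosts (not data from the slides).
FTP_ANON = Finding('10.0.0.21', 'tcp', 21, 'ftp-anonymous-login')
SSH_OLD = Finding('10.0.0.22', 'tcp', 22, 'ssh-outdated-version')

FULL_SCAN_DAY1 = Scan(1, frozenset({'10.0.0.21', '10.0.0.22'}),
                      frozenset({('tcp', 21), ('tcp', 22), ('tcp', 80)}),
                      frozenset({'ftp-anonymous-login', 'ssh-outdated-version', 'http-banner'}),
                      frozenset({FTP_ANON, SSH_OLD}))

# Monthly SSH-only point scan: same hosts, but only port 22 and only the SSH check.
# It reports nothing because SSH on 10.0.0.22 has been patched in the meantime.
SSH_POINT_SCAN_DAY30 = Scan(30, frozenset({'10.0.0.21', '10.0.0.22'}),
                            frozenset({('tcp', 22)}),
                            frozenset({'ssh-outdated-version'}),
                            frozenset())

HISTORY = [FULL_SCAN_DAY1, SSH_POINT_SCAN_DAY30]

if __name__ == '__main__':
    print('last scan wins :', last_scan_wins(HISTORY))       # empty: the FTP issue "magically" vanished
    print('coverage-aware :', merge_with_coverage(HISTORY))  # FTP finding still open, SSH finding closed
```

The same replay handles a host that drops out of scope: a finding on a host the later scan never targeted is simply carried forward, which is the behaviour you want when deciding whether an IDS event against that host deserves attention.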
Multiple Vulnerability Scans
[Figure: timeline of the different scans run against the same network: Patch Audit, Full Port Scan, SANS Top 20, Patch Verify Scan, DMZ Scan (twice), Mail Scan (twice), Point Vuln Scan]
Under Emphasis
• Basic idea
  – De-emphasize stuff I’m not affected by
  – Alert me if I’ve been attacked
• Problem
  – What if my vulnerability data isn’t as updated as my IDS data?
Under Emphasis
[Figure: timeline with two SCAN events and, between them, a continuous stream of “New IDS Rules” and “New Scan Rules” releases]
Under Emphasis
• For the latest round of “major” vulns:
  – Telnet -froot
  – ANI
  – MS DNS
• When did you first scan for these?
• When did you first notice these in your IDS logs?
OS Based VA/IDS Correlation
• Attempt to discover the type of OS and then associate relative vulnerabilities from it
• Lots of ways to guess the remote OS
  – Passive and/or Active fingerprint
  – Asset database
• These are not 100% accurate, but let’s assume they are …
OS Based VA/IDS Correlation
• Once we know the OS, which vulnerabilities do we associate with it?
  – All of them?
  – What if they have been patched?
OS Based VA/IDS Correlation
• What about client-side applications like Outlook?
• What about cross-platform applications like Skype, Mozilla, iTunes, etc.?
OS Based VA/IDS Correlation
• In a mixed environment of Solaris, UNIX, Linux, Windows, etc. filtering out or highlighting attacks is useful.
  – Example vendor customer testimonial: “With product XYZ, we go from 1,000,000 events a day to just 100”.
  – Keep in mind a lot of IDS events just don’t correlate
• For discriminating between two servers where one has a patch and the other doesn’t, it is misleading.
Patch and Passive Data
Why isn’t patch data used more?
Positive
• Accuracy
• Client Vulns
• Works all over
• Fast
Negative
• No more agents!
• Can’t get creds!
• IT won’t share
Patch and Passive Data
“I’ve been scanning since you were in diapers sonny!”
“Those IT guys don’t know #%#$# about security.”
Patch and Passive Data
Why isn’t passive data used more?
Positive
• Real Time
• Client Vulns
• Works all over
• Fast
Negative
• Accuracy
• No span port
• BW or topology
Tuning Your IDS/IPS
• Based on your discovered assets, applications or vulnerabilities, only enable certain rules
  – Your NIDS runs faster !!
  – No more silly false positives !!
• Example
  – None of your systems run SNMP
  – Remove all of the SNMP rules on your IDS/IPS
Tuning Your IDS/IPS
• Marketing claims from some IPS vendors:
  – “Vulnerability Shielding”
  – “Virtual Patching”
  – “In-line Patching”
• The key is to have near-real time awareness of what is on your network
• Any lag between network change and what your IPS is blocking is a window of time where events are not prevented or monitored correctly.
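The SNMP example and the warning about lag between a network change and the IPS configuration can be expressed as one rule-selection step. The Python below is an added example, not Tenable code or a Snort feature: the rules, their sids, the port-variable values and the service inventory are all constructed. Rule headers are parsed the way Snort writes them (action proto src sport -> dst dport); a rule whose destination port matches no discovered service is disabled, an “any”-port rule is always kept, and if the inventory is older than the allowed age nothing is disabled at all, because tuning against stale asset data is exactly the window of missed events the slide describes.

```python
import re

# Constructed Snort-style rules (Snort syntax; the sids and messages are made up for this example).
RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request"; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS translate header"; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET login attempt"; sid:9000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Generic shellcode pattern"; sid:9000004; rev:1;)',
]

# Port variables as they would be defined in snort.conf (constructed values).
PORT_VARS = {'$HTTP_PORTS': {80, 8080}}

# action proto src sport -> dst dport (
HEADER_RE = re.compile(r'^\s*(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\(')
SID_RE = re.compile(r'sid:\s*(\d+)\s*;')


def destination_ports(rule):
    """Return (proto, ports). ports is a set of ints, or None for an 'any'-port rule,
    which service inventory alone can never justify disabling. Only plain ports,
    lo:hi ranges and single $VARIABLES are handled here."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f'unparsable rule header: {rule[:40]!r}')
    proto, port = m.group(2).lower(), m.group(3)
    if port == 'any':
        return proto, None
    if port in PORT_VARS:
        return proto, set(PORT_VARS[port])
    if ':' in port:
        lo, hi = (int(x) for x in port.split(':'))
        return proto, set(range(lo, hi + 1))
    return proto, {int(port)}


def select_rules(rules, services, inventory_age_days, max_age_days=1):
    """Split rules into (kept, disabled). services is the set of (proto, port) pairs
    discovered on the network. A rule is kept if it is 'any'-port or some discovered
    service matches one of its destination ports. If the inventory is older than
    max_age_days nothing is disabled: stale asset data is the lag the slides warn about."""
    if inventory_age_days > max_age_days:
        return list(rules), []
    kept, disabled = [], []
    for rule in rules:
        proto, ports = destination_ports(rule)
        if ports is None or any((proto, p) in services for p in ports):
            kept.append(rule)
        else:
            disabled.append(rule)
    return kept, disabled


def sids(rules):
    """Snort ids of the given rules, in order, for reporting."""
    return [int(SID_RE.search(r).group(1)) for r in rules]


# Constructed inventory: HTTP on tcp/80 and SSH on tcp/22 were discovered; no SNMP, no Telnet.
SERVICES = {('tcp', 80), ('tcp', 22)}

if __name__ == '__main__':
    kept, disabled = select_rules(RULES, SERVICES, inventory_age_days=0)
    print('kept:', sids(kept), 'disabled:', sids(disabled))
```

With a fresh inventory the SNMP and Telnet rules are disabled and the HTTP and “any”-port rules stay; with a week-old inventory the full rule set is kept untouched until the discovery data catches up.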
Latent Scanner Handicaps
• Need to know your tools and processes
  – What ports do we scan for?
  – What checks do we use?
  – Are we using credentials or agents?
Latent Scanner Handicaps
• How does your scanner technology get updated with new checks?
  – Does each scanner need a manual update?
  – How often is my organization pushing new checks?
  – Are there RSS feeds or email alerts when new checks are available?
Latent Scanner Handicaps
• What is in my scanner “black box”?
  – They might say Nessus …
  – They probably are using Nessus 2 …
  – They probably are using checks which were relevant in 2005, and not doing patch auditing on modern MS OSes
Latent Scanner Handicaps
• What is in my MSP’s “black box” scanner?
  – How often do they push new checks into production?
  – What is their source of new checks?
    • Qualys, Nessus, nCircle, IBM/ISS, etc.
Summary
• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn’t Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments
Questions?
Resources
• Tenable White Papers
  – Correlating IDS Alerts with Vulnerability Information
  – Security Event Management
  – Advanced Event Correlation Scripting
  – Blended Vulnerability Assessments
• Tenable BLOG & Demos & Webinars
  – http://blog.tenablesecurity.com
  – http://www.tenablesecurity.com
    • Click “DEMOS” for Webinars & Product info
• http://www.nessus.org
Questions?
• Other question topics:
  – IDS evasion?
  – Scanner impact?
  – IPv6 and IDS/Scanners?
  – Configuration auditing and IDS events?
  – Testing for IDS vulnerabilities?
  – Host IDS logs and VA/IDS correlation?