I have to agree with Ron here. We've actually taken steps to bypass SIM
solutions for _some_ functionality. SIMs do offer a lot of
functionality beyond simply correlating vulnerability information to
IDS/IPS information. However, for customers who are using SIM solutions
solely to correlate vulnerability and IDS/IPS data, we've simply
integrated it into our Server software. So, customers can choose to run
Nessus or Nevo, generate an .xml report from that product, and we'll do
the correlation for them. i.e. when we see an attack, we'll correlate
(without a SIM) with the output of the customer's Nessus scan to figure
out if they would have been vulnerable to that alert. This is
particularly useful when our customers deploy us in inline IPS mode.
They can go back to management and show them attacks that were stopped,
that Nessus/Nevo said they were vulnerable to. This is the same type
of functionality offered by an increasing number of our competitors.
Having said all this, I think SIM solutions definitely provide a service
that we are NOT trying to fill. i.e. aggregation of data from many
types of devices, and correlation of data across multiple logging
devices. Often, a SIM can correlate a simple event (an event that
neither a host based, nor network based product would have _alerted_
on), with other simple events, and determine that all these seemingly
simple events are in fact something bigger. The basic aggregation of
potentially benign data is, all by itself, very useful. The further
correlation capabilities to look for things that your
detection/prevention tools may have missed is also useful.
However, I believe more and more vendors, as they compete for the
almighty dollar, will continue to look at their own products and see
where they can add as much functionality as possible for their
customers at the lowest price. The end result will be 95% solutions
for 50% of the cost. The other 5% is going to end up costing you the
other 50%. :)
-dave
Systems Engineer, NFR Security
http://www.nfr.com
Ron Gula wrote:
At 03:56 PM 1/5/2006, Raffael Marty wrote:
> On the subject of SIMs and vulnerability analysis scans...has anyone
> actually found this feature to be useful?
> 1) I can't even imagine letting my SIM scan the network in such an ad hoc
> manner. It doesn't help that none of the vendors seem to bother with
> providing much in the way of documentation of the process. I'm in a wacky
> world where an outage is almost never trivial;-) I've used Nessus enough
> to know that it WILL eventually cause an outage.
I think you misunderstand what a SIM does with respect to vulnerability
scans. SIMs import scans from vulnerability scanners that you have
deployed. For example from Nessus. I think I remember that there is one
product (not even sure if it is a SIM) that does ad-hoc scans for events
it gets. That's just not a good idea, introduces a lot of latency (so
doesn't scale) and has the problems you outline. Again. In general, SIMs
import vuln-scans, they don't scan themselves.
One of the reasons we design Tenable's products as a blend of SIM and VM
is because this import function is a leap of faith. Too often, I see great
SIM products loaded with last year's vuln data, or vuln data that didn't
have the proper credentials or vuln data that was only a discovery scan.
With Tenable's products, you can do SIM and VM at the same time with one
product set. If scanning too often is an issue, we can also sniff network
traffic with NeVO to find new hosts, applications and vulnerabilities.
Having accurate vulnerability data makes any SIM process (incident response,
VA/IDS correlation, updated asset inventory, etc.) much more relevant.
Ron Gula, CTO
Tenable Network Security
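The two points above, Dave's description of correlating an IDS alert against an imported Nessus report to decide whether the target "would have been vulnerable", and Ron's warning that an imported scan is a leap of faith if it is stale or incomplete, can be shown in one small script. The following is an added example written for this page, not NFR's or Tenable's code. It assumes a report laid out like the later .nessus v2 XML (ReportHost/ReportItem elements with port, protocol, pluginID and <cve> children, plus a HOST_END tag for the scan time); the hosts, ports, CVE IDs, alert signatures and the 30-day staleness threshold are all invented for the example.

```python
"""Correlate IDS alerts with an imported vulnerability scan, without a SIM.

Added example for this thread (not NFR's or Tenable's code). The XML layout
below is an assumption modeled on the .nessus v2 format; all data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

PortKey = Tuple[str, int]
HOST_LEVEL: PortKey = ("general", 0)   # port 0 = host-wide finding (assumption)
SCAN_REVIEW_TIME = datetime(2006, 1, 6)  # "now" for the constructed run
MUCH_LATER = datetime(2006, 3, 1)        # used to show the stale-scan case

# Constructed sample report; hosts, ports and CVE IDs are invented.
SAMPLE_NESSUS_XML = """<NessusClientData_v2><Report name="lab">
 <ReportHost name="10.0.0.5"><HostProperties>
  <tag name="host-ip">10.0.0.5</tag><tag name="HOST_END">Thu Jan  5 14:30:00 2006</tag>
 </HostProperties>
  <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="10001"
   pluginName="Example web flaw"><cve>CVE-2005-0001</cve></ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964"
   pluginName="Service Detection"></ReportItem>
 </ReportHost>
 <ReportHost name="10.0.0.6"><HostProperties>
  <tag name="host-ip">10.0.0.6</tag><tag name="HOST_END">Thu Jan  5 14:31:00 2006</tag>
 </HostProperties>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="10002"
   pluginName="Example SMB flaw"><cve>CVE-2005-0002</cve></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""


@dataclass
class HostFindings:
    scanned_at: Optional[datetime] = None
    open_ports: Set[PortKey] = field(default_factory=set)
    cves: Dict[PortKey, Set[str]] = field(default_factory=dict)


def parse_nessus(xml_text: str) -> Dict[str, HostFindings]:
    """Index the report by host IP: scan time, open ports, and CVEs per port."""
    hosts: Dict[str, HostFindings] = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        ip, h = rh.get("name"), HostFindings()
        for tag in rh.iter("tag"):
            if tag.get("name") == "host-ip":
                ip = tag.text.strip()
            elif tag.get("name") == "HOST_END":  # e.g. "Thu Jan  5 14:30:00 2006"
                h.scanned_at = datetime.strptime(tag.text.strip(), "%a %b %d %H:%M:%S %Y")
        for item in rh.iter("ReportItem"):
            key = (item.get("protocol", "tcp"), int(item.get("port", "0")))
            if key[1] != 0:
                h.open_ports.add(key)  # a finding on a real port means it answered
            else:
                key = HOST_LEVEL
            for cve in item.findall("cve"):
                h.cves.setdefault(key, set()).add(cve.text.strip())
        hosts[ip] = h
    return hosts


@dataclass(frozen=True)
class Alert:
    signature: str
    dst_ip: str
    proto: str
    dst_port: int
    cve: Optional[str] = None  # CVE reference carried by the IDS signature, if any


def correlate(alert: Alert, hosts: Dict[str, HostFindings], now: datetime,
              max_age: timedelta = timedelta(days=30)) -> Tuple[str, str]:
    """Return (verdict, reason) for one alert against the imported scan."""
    h = hosts.get(alert.dst_ip)
    if h is None:
        return "unknown", "target host not in scan"
    if h.scanned_at is not None and now - h.scanned_at > max_age:
        return "stale", f"scan of {alert.dst_ip} is {(now - h.scanned_at).days} days old"
    key = (alert.proto, alert.dst_port)
    if alert.cve and (alert.cve in h.cves.get(key, set())
                      or alert.cve in h.cves.get(HOST_LEVEL, set())):
        return "vulnerable", f"scan reported {alert.cve} on {alert.dst_ip}"
    if key not in h.open_ports:
        return "not_vulnerable", f"{alert.proto}/{alert.dst_port} was not open at scan time"
    if alert.cve is None:
        return "unknown", "port open, but signature carries no CVE to match"
    return "not_vulnerable", f"port open, scan did not report {alert.cve}"


def triage(alerts: List[Alert], hosts: Dict[str, HostFindings], now: datetime) -> Dict[str, int]:
    """Count verdicts: the 'attacks stopped that we were vulnerable to' summary."""
    counts: Dict[str, int] = {}
    for a in alerts:
        verdict, _ = correlate(a, hosts, now)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


SAMPLE_ALERTS = [  # constructed IDS alerts
    Alert("WEB example exploit", "10.0.0.5", "tcp", 80, "CVE-2005-0001"),
    Alert("SMB example exploit", "10.0.0.5", "tcp", 445, "CVE-2005-0002"),
    Alert("SMB example exploit", "10.0.0.6", "tcp", 445, "CVE-2005-0002"),
    Alert("SSH version probe", "10.0.0.5", "tcp", 22),
    Alert("WEB example exploit", "10.0.0.9", "tcp", 80, "CVE-2005-0001"),
]

if __name__ == "__main__":
    scan = parse_nessus(SAMPLE_NESSUS_XML)
    for a in SAMPLE_ALERTS:
        print(a.dst_ip, a.signature, *correlate(a, scan, SCAN_REVIEW_TIME))
    print(triage(SAMPLE_ALERTS, scan, SCAN_REVIEW_TIME))
```

The last verdict in `correlate` is the leap of faith Ron describes: "port open, scan did not report CVE" only means the scan did not find it, which is worthless if the scan ran without credentials or was only a discovery scan. The `stale` verdict is the cheap guard against last year's data; anything beyond that (was the scan credentialed, did it run the relevant plugin family) has to come from the scan metadata or from a passive source such as NeVO, and a real deployment should treat an unconfirmed "not_vulnerable" as lower confidence than a closed port.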
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
------------------------------------------------------------------------