Re: [ISN] RFI aims at security info sharing

From: InfoSec News (isnat_private)
Date: Fri Feb 07 2003 - 00:43:18 PST


    Forwarded from: H C <keydet89at_private>
    Cc: dfrankat_private
    From what I've seen of corporate and gov't (some state and fed)
    infrastructures, from what's been in the news, and from my experience
    with commercial security systems, I find it hard to believe that
    determining the method for exchanging incident information is turning
    out to be such a difficult endeavor.

    Managed security monitoring structures, such as those set up by RipTech
    (now Symantec) have gone a long way toward solving this problem.
    MountainWave (producer of CyberWolf, now owned by Symantec) did a
    great deal of work in 'normalizing' audit log data, as well as data
    from several commercial and freeware tools.

    Simply looking at the results of defaced web pages, the various worms,
    etc., it's easy to see that the real issue isn't so much how to
    exchange incident data, but how to *get* credible incident data in the
    first place.  It would seem that even today, across the entire
    spectrum of infrastructures (state, federal, private, commercial,
    etc.), the true limiting factors are first detecting an incident, and
    then quickly and accurately gathering credible data regarding that

    As an example (only an example) I teach a self-developed IR course for
    Win2K (XP and NT, as well).  The course utilizes several hands-on lab
    exercises, in which the attendees return from a break to find their
    systems "compromised" by a Trojan.  While all systems have Internet
    access, the only instruction to the attendees is that they can't use
    any tools from the CD provided.  Invariably, the only tools used are
    Task Manager and Event Viewer.

    In another instance, I was investigating an incident at a data center.
    I asked the MCSE+I admin to provide me with the IIS 5.0 web logs.  I
    received a zipped archive containing three .evt files.  Doh!

    My point is this...if setting up a format for exchanging information
    is so difficult, what happens when we get to actually collecting
    information?  If the reliance is on commercial security tools, then
    there's another issue...anyone with a modicum of experience is aware
    of configuration issues, as well as the issue of false positives.
    While this is also true, to some degree, with the various freeware
    tools, the overall point is GIGO...garbage in, garbage out.  If the
    commercial tools are having limited success within each individual
    organization, what is the expected outcome of connecting all of these

    > For some time, FedCIRC has been working with the CERT Coordination
    > Center (CERT/CC) on the Data Analysis Capability (DAC), a solution
    > that will allow FedCIRC to analyze and correlate incident
    > information across government. The idea is that as more agencies
    > share information, the better the overall management of security
    > incidents will be.
    >
    > Several agencies have helped test the DAC and work through policy
    > issues surrounding data sharing among agencies, but technologically,
    > agencies face difficulty in combining information from proprietary
    > commercial security systems.
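    The two collection problems the post describes (being handed .evt event log
    files when IIS web logs were requested, and normalizing whatever is usable
    into one record shape) can be illustrated in code. The following is an added
    example written for this archive page; it is not code from the post's author,
    from ISN, or from any product named above (RipTech, CyberWolf). The IIS field
    names (c-ip, cs-method, cs-uri-stem, sc-status) and the "LfLe" signature at
    offset 4 of an NT/2000 .evt file are real; the sample log lines, the sample
    header bytes, and the NormalizedEvent record layout are constructed for the
    example.

```python
# Added example (not from the ISN post or any product it mentions).
# Checks, from file content rather than file name, that a collected artifact is
# what was asked for, then normalizes the usable rows into one record shape.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a fragment of an IIS 5.0 W3C extended log (benign traffic).
SAMPLE_IIS_LOG = b"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-06 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-02-06 00:00:01 192.0.2.10 GET /default.htm 200
2003-02-06 00:00:05 192.0.2.77 GET /nosuchpage.htm 404
"""

# Constructed sample: the first 16 bytes of an NT/2000 .evt file. A real file
# starts with the header record length (0x30) followed by the "LfLe" signature.
SAMPLE_EVT_HEADER = b"\x30\x00\x00\x00LfLe" + b"\x00" * 8

EVT_SIGNATURE = b"LfLe"
W3C_DIRECTIVES = (b"#Software:", b"#Version:", b"#Fields:", b"#Date:")


def classify_artifact(data: bytes) -> str:
    """Decide from content what was actually handed over: 'evt', 'iis_w3c' or 'unknown'."""
    if len(data) >= 8 and data[4:8] == EVT_SIGNATURE:
        return "evt"
    if data.lstrip().startswith(W3C_DIRECTIVES):
        return "iis_w3c"
    return "unknown"


@dataclass
class NormalizedEvent:
    timestamp: str            # "YYYY-MM-DD HH:MM:SS" exactly as written in the log
    source_ip: Optional[str]  # client address, if the log carried one
    action: str               # HTTP method for web logs
    target: str               # requested resource
    outcome: str              # HTTP status for web logs
    origin: str               # which log family the record came from


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # layout can change mid-file
            continue
        if line.startswith("#"):
            continue  # other directives carry no rows
        if not fields:
            raise ValueError(f"line {lineno}: data row before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        rows.append(dict(zip(fields, values)))
    return rows


def normalize_iis(rows: List[Dict[str, str]]) -> List[NormalizedEvent]:
    """Map IIS field names onto the common record; fields the log lacks become '-'."""
    return [
        NormalizedEvent(
            timestamp=f"{r.get('date', '-')} {r.get('time', '-')}",
            source_ip=r.get("c-ip"),
            action=r.get("cs-method", "-"),
            target=r.get("cs-uri-stem", "-"),
            outcome=r.get("sc-status", "-"),
            origin="iis",
        )
        for r in rows
    ]


def collect_web_logs(artifacts: Dict[str, bytes]) -> Dict[str, object]:
    """Keep the artifacts that really are IIS logs; report every other file by detected type."""
    events: List[NormalizedEvent] = []
    rejected: Dict[str, str] = {}
    for name, data in artifacts.items():
        kind = classify_artifact(data)
        if kind == "iis_w3c":
            events.extend(normalize_iis(parse_iis_w3c(data.decode("ascii", "replace"))))
        else:
            rejected[name] = kind
    return {"events": events, "rejected": rejected}


if __name__ == "__main__":
    result = collect_web_logs({"ex030206.log": SAMPLE_IIS_LOG, "AppEvent.evt": SAMPLE_EVT_HEADER})
    for ev in result["events"]:
        print(ev)
    print("rejected:", result["rejected"])
```

    Run as-is it reports the .evt artifact as rejected with its detected type and
    yields two normalized web records; the same classify-before-parse step is what
    catches the zipped .evt files from the anecdote before they silently become
    "web logs" in a shared data set.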

    This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 03:24:01 PST