Forwarded from: H C <keydet89at_private>
Cc: dfrankat_private

From what I've seen of corporate and gov't (some state and fed) infrastructures, from what's been in the news, and from my experience with commercial security systems, I find it hard to believe that determining the method for exchanging incident information is turning out to be such a difficult endeavor. Managed security monitoring structures, such as those set up by RipTech (now Symantec), have gone a long way toward solving this problem. MountainWave (producer of CyberWolf, now owned by Symantec) did a great deal of work in 'normalizing' audit log data, as well as data from several commercial and freeware tools.

Simply looking at the results of defaced web pages, the various worms, etc., it's easy to see that the real issue isn't so much how to exchange incident data, but how to *get* credible incident data in the first place. It would seem that even today, across the entire spectrum of infrastructures (state, federal, private, commercial, etc.), the true limiting factors are first detecting an incident, and then quickly and accurately gathering credible data regarding that incident.

As an example (only an example), I teach a self-developed IR course for Win2K (XP and NT, as well). The course utilizes several hands-on lab exercises, in which the attendees return from a break to find their systems "compromised" by a Trojan. While all systems have Internet access, the only instruction to the attendees is that they can't use any tools from the CD provided. Invariably, the only tools used are TaskManager and EventViewer.

In another instance, I was investigating an incident at a data center. I asked the MCSE+I admin to provide me with the IIS 5.0 web logs. I received a zipped archive containing three .evt files. Doh!

My point is this...if setting up a format for exchanging information is so difficult, what happens when we get to actually collecting information?
If the reliance is on commercial security tools, then there's another issue...anyone with a modicum of experience is aware of configuration issues, as well as the issue of false positives. While this is also true, to some degree, with the various freeware tools, the overall point is GIGO...garbage in, garbage out. If the commercial tools are having limited success within each individual organization, what is the expected outcome of connecting all of these systems?

> For some time, FedCIRC has been working with the CERT Coordination
> Center (CERT/CC) on the Data Analysis Capability (DAC), a solution
> that will allow FedCIRC to analyze and correlate incident
> information across government. The idea is that as more agencies
> share information, the better the overall management of security
> incidents will be.
>
> Several agencies have helped test the DAC and work through policy
> issues surrounding data sharing among agencies, but technologically,
> agencies face difficulty in combining information from proprietary
> commercial security systems.

- ISN is currently hosted by Attrition.org
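One practical check for the kind of hand-over mix-up described in the post (IIS web logs requested, .evt event logs delivered), added here as an example and not part of the original message: identify each received file by its content rather than its name or the sender's description. The .evt header layout and the IIS W3C extended log directives are the standard formats; the sample bytes, file names and `check_handover` helper are constructed for this example.

```python
import struct

# Constructed sample artifacts (not real evidence): the first bytes of a
# Windows NT/2000 .evt file (header length 0x30, then the "LfLe" signature)
# and the first lines of an IIS 5.0 W3C extended log.
SAMPLE_EVT = struct.pack("<I", 0x30) + b"LfLe" + b"\x00" * 40
SAMPLE_IIS = (b"#Software: Microsoft Internet Information Services 5.0\r\n"
              b"#Version: 1.0\r\n"
              b"#Date: 2003-02-06 00:00:00\r\n"
              b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n"
              b"2003-02-06 00:00:01 10.0.0.5 GET /default.htm 200\r\n")

# Fields that must be present for a W3C log to count as an HTTP server log.
WEB_LOG_FIELDS = {"cs-method", "cs-uri-stem", "sc-status"}


def classify_artifact(data: bytes) -> str:
    """Identify what a handed-over file actually is from its leading bytes."""
    # Event log: 4-byte little-endian header size (0x30) followed by "LfLe".
    if len(data) >= 8 and struct.unpack("<I", data[:4])[0] == 0x30 \
            and data[4:8] == b"LfLe":
        return "windows-evt"
    # W3C extended log: directive lines first; the #Fields line names columns.
    if data.startswith(b"#Software:"):
        for line in data.splitlines():
            if line.startswith(b"#Fields:"):
                names = line[len(b"#Fields:"):].decode("ascii", "replace").split()
                if WEB_LOG_FIELDS <= set(names):
                    return "iis-w3c-log"
        return "w3c-log-other"
    return "unknown"


def check_handover(files: dict, expected: str) -> list:
    """Return the names of received files that are not the requested type."""
    return [name for name, data in files.items()
            if classify_artifact(data) != expected]


if __name__ == "__main__":
    received = {"SecEvent.Evt": SAMPLE_EVT, "ex030206.log": SAMPLE_IIS}
    print(check_handover(received, "iis-w3c-log"))  # → ['SecEvent.Evt']
```

Run the check on the contents of the archive before the admin leaves the room; a non-empty result means the evidence request has to be repeated.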
This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 03:24:01 PST