
Correlating IPS/IDS events and VA feeds

Overview

Correlating IPS/IDS events with VA scan results is another step in our effort to integrate the various threat-information components into a unified ecosystem, one that already includes components such as ThreatDB and ThreatIQ.

By analyzing IPS events and matching them against the known vulnerabilities of a given system or network, we can tailor our alerting to each individual environment (be it a whole network or standalone assets) and so provide high-quality, actionable information to the end user.

Also, knowing beforehand about the possible vulnerabilities on a given network, we can evaluate the performance and signature relevance of the IPS/IDS monitoring that network. This also lets us suggest which rules to enable or disable, which further improves alert quality as well as the performance and detection speed of that IDS.

Integration axis

  1. VA-based IDS rules.
    In this case, we use the VA scan results to push the appropriate rules to our IDS, so we know beforehand that any triggered alert will be relevant and of high quality.
  2. Persistent VA/IDS correlation database.
    A master database listing the known vulnerabilities of each system can be used to check reported incidents as they are received, discarding irrelevant ones and elevating relevant ones (or adjusting a scoring factor accordingly).
  3. Real-time correlation assessment.
    This approach is similar to the above, except that we do not keep a persistent database of known vulnerabilities; instead we scan the relevant (targeted) system on the fly to determine whether it is vulnerable or not. The benefit of this approach is that the result is never outdated, but the obvious drawback is the latency it introduces into decision-making, which makes it ineffective or even inapplicable in low-latency/high-throughput environments.

MOREAL integration, a high-level approach

ips-ids-1
The above diagram illustrates a high-level overview flowchart for correlating IDS-generated events and relevant VA scan results.

  1. By employing various feeds (both open-source and proprietary), a master reference database [1] is populated and maintained. This gives us at least one-to-one links between the vendor IDs of the various incidents and a common reference of our choice (currently CVEs) where applicable.
  2. A client can upload VA scan results (currently supporting Nessus v2 .CSV-formatted results), which are stored in a separate database [2] after being enriched with appropriate information (such as the client's organization ID).
  3. When a threat event is received, we search the master database for the IDs relevant to that particular event (we effectively map vendor IDs to Nessus IDs).
    If a match is found, we check whether that ID exists in our assets' vulnerabilities DB, and if it does we produce an alert [3].
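The three steps above, as an added example that is not MOREAL's own code: a constructed Nessus-style CSV is loaded and enriched with an organization ID (DB [2]), a constructed master reference maps IDS signature IDs to CVEs (DB [1]), and an incoming event is elevated to a critical alert only when the targeted asset carries a matching vulnerability. The signature IDs, hosts, org IDs and CSV column names are assumptions for illustration.

```python
import csv
import io

# Constructed sample of a Nessus CSV export. The column names are assumed to
# follow the usual Nessus export layout; only the columns used here are kept.
NESSUS_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
10001,CVE-2000-0001,7.5,High,10.0.0.5,tcp,80,Example web flaw
10002,,5.0,Medium,10.0.0.5,tcp,22,Example SSH banner
"""

# Constructed master reference DB [1]: IDS vendor signature ID -> CVE list.
MASTER_REF = {
    "ids:2001": ["CVE-2000-0001"],
    "ids:2002": ["CVE-2000-0099"],
}


def load_va_results(csv_text, org_id):
    """Parse VA results and enrich each row with the org ID, as in DB [2].

    Returns {(org_id, host): {(plugin_id, cve), ...}}.
    """
    va_db = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (org_id, row["Host"])
        va_db.setdefault(key, set()).add((row["Plugin ID"], row["CVE"]))
    return va_db


def correlate(event, master_ref, va_db):
    """Decide the severity of an IDS event against the assets' vulnerabilities DB.

    Returns ("critical", matched plugin IDs) when a CVE behind the signature is
    present on the targeted asset, ("info", ()) when the asset is not affected
    and ("unmapped", ()) when the signature has no CVE reference at all.
    """
    cves = set(master_ref.get(event["sig_id"], []))
    if not cves:
        return "unmapped", ()
    asset_vulns = va_db.get((event["org_id"], event["dst_host"]), set())
    hits = tuple(sorted(pid for pid, cve in asset_vulns if cve in cves))
    return ("critical", hits) if hits else ("info", hits)
```

An event whose signature maps to a CVE the asset does not carry is kept as informational rather than dropped, so that rule-tuning suggestions can still be derived from it.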

A demonstration example

  1. Upon uploading a VA result to MOREAL, the criticality of the respective assets is updated accordingly (DVL_Dicease_VM in our example).

    ips-ids-2

    VA results upload screen

    ips-ids-3

    Excerpt from the Assets DB listing asset criticality, scan results upload date, etc.

    ips-ids-4

    Excerpt from the Vulnerabilities DB being populated with the reported issues.

  2. A threat event is reported by the IDS protecting the asset.
    ips-ids-5
  3. MOREAL cross-checks all relevant information and produces a critical alert upon a match, thus elevating and distinguishing the important, actionable incidents.
    ips-ids-6