Friday, November 14, 2008
I was very excited to read about TCG IF-MAP on Chris Hoff's blog last week. Chris found it interesting as something that could bring some light to the "cloud nightmare" and to virtualization issues. I like IF-MAP, however, because it raises the security intelligence level on the network. Today most SIEM installations work mostly with information from network devices and concentration points, like firewalls and IPSes. There are a lot of things happening in the endpoint world, behind those enforcement points, that are not usually detected and fed into correlation systems. IF-MAP seems to be a nice way to share security information across security tools, including SIEMs, to allow better correlation. Look at this example from the IF-MAP FAQ:

"Q. What can people do with IF-MAP?

A. The IF-MAP 1.0 specification supports many use cases. The following are two examples:

• An intrusion detection system with an IF-MAP client publishes an alert to an IF-MAP server ("IP address 10.10.100.24 is sending anomalous traffic"); a firewall that subscribes to information involving 10.10.100.24 receives a notification from the IF-MAP server, triggering an automatic response.

• A Security Event Manager (SEM) system queries an IF-MAP server to find the aggregate associations between the IP address and MAC published by the DHCP server, the user name published by the RADIUS server, and the hostname published by the DNS server.

Since IF-MAP is extensible, more use cases may be supported in the future."

I always believed that effective correlation on security should be able to deal with information from different layers, like MAC, IP, port, user name, information context, physical location, among others. Sometimes two events don't show any correlation when looking at the network level, but when you look at them on higher layers you can see they are referring to similar things.
With this perspective you can not only figure out that the exploit from IP X being detected by the IDS and blocked at the firewall are the same event (ok, it has its value, but not that much), but you can also start to identify collusion between different internal users to bypass segregation of duties controls, privilege abuse and stolen credentials in use. That should be the playing field for security intelligence, and IF-MAP can help vendors to produce tools that can do that.
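To make the two FAQ use cases and the cross-layer argument concrete, here is an added Python sketch (not IF-MAP code and not the spec's schema) of a MAP server as a graph of identifiers with published metadata on the links; the identifier types, metadata fields, addresses and user names are constructed assumptions. It shows the IDS-alert-to-firewall notification and the SEM-style walk that ties two unrelated-looking IPs to the same RADIUS identity.

```python
from collections import defaultdict

class MapServer:
    """Simplified in-memory stand-in for an IF-MAP server (assumption: real
    IF-MAP uses SOAP/XML, typed identifiers and a richer search language)."""
    def __init__(self):
        self.links = defaultdict(dict)   # identifier -> {identifier: metadata}
        self.subs = defaultdict(list)    # identifier -> [callback]

    def publish(self, a, b, metadata):
        """A client (DHCP, RADIUS, DNS, IDS, ...) links identifiers a and b."""
        self.links[a][b] = metadata
        self.links[b][a] = metadata
        for ident in (a, b):             # notify subscribers, like a poll result
            for cb in self.subs[ident]:
                cb(a, b, metadata)

    def subscribe(self, ident, callback):
        self.subs[ident].append(callback)

    def aggregate(self, start, max_depth=3):
        """Walk the graph from one identifier: the SEM query from the FAQ."""
        seen, frontier = {start}, [start]
        for _ in range(max_depth):
            frontier = [n for f in frontier for n in self.links[f] if n not in seen]
            seen.update(frontier)
        return seen

def build_map():
    """Constructed sample: DHCP (ip-mac), RADIUS (mac-identity), DNS (ip-hostname)."""
    srv = MapServer()
    srv.publish(("ip", "10.10.100.24"), ("mac", "00:11:22:33:44:55"), {"src": "dhcp"})
    srv.publish(("mac", "00:11:22:33:44:55"), ("identity", "alice"), {"src": "radius"})
    srv.publish(("ip", "10.10.100.24"), ("hostname", "ws24.corp.example"), {"src": "dns"})
    srv.publish(("ip", "10.10.7.9"), ("mac", "66:77:88:99:aa:bb"), {"src": "dhcp"})
    srv.publish(("mac", "66:77:88:99:aa:bb"), ("identity", "alice"), {"src": "radius"})
    return srv

def identity_for(srv, ip):
    """Cross-layer correlation: which user names sit behind this IP?"""
    return {n[1] for n in srv.aggregate(("ip", ip)) if n[0] == "identity"}

def ids_alert_triggers_firewall(srv, ip="10.10.100.24"):
    """Use case 1: firewall subscribes to the IP, IDS publishes an alert."""
    blocked = []
    def on_update(a, b, metadata):
        if metadata.get("event") == "alert":
            blocked.append(a[1])         # the firewall's automatic response
    srv.subscribe(("ip", ip), on_update)
    srv.publish(("ip", ip), ("event", "anomalous-traffic"), {"event": "alert", "src": "ids"})
    return blocked
```

Two alerts on 10.10.100.24 and 10.10.7.9 look unrelated at the IP layer, but `identity_for` resolves both to `alice`, which is the kind of higher-layer match the post argues a SIEM should be able to make.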