using dynamic host tracking to ensure accurate host trending for vulnerability management


Upload: tripwire

Posted on 20-Jul-2015


TRANSCRIPT

Page 1: Using Dynamic Host Tracking to Ensure Accurate Host Trending for Vulnerability Management

Page 2

Page 3

Page 4

DHCP

VPN

Complex Environments

Page 5

A numeric identifier for hosts that appear in more than one scan session. This number (the persistent host ID) is the key to DHT.

These are the numbers (the criteria weights) that decide how the one above is derived.

Page 6

Every one of these settings is tracked clearly in IP360 and SIH reports whenever available.

The categories below should look familiar to you.

Page 7

Make sure your values add up.

Before choosing weights, review your scan results.

Page 8

Information collected during the scan cycle is used to identify the host. If the information collected can be used to positively identify a host, it will be used for matching.

When data is collected well and DHT values are properly selected, interval reporting will show excellent results.

Page 9

The default set gives IP Address a weight of 100: all matches are formed on IP only.

You can choose one of our preset defaults here. A custom set can be inserted here when Custom is selected.

Caution! All tracking data will be lost!

Two or more criteria should add up to >58.

Page 10

If your hosts are static, your DHT should be too.

This is an excellent choice for data centers and other segments where all hosts have static IP addresses.

Page 11

Any 2 of these 3 criteria will add up to 59 and form a match.

This is a good option for segments that are Windows only.

Page 12

DNS can form a match with any additional piece of criteria, or the other 3 can override it.

For mixed environments where DNS information is regularly collected.

The highest match combination takes precedence.

Page 13

NOT good! Two or more criteria should be required to form a match.

Custom values are ones you derive based on your knowledge of the network. Validate your assumptions before setting these values.

Page 14

Values should be carefully selected based on research.

The Hostname field can be populated with either DNS or NetBIOS info.

OS Detection is not too specific in this example.

The first step to selecting good DHT values is understanding the composition of the network. DHT is network specific.

Page 15

Common characteristics

Port signature is here.

Review a sampling of hosts in the network to be configured, not just one.

Page 16

If the answer to any of these questions is “Yes”, you probably have a DHT issue.

Low host counts are often indicative of inappropriate matching.

Page 17

This host appears multiple times in the same network, therefore it has multiple persistent host IDs.

This data only represents 2 days' worth of audits… Scoring over time is erratic.

Page 18

IP360 only shows 3 hosts in this network… There are 8 different IP addresses here.

Conclusion: either this device has multiple network interfaces, or DHT is inappropriately matching.

Page 19

The XML3 test works for all versions of IP360. This information is available in other export formats, but XML3 is the easiest to read.

Both excerpts below are from the same XML3 document. These IP addresses do not match, yet the persistent host ID is the same.

Page 20

Network overlap is the enemy of DHT.

IP360 must have sufficient privileges to get accurate, consistent scan results.

Hosts with generic hostnames will be difficult to match correctly.

Setting DHT to match on criteria that are generic or not collected consistently.

Page 21

Overlapping networks are not your friend.

This host is already contained within that network.

DHT will match hosts within a network, but not across them.

Page 22

Unauthenticated or underprivileged scans produce sparse results that can be difficult to match on correctly.

The low score and generic OS do not give DHT much to go on other than IP and hostname.

Page 23

DNS and NetBIOS are very important criteria for matching.

Multiple hosts with ‘Name not in DNS’ may mean these hosts are not properly registered with the DNS server. It can also mean a DNS server has not been bound to the DP monitoring that network.

If no DNS information is available, the hostname field is populated with the NetBIOS name if it is known.

Page 24

A perceived influx of unique hosts with their own data would cause the database to swell. Increased database sizes due to failed matching attempts can cause slowness and other performance problems.

Since each incidence of the same host will be tracked as unique, any timeframe or distinct audit report would list unmatched hosts multiple times instead of once.

Page 25

Multiple records for the same host likely mean it is not being matched consistently.

Focus reports can provide helpful information.

Page 26

These host records are from 2 different XML3 exports. Notice how all identifying information is the same except for Persistent Host ID.

XML3 analysis can help to identify hosts that do not match as well.
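The weighted matching rules from pages 9 to 13 and the two diagnostic symptoms from pages 17, 18 and 26 (one persistent host ID carrying many IP addresses; one host spread over several persistent host IDs), worked through as an added Python example. This is illustration code written for this page, not Tripwire's IP360 implementation: the criterion names, the three non-default weight sets, the record layout, the list of generic values and the three scan sessions are all constructed assumptions. The only rules taken from the deck are the >58 threshold, the IP-only default weight of 100, the "highest match combination takes precedence" rule and the NetBIOS fallback for the hostname field.

```python
"""Weighted host matching in the style of Dynamic Host Tracking (DHT).

Illustration only, not Tripwire's code. Criterion names, the non-default weight
sets, the record layout, GENERIC and the scan data are constructed for this example.
"""
from itertools import combinations
from typing import Dict, List, Optional, Tuple

MATCH_THRESHOLD = 58                      # deck: matching criteria "should add up to >58"
CRITERIA = ("ip", "dns", "netbios", "os", "port_signature")
# Constructed list of values that identify nothing and never contribute to a score.
GENERIC = {None, "", "Name not in DNS", "Unknown"}
Record = Dict[str, Optional[str]]

WEIGHTS: Dict[str, Dict[str, int]] = {
    # deck default: IP = 100, matches are formed on IP only
    "static":  {"ip": 100, "dns": 0,  "netbios": 0,  "os": 0,  "port_signature": 0},
    # constructed: any two of IP / NetBIOS / OS add up to 59 (the Windows-only pattern)
    "windows": {"ip": 30,  "dns": 0,  "netbios": 30, "os": 29, "port_signature": 0},
    # constructed: DNS plus any one other criterion reaches 59; the other three override it
    "mixed":   {"ip": 29,  "dns": 30, "netbios": 29, "os": 0,  "port_signature": 29},
    # constructed: the deck's "NOT good" shape, one criterion alone forms a match
    "bad":     {"ip": 60,  "dns": 0,  "netbios": 0,  "os": 59, "port_signature": 0},
}


def validate_weights(weights: Dict[str, int]) -> List[str]:
    """Return warnings for a weight set; an empty list means it follows the deck's guidance."""
    warnings = []
    singles = [c for c in CRITERIA if weights.get(c, 0) > MATCH_THRESHOLD]
    # IP alone is the deck's own static preset; any other lone criterion is the "NOT good" case.
    if singles and set(singles) != {"ip"}:
        warnings.append(f"a single criterion forms a match on its own: {singles}")
    pair_ok = any(weights.get(a, 0) + weights.get(b, 0) > MATCH_THRESHOLD
                  for a, b in combinations(CRITERIA, 2))
    if not singles and not pair_ok:
        warnings.append("no pair of criteria reaches the threshold, so no host will ever match")
    return warnings


def match_score(a: Record, b: Record, weights: Dict[str, int]) -> int:
    """Sum the weights of every criterion on which both records carry the same non-generic value."""
    return sum(weights.get(c, 0) for c in CRITERIA
               if a.get(c) not in GENERIC and a.get(c) == b.get(c))


def track(sessions: List[List[Record]], weights: Dict[str, int]) -> List[Tuple[int, int, Record]]:
    """Assign persistent host IDs across scan sessions; one (session, ID, record) per observed host.

    The highest-scoring tracked record above the threshold wins; otherwise a new ID is issued.
    """
    tracked: Dict[int, Record] = {}
    observations: List[Tuple[int, int, Record]] = []
    next_id = 1
    for s_idx, session in enumerate(sessions):
        for host in session:
            best_id, best_score = None, MATCH_THRESHOLD
            for pid, rec in tracked.items():
                score = match_score(host, rec, weights)
                if score > best_score:
                    best_id, best_score = pid, score
            if best_id is None:
                best_id, next_id = next_id, next_id + 1
            tracked[best_id] = dict(host)      # newest observation becomes the reference record
            observations.append((s_idx, best_id, dict(host)))
    return observations


def hostname(rec: Record) -> Optional[str]:
    """Deck rule: the hostname field holds DNS, or NetBIOS when DNS is unavailable."""
    return rec.get("dns") if rec.get("dns") not in GENERIC else rec.get("netbios")


def diagnose(observations: List[Tuple[int, int, Record]], max_ips: int = 3) -> Dict[str, list]:
    """Flag the deck's two symptoms: one ID seen with more than max_ips addresses
    (over-matching or a multi-homed device) and one hostname+OS spread over several IDs
    (failed matching, the duplicate-record case). Raise max_ips on busy DHCP segments."""
    ips_by_id: Dict[int, set] = {}
    ids_by_identity: Dict[tuple, set] = {}
    for _, pid, rec in observations:
        ips_by_id.setdefault(pid, set()).add(rec.get("ip"))
        ids_by_identity.setdefault((hostname(rec), rec.get("os")), set()).add(pid)
    return {
        "id_with_many_ips": sorted(p for p, ips in ips_by_id.items() if len(ips) > max_ips),
        "identity_with_many_ids": sorted((k for k, ids in ids_by_identity.items() if len(ids) > 1), key=str),
    }


def _host(ip, dns, netbios, os, sig) -> Record:
    return {"ip": ip, "dns": dns, "netbios": netbios, "os": os, "port_signature": sig}


# Constructed sample: three hosts on a DHCP segment, three scan sessions, leases rotating.
# WS-ALICE and the Linux build box are in DNS; WS-BOB is not registered.
SESSIONS = [
    [_host("10.0.0.5", "ws-alice.corp.example", "WS-ALICE", "Windows 10", "135,139,445"),
     _host("10.0.0.6", "Name not in DNS", "WS-BOB", "Windows 10", "135,139,445"),
     _host("10.0.0.7", "lin-build.corp.example", None, "Linux", "22,80")],
    [_host("10.0.0.9", "ws-alice.corp.example", "WS-ALICE", "Windows 10", "135,139,445"),
     _host("10.0.0.5", "Name not in DNS", "WS-BOB", "Windows 10", "135,139,445"),
     _host("10.0.0.7", "lin-build.corp.example", None, "Linux", "22,80")],
    [_host("10.0.0.9", "ws-alice.corp.example", "WS-ALICE", "Windows 10", "135,139,445"),
     _host("10.0.0.12", "Name not in DNS", "WS-BOB", "Windows 10", "135,139,445"),
     _host("10.0.0.20", "lin-build.corp.example", None, "Linux", "22,80")],
]


def persistent_ids(preset: str) -> int:
    """Number of persistent host IDs issued for the sample; the true host count is 3."""
    return len({pid for _, pid, _ in track(SESSIONS, WEIGHTS[preset])})


if __name__ == "__main__":
    for name, w in WEIGHTS.items():
        print(f"{name:8s} warnings={validate_weights(w)} ids={persistent_ids(name)} "
              f"diagnosis={diagnose(track(SESSIONS, w))}")
```

Running the file prints one line per weight set. With the IP-only default the three DHCP hosts receive six persistent IDs (each lease change looks like a new host, and WS-BOB inherits WS-ALICE's ID when it picks up her old address); the Windows-style set keeps the two Windows hosts together but loses the Linux box when its lease changes, because it has no NetBIOS name; the mixed set tracks the DNS-registered hosts correctly but splits WS-BOB into three IDs, which is exactly page 23's point about hosts that are not in DNS; and the single-criterion set collapses both Windows hosts into one ID carrying four addresses, page 18's symptom. The same two checks in `diagnose` are what you would run over the host records of an XML3 export to spot the cases on pages 19 and 26.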

Page 27

One of the easiest ways to identify host matching issues is in the Security Intelligence Hub.

Configuration > Asset Groups

You must have appropriate privileges to view this screen.

Page 28

Inconsistent DNS information makes it a poor match point. OS information is relatively good.

A good algorithm for this network would give OS and IP higher weights, as well as NetBIOS.

Evaluation of matching performance would determine if an effort to assign DNS names was warranted.

Page 29

The majority of hosts respond to DNS queries.

OS info is generic in most cases, so it is not a good match point.

High scores on most hosts suggest port signature may be a good match point.

Strong, consistent DNS information makes it an excellent match point for this network, one that could form a match paired with pretty much any other piece of criteria.

Page 30

tripwire.com | @TripwireInc