ISS Fusion - A Do It Yourself MSSP?
I had the chance to see a friend's ISS Fusion system in action on a large corporate network just before the Thanksgiving holiday. Before I talk about Fusion, let me set the stage.
Let’s say you purchase an intrusion detection system (IDS) with network sensors and host agents for your SCADA system. You also have your firewall logs, server logs, and application logs. All this great technology creates two challenges. First, how are you going to correlate all the security events? And second, can you afford to have a 24×7 security staff to monitor and react to the events? Most events are benign and could wait until business hours, but it takes a skilled intrusion analyst to make the distinction between critical events and false positives. The answer for most organizations is to pay a managed security service provider (MSSP) for the correlation technology and round-the-clock manpower.
The SiteProtector Fusion Module is ISS’s answer for those companies that want to keep the monitoring function in house without the cost of a round-the-clock analyst team. In ISS’s own words, “the SiteProtector™ Security Fusion Module immediately estimates the impact of attacks, automatically alerts users to attacks that are successful, and de-emphasizes attacks that failed.” So in theory a control system operator could monitor the Fusion system for attacks that SiteProtector considers high risk or serious without having vast security knowledge. Sounds interesting.
My friend had been using Fusion for about six months and was very knowledgeable about the system. He gave me a full demo on live systems and data and answered a lot of questions. This is what I took away from the demo:
Pros:
- the unified user interface is great. Many vendors are cobbling together multiple management systems in one product, but each GUI is different. SiteProtector has one style of user interface for all of the various ISS products. The interface was clean and intuitive.
- integration with the scan engine works. ISS’s scanner identifies the type of system and patch level as well as identified vulnerabilities. Alerts are automatically adjusted to a lower level if the system is known to not be vulnerable to the attack. Why get paged for a Microsoft IIS attack on a UNIX system? Fusion solves this problem and is a major step forward.
- the beginning of automated correlation alerting for attack scenarios. A single event may not be critical, but a number of events from the same IP address may mean you are under a concerted attack from a system. Similarly, a combination of events such as reconnaissance, exploit, and owning the system may indicate a specific type of attack. Fusion can now look for these multi-event attacks. Very interesting, and it works for some simple scenarios.
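The two mechanisms above, vulnerability-aware downgrading of alerts and multi-event correlation from one source, sketched as an added example in Python. This is not ISS code; the asset inventory, signature metadata, event tuples and stage names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed asset inventory, as a vulnerability scanner might populate it:
# operating system plus the vulnerability IDs the host is known to be exposed to.
ASSETS = {
    "10.0.0.5": {"os": "windows", "vulns": {"iis-unicode"}},
    "10.0.0.9": {"os": "unix", "vulns": set()},
}

# Constructed signature metadata: target platform, exploited vulnerability (if any),
# base severity, and the attack stage the signature represents.
SIGNATURES = {
    "IIS_Unicode_Traversal": {"platform": "windows", "vuln": "iis-unicode", "base": "high", "stage": "exploit"},
    "Port_Sweep": {"platform": None, "vuln": None, "base": "low", "stage": "recon"},
    "Shell_Bind_Port": {"platform": None, "vuln": None, "base": "high", "stage": "compromise"},
}

def impact(sig_name, dst):
    """Return (severity, reason). Downgrade when the inventory says the target cannot be affected."""
    sig = SIGNATURES[sig_name]
    asset = ASSETS.get(dst)
    if asset is None:
        return sig["base"], "target unknown, no adjustment"
    if sig["platform"] and sig["platform"] != asset["os"]:
        return "low", f"target runs {asset['os']}, signature targets {sig['platform']}"
    if sig["vuln"] and sig["vuln"] not in asset["vulns"]:
        return "low", "target not vulnerable per scan"
    return sig["base"], "target may be affected"

def correlate(events, window=600):
    """Flag (src, dst) pairs where recon, then exploit, then compromise occur within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, sig in sorted(events):
        by_pair[(src, dst)].append((ts, SIGNATURES[sig]["stage"]))
    hits = []
    for (src, dst), seq in by_pair.items():
        for k, (t_comp, stage) in enumerate(seq):
            if stage != "compromise":
                continue
            recent = [s for t, s in seq[:k] if t_comp - t <= window]  # earlier stages inside the window
            if "recon" in recent and "exploit" in recent[recent.index("recon"):]:  # in order
                hits.append((src, dst))
                break
    return hits

# Constructed events: (timestamp, source, destination, signature)
EVENTS = [
    (100, "203.0.113.7", "10.0.0.9", "IIS_Unicode_Traversal"),  # IIS attack against a UNIX host
    (200, "203.0.113.7", "10.0.0.5", "Port_Sweep"),
    (260, "203.0.113.7", "10.0.0.5", "IIS_Unicode_Traversal"),
    (300, "203.0.113.7", "10.0.0.5", "Shell_Bind_Port"),
]
```

The first event is downgraded because the target runs UNIX, while the remaining three form a complete recon, exploit, compromise chain against one host and are reported together.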
Cons:
- automated analysis is far from sufficient to allow a SCADA operator to also operate the security monitoring system on off hours. This was a goal for my friend, and it is not close to being achieved. A number of potentially harmful, but ultimately benign, events come in every night. These events still require expertise to evaluate and would result in his team being paged EVERY night. Some of the reasons for this are additional cons listed below.
- it is difficult for the system to learn. One of the key benefits I have seen in the MSSP systems is the ability for an operator to add knowledge gained from experience into the correlation engines. When an MSSP processes an event, the information on how the event was processed is added to the correlation engine and affects the positive and negative filters.
- granularity. It is impossible, or at least difficult, to set a signature's alert level for individual systems or zones. For example, you may want to set different alert levels for internal vs. external attacks or even for specific systems. The alert level was primarily on a per-signature basis.
- personnel cost. Even though the system was not staffed 24×7, it still had 1.5 intrusion analysts dedicated for the ISS system. This is much less than the 7 people to run a 24×7 shop, but it may be more than the cost of outsourcing.
Summary: The ISS Fusion Module is the best commercial product I have seen for bringing the MSSP function in house. If you have a very large network with many sensors and are committed to doing this function in house, you should look at this solution. The Security Manager using the product believes it is an excellent solution for hardening the network and maintaining current security patches because of the integrated scanning, and it was very helpful at isolating and minimizing damage from the various worms over the last six months.
Most networks are still much better off outsourcing this function. The Fusion module is interesting, and we will continue to watch its progress.
Author: Dale Peterson
Posted: December 1st, 2003 under Security Vendor.