Intrusion Detection/Prevention Systems (IDS/IPS) examine network traffic using rules and signatures. Some of these rules or signatures are designed to detect exploits targeting specific vulnerabilities. A higher-fidelity IDS/IPS alert is one where the traffic matches a signature associated with a CVE and the target system is known to be vulnerable to that same CVE. This approach was commonly offered by IDS/IPS vendors, but it required organizations to run the vendor's agents on their systems.
Drawbacks to the single-vendor solution include:
Dependence on the vendor's agent.
It does not work for systems that cannot support the installation of the vendor's agents.
The organization might already use a separate vulnerability scanner that provides vulnerability data for all the systems it scans.
The solution below addresses all of these factors. A distinct vulnerability management system scans the systems and then integrates the data into the IDS/IPS through an API.
The CVE, which stands for 'Common Vulnerabilities and Exposures,' serves as a unique identifier that connects exploit detection IDS/IPS signatures to vulnerability data from systems that are vulnerable to that CVE.
When an IDS/IPS signature matches, and the target system is vulnerable to the CVE in that signature, it triggers a high-fidelity alert for the SOC and cybersecurity engineers.
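The correlation described above, as an added example that is not part of the original post or of any vendor's product: alerts carry the CVE their signature was written for, the vulnerability scanner's output is keyed by host, and an alert is escalated only when both agree. The alert and scan formats, the host addresses and the CVE ids are constructed placeholders; alerts with no CVE reference, or against hosts that were never scanned, are kept as "unknown" rather than silently dropped.

```python
import re

# Constructed sample IDS/IPS alerts. The 'reference' field carries the CVE the
# signature targets, in a "cve,YYYY-NNNN" style; this layout is an assumption.
IDS_ALERTS = [
    {"sid": 1001, "msg": "EXPLOIT constructed RCE attempt", "reference": "cve,0000-0001",
     "src_ip": "203.0.113.5", "dest_ip": "10.0.0.10"},
    {"sid": 1002, "msg": "EXPLOIT constructed traversal", "reference": "cve,0000-0002",
     "src_ip": "203.0.113.6", "dest_ip": "10.0.0.10"},
    {"sid": 1003, "msg": "SCAN constructed probe", "reference": "url,example.invalid",
     "src_ip": "203.0.113.7", "dest_ip": "10.0.0.20"},
    {"sid": 1001, "msg": "EXPLOIT constructed RCE attempt", "reference": "cve,0000-0001",
     "src_ip": "203.0.113.8", "dest_ip": "10.0.0.99"},   # host never scanned
]

# Constructed output of the separate vulnerability management system:
# host IP -> set of CVE ids (placeholder ids, not real CVEs) the host is vulnerable to.
VULN_SCAN = {
    "10.0.0.10": {"CVE-0000-0001"},
    "10.0.0.20": {"CVE-0000-0002"},
}

CVE_RE = re.compile(r"cve,(\d{4}-\d{4,})", re.IGNORECASE)


def cve_from_reference(reference):
    """Return a normalised 'CVE-YYYY-NNNN' id from the signature reference, or None."""
    m = CVE_RE.search(reference)
    return f"CVE-{m.group(1)}" if m else None


def correlate(alerts, scan):
    """Tag each alert with a fidelity level:
    'high'    - signature CVE is in the target host's vulnerability list
    'low'     - host was scanned but is not vulnerable to that CVE
    'unknown' - signature has no CVE, or the host has no scan data
    """
    tagged = []
    for alert in alerts:
        cve = cve_from_reference(alert["reference"])
        host_cves = scan.get(alert["dest_ip"])
        if cve is None or host_cves is None:
            fidelity = "unknown"
        elif cve in host_cves:
            fidelity = "high"
        else:
            fidelity = "low"
        tagged.append({**alert, "cve": cve, "fidelity": fidelity})
    return tagged


if __name__ == "__main__":
    for r in correlate(IDS_ALERTS, VULN_SCAN):
        print(r["sid"], r["dest_ip"], r["cve"], r["fidelity"])
```

Only the "high" alerts need to page the SOC; "low" and "unknown" can stay in the queue as lower-priority context, and a growing "unknown" count is itself a signal that scan coverage has gaps.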