1. Field of the Invention
The present invention relates generally to systems and methods for managing computer network vulnerability analysis systems. More particularly, the present invention relates to systems and methods for finding computer network security vulnerabilities, managing those vulnerabilities, and identifying intrusion detection events.
2. Background of the Invention
Current vulnerability systems typically include one active scanner to scan an entire network. The scan process may take as long as two weeks. Because of the time required to complete a scan, scans are not performed as frequently as desired to detect new or on-going system vulnerabilities. In addition, because the scans cross network switches and detect vulnerabilities by probing various devices and observing responses, the scans themselves may crash network devices.
Conducting an active vulnerability scan involves discovering systems that are present, discovering the services running on those systems, and discovering any vulnerabilities in the detected services. During an active vulnerability scan, the active scanner sends one or more packets and waits for a response. Limitations of bandwidth, memory and other factors make single-point vulnerability scanning solutions poorly suited to scanning large networks.
FIG. 1 is a schematic diagram of a conventional active scanning system. System 100 includes multiple routers 130, hosts or network devices 120 and a single active scanner 110.
Even in the small network of system 100, a single scanner 110 has to perform a considerable amount of work. Active scanner 110, which is placed in one network subnet, must send packets across several routers 130 and scan for various potential hosts 120 which may or may not be active. If any of routers 130 is performing firewall screening, the scan's results will be incomplete, because the scanner cannot reach hosts behind the firewall; scan results are therefore often limited in their accuracy. Also, host enumeration, operating system fingerprinting, service fingerprinting and port scanning may degrade network performance and in some cases may cause a network device to crash.
In addition to hardware limitations in gathering the data, software limitations exist in assimilating and interpreting the voluminous amount of data produced during a scan. Notably, a network vulnerability analysis system may include firewalls, intrusion detection system (IDS) devices and vulnerability scanners. Each of these devices produces large amounts of data, formats that data in its own way and classifies each type of attack according to its own terminology. Finding “real” threats in the data becomes a feat unto itself. Current vulnerability systems may filter particular events as “high priority” based upon the event name or some other variable, without any knowledge of whether the event targets an actual vulnerability of the system. Thus, events of no consequence to the system may be flagged (resulting in false positives), while true events may slip through the system undetected by security administrators.
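The triage problem described above can be made concrete with a small correlation engine. The following is an added example, not code from the patent or from any product it describes: two constructed IDS feeds in different formats and with different event names are normalized to one record shape, then each event is judged against a constructed active-scan inventory. The vulnerability identifiers (VULN-A and so on), the sensor event names, the hosts and the SIGNATURE_TO_VULN bridge table are all invented for illustration. Name-only triage marks every event "high"; correlated triage confirms only events that hit a vulnerability the scanner actually found, and keeps events against unscanned hosts or unmapped signatures visible rather than dropping them.

```python
"""Correlating IDS events with active-scan results (constructed example)."""
import csv
import io
import shlex
from dataclasses import dataclass

# Constructed scanner output: which vulnerability (placeholder IDs, not real
# advisories) was found on which host and port.
SCAN_RESULTS = [
    {"host": "10.0.1.5", "port": 22, "vuln": "VULN-A"},
    {"host": "10.0.1.5", "port": 80, "vuln": "VULN-B"},
    {"host": "10.0.2.9", "port": 443, "vuln": "VULN-C"},
]

# Two constructed IDS feeds in different formats, each with its own naming.
IDS_FEED_KV = """\
ts=1 src=192.0.2.10 dst=10.0.1.5 dport=22 sig="SSH Auth Bypass Attempt" prio=high
ts=2 src=192.0.2.11 dst=10.0.3.3 dport=22 sig="SSH Auth Bypass Attempt" prio=high
ts=3 src=192.0.2.12 dst=10.0.2.9 dport=80 sig="HTTP Dir Traversal" prio=high
"""
IDS_FEED_CSV = """\
time,source,target,target_port,rule_name,severity
4,198.51.100.7,10.0.2.9,443,TLS Buffer Over-read,3
5,198.51.100.8,10.0.1.5,443,TLS Buffer Over-read,3
"""

# Hand-maintained bridge (hypothetical) between each sensor's event names and
# the scanner's vulnerability identifiers.
SIGNATURE_TO_VULN = {
    "SSH Auth Bypass Attempt": "VULN-A",
    "HTTP Dir Traversal": "VULN-B",
    "TLS Buffer Over-read": "VULN-C",
}
CSV_SEVERITY = {"3": "high", "2": "medium", "1": "low"}


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    signature: str
    priority: str  # normalized to low/medium/high


def parse_kv(text):
    """Parse key=value lines; shlex keeps quoted signature names together."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(tok.split("=", 1) for tok in shlex.split(line))
        events.append(Event(int(f["ts"]), f["src"], f["dst"], int(f["dport"]),
                            f["sig"], f["prio"]))
    return events


def parse_csv(text):
    """Parse the CSV feed and map its numeric severity onto the common scale."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(Event(int(row["time"]), row["source"], row["target"],
                            int(row["target_port"]), row["rule_name"],
                            CSV_SEVERITY.get(row["severity"], "low")))
    return events


def build_vuln_index(scan_results):
    """Map (host, port) -> set of vulnerability IDs, and record scanned hosts."""
    by_port, hosts = {}, set()
    for r in scan_results:
        by_port.setdefault((r["host"], r["port"]), set()).add(r["vuln"])
        hosts.add(r["host"])
    return by_port, hosts


def classify(event, vuln_index):
    """Decide whether an event targets a vulnerability the scanner confirmed."""
    by_port, hosts = vuln_index
    vuln = SIGNATURE_TO_VULN.get(event.signature)
    if vuln is None:
        return "unmapped"      # no bridge entry: cannot judge, needs an analyst
    if event.dst not in hosts:
        return "unscanned"     # no scan data for this host: do not silently drop
    if vuln in by_port.get((event.dst, event.dport), set()):
        return "confirmed"     # event hits a vulnerability known to be present
    return "noise"             # host was scanned and the target is not vulnerable


def naive_high_priority(events):
    """Name/severity-only triage: everything the sensor itself called high."""
    return [e.ts for e in events if e.priority == "high"]


def correlated_triage(events, vuln_index):
    """Triage with scan knowledge: returns {ts: verdict}."""
    return {e.ts: classify(e, vuln_index) for e in events}


if __name__ == "__main__":
    events = parse_kv(IDS_FEED_KV) + parse_csv(IDS_FEED_CSV)
    index = build_vuln_index(SCAN_RESULTS)
    print("naive high-priority:", naive_high_priority(events))
    print("correlated:", correlated_triage(events, index))
```

On the constructed data, naive triage escalates all five events, while correlation confirms two, marks two as noise (the scanned host lacks the targeted vulnerability) and flags one as unscanned. The "unscanned" and "unmapped" verdicts are the important design choice: absence of scan coverage is not evidence of safety, so those events stay in the queue instead of being discarded.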
Yet another problem plaguing security systems is the lack of communications between various groups. For example, an IT department may not receive (or understand) security vulnerabilities determined by a security group. Further, executives or other department heads may have no idea how secure their business unit is either standing alone or in comparison to other units in the organization. Because of this lack of communication, system administrators are unable to hold individuals accountable for network security and may be unaware of the true security of their system.
Consequently, a substantial need exists for methods and systems capable of managing vulnerability detection information by gathering large amounts of disparate data, correlating it, and organizing it in an efficient manner that is useful to computer network security administrators and executives in other departments.