
Sheriff CSM™

Cross-Correlation

Cross-correlation is a special type of correlation performed by the Sheriff CSM. The Sheriff CSM Server uses cross-correlation to modify the reliability of a Network Intrusion Detection System (NIDS) event, which subsequently affects the risk assessment of the event.

Sheriff CSM only performs cross-correlation on events that have a destination IP address defined. The system checks whether any vulnerability has been identified on that destination. If the IDS has detected an attack against an IP address, and a related vulnerability has been found on the same IP, the reliability of the IDS event increases to 10.

The figure below provides an example, where the Sheriff Vulnerability Scanner detects the IIS remote command execution vulnerability on a server, and the Sheriff NIDS reports an attack exploiting that vulnerability on the same server.

Cross-correlation example—IIS remote command execution.
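
The rule described above, written out as an added Python sketch (not Sheriff CSM's own code or data model). The event fields, the signature-to-vulnerability cross-reference table, and every identifier and address in it are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

MAX_RELIABILITY = 10  # value a cross-correlated NIDS event is raised to


@dataclass(frozen=True)
class NidsEvent:
    sig_id: str             # NIDS signature identifier (constructed)
    dst_ip: Optional[str]   # None when the event carries no destination
    reliability: int        # reliability assigned before cross-correlation


# Constructed cross-reference: NIDS signature -> scanner findings it exploits.
SIG_TO_VULNS = {
    "nids-sig-1001": {"scan-plugin-2001"},  # IIS remote command execution
    "nids-sig-1002": {"scan-plugin-2002"},
}

# Constructed vulnerability scan results: host -> findings on that host.
HOST_VULNS = {
    "192.0.2.10": {"scan-plugin-2001", "scan-plugin-2099"},
    "192.0.2.20": {"scan-plugin-2002"},
}


def cross_correlate(event, sig_to_vulns=SIG_TO_VULNS, host_vulns=HOST_VULNS):
    """Return the event with reliability 10 when the destination host has a
    vulnerability related to the signature; otherwise return it unchanged."""
    if not event.dst_ip:
        return event  # no destination IP: not eligible for cross-correlation
    related = sig_to_vulns.get(event.sig_id, set())
    found = host_vulns.get(event.dst_ip, set())
    if related & found:  # attack and related vulnerability on the same IP
        return replace(event, reliability=MAX_RELIABILITY)
    return event


if __name__ == "__main__":
    samples = [
        NidsEvent("nids-sig-1001", "192.0.2.10", 3),  # vulnerable target
        NidsEvent("nids-sig-1001", "192.0.2.20", 3),  # unrelated finding only
        NidsEvent("nids-sig-1001", None, 3),          # no destination
    ]
    for ev in samples:
        print(ev.dst_ip, ev.reliability, "->", cross_correlate(ev).reliability)
```

Only the first sample is raised to 10; an attack against a host whose findings are unrelated to the signature keeps its original reliability.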

Sheriff Vigilante Limitations: Sheriff CSM includes a faster and more robust correlation section with more complex correlation directives. Sheriff Vigilante has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.

Topic revision: 17 Dec 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.