Wednesday, September 20, 2006

Changing Definitions of Network Security Monitoring

I first defined Network Security Monitoring in print through my contribution to the February 2003 book Hacking Exposed, 4th Edition. Prior to that I defined NSM in a December 2002 SearchSecurity Webcast. NSM probably became more recognized in my first book, where I repeated the same definition by writing "Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

I emphasized the role of indications and warning (I&W) because my Air Force intelligence background involved training specifically in that discipline. I recommend reading the last link above for additional insight into this approach.

Today, however, I reviewed some Department of Defense documentation that made me take a second look at my NSM definition. (You might say this proves I am not a slave to my prior writings. Then again, you won't ever hear me say a threat and a vulnerability are the same!)

I&W is defined as those intelligence activities intended to detect and report time-sensitive intelligence information on foreign developments that could involve a threat to the United States or allied and/or coalition military, political, or economic interests or to US citizens abroad. It includes forewarning of enemy actions or intentions; the imminence of hostilities; insurgency; nuclear/nonnuclear attack on the United States, its overseas forces, or allied and/or coalition nations; hostile reactions to US reconnaissance activities; terrorists' attacks; and other similar events. Also called I&W. See also information; intelligence.

Note the heavy emphasis on gaining intelligence on threats, namely their capabilities and intentions.

While reading a DoD document, I came across the term attack sensing and warning (AS&W), with which I was only vaguely familiar. AS&W is defined as the detection, correlation, identification and characterization of cyber attacks across a large spectrum coupled with the notification to command and decision makers so that an appropriate response can be developed. Attack sensing and warning also includes attack/intrusion related intelligence collection tasking and dissemination; limited immediate response recommendations; and limited potential impact assessments.

I have a feeling that AS&W might be derived from Army operations. A friend previously part of 1st Information Operations Command worked that unit's AS&W mission.

Looking at the AS&W definition, it seems more appropriate within the context of NSM than I&W. I haven't decided how I'll define NSM in my next book or major paper, but I will keep AS&W at the forefront of my thoughts.

2 comments:

Anonymous said...

AS&W isn't an Army IO term; the term is used by the DoD community as a whole.

I used to work in an organization that works with 1st IO's ASW section. They're a good crew.

John Ward said...

Rich,

"A rose by any other name would smell as sweet."

Don't focus so much on the syntax of ambiguous government definitions. With the exception of scope, the definitions seem very similar...

Given that, the only additional verbiage would be something along the lines of:
"Network security monitoring is the collection, analysis, identification, characterization escalation of indications, warnings, and events to detect, respond, and report intrusions to command and decision makers." Essentially, the same definition as before, except you are now including the process of reporting incidents to the appropriate parties in the definition. (Sorry, you know me, I've been trying to push you to back my belief of BI principles in NSM for some time now)