Tuesday, March 27, 2007

Ayoi on the Importance of NSM Data

At my ShmooCon talk I provided a series of case studies showing the importance of Network Security Monitoring data. The idea was to ask how an analyst could determine whether an IDS alert represented a real problem if high-quality data did not exist. Alert management is not security investigation, and unfortunately most products and processes implement the former while the latter is what is truly needed.

I noticed that Ayoi in Malaysia posted a series of blog stories showing his investigative methodology using NSM data and Sguil (Not Only Alert Data parts I, II, and III). These posts demonstrate several alerts and compare data available via an alert management tool like BASE versus a security investigation tool like Sguil. I am glad to see these sorts of stories because they show how people in the trenches do their jobs.

I have yet to meet an analyst -- someone responsible for finding intrusions -- who rejects my methods or the need for collecting NSM data. Almost everyone who argues against these methods is not directly responsible for the technical aspects of personally detecting and responding to intrusions.

5 comments:

Murali Raju said...

"Almost everyone who argues against these methods is not directly responsible for the technical aspects of personally detecting and responding to intrusions."

I could not agree with you more. On a lighter note, I am winning battles, but not the war on promoting NSM principles. It is a start...

_Raju

JengKlen said...

Wow...good jobs Ayoi...

Joel Esler said...

Richard--

I agree with you. It takes surrounding data.

When I used to be an analyst, I started with RealSecure, well, needless to say... sucked.

Snort came next, and it was awesome, but not enough.

I developed an IDS system with pcap logs, p0f, and Snort being analyzed by BASE.

Sguil wasn't as sharp as it is now, and wasn't as "stable", so it didn't work out for me. But being able to analyze a Snort alert by utilizing the src and dst, and running a tcpdump query for the surrounding timeframe was awesome. We found stuff we otherwise would have not found.

However, this approach was not feasible when we got over 10 sensors. The data being collected was just too much to deal with.

I can think of 100 different scenarios where products like RNA, IPS, IDS, Sguil-ish NSM tools, and the like all have their place, some more than others. RNA provides a lot of the contextual alerting without the need for "Immaculate Collection".

I don't disagree with you, but my point is, there is more than one way to skin a cat.
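An added example, not from the post or from Joel's comment, of the pivot he describes: take a Snort alert's source, destination and time, build the tcpdump filter for the two hosts, and pull the session records from the surrounding timeframe to see whether the target ever answered. The alert, the session table, the window sizes and the helper names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:  # one IDS alert: timestamp, 5-tuple, signature name
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    sig: str

@dataclass
class Session:  # one session record (SANCP/flow style) with payload bytes per side
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    bytes_src: int
    bytes_dst: int

def bpf_filter(alert):
    """tcpdump/BPF expression that pulls the full content between the two hosts."""
    return f"host {alert.src} and host {alert.dst}"

def context_window(alert, before=60, after=300):
    """Window around the alert; 60 s before and 300 s after are assumed defaults."""
    return alert.ts - timedelta(seconds=before), alert.ts + timedelta(seconds=after)

def related_sessions(alert, sessions, before=60, after=300):
    """Sessions that start inside the window and involve either alerting host."""
    lo, hi = context_window(alert, before, after)
    hosts = {alert.src, alert.dst}
    return [s for s in sessions if lo <= s.start <= hi and ({s.src, s.dst} & hosts)]

def target_responded(alert, sessions):
    """Did the destination send payload back in the session matching the alert's 5-tuple?"""
    for s in related_sessions(alert, sessions):
        if (s.src, s.sport, s.dst, s.dport) == (alert.src, alert.sport, alert.dst, alert.dport):
            return s.bytes_dst > 0
    return False  # no matching session at all: the alert stands alone

T = datetime(2007, 3, 27, 10, 15, 30)  # constructed sample data: one alert, three sessions
ALERT = Alert(T, "192.0.2.10", 43210, "203.0.113.5", 80, "CONSTRUCTED web exploit attempt")
SESSIONS = [
    Session(T - timedelta(seconds=2), "192.0.2.10", 43210, "203.0.113.5", 80, 1420, 0),
    Session(T + timedelta(seconds=45), "192.0.2.10", 43211, "203.0.113.9", 80, 300, 5120),
    Session(T - timedelta(minutes=30), "192.0.2.10", 40000, "203.0.113.5", 80, 500, 800),
]
```

With the sample data the matching session shows the target sent nothing back, which is the kind of fact an alert-only view cannot show; the half-hour-old session falls outside the window and is left out.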

Anonymous said...

Totally agree with you Joel Esler.

Anonymous said...

So what would be the best way to monitor?

hackathology.blogspot.com