Friday, June 15, 2007

DHS Einstein Demonstrates Value of Session Data

If you're looking for case studies to show management to justify collecting session data, check out Einstein keeps an eye on agency networks. I've known about this program for several years but waited until a high-profile story like this to mention it in my blog. Basically:

Since 2004, Einstein has monitored participating agencies’ network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks.

US-CERT’s security analysts use Einstein data to correlate cross-agency security incidents. Participating agencies can go to a secure Web portal to view their own network gateway data.

Einstein doesn’t eliminate the need for intrusion-detection systems on agencies’ networks, said Mike Witt, deputy director of US-CERT. But the 24-hour monitoring program does give individual agencies a view of activity in other parts of the federal network infrastructure that could affect their own networks...

Ten agencies participate in Einstein, and four or five others have indicated they plan to join by the end of the year. Witt said DHS officials hope to have most Cabinet-level agencies in the program by the end of 2008. DHS will try to expand participation to more of the midsize and small federal agencies later, he said.

“Einstein is not mandatory, so we have to do a sales job with agencies,” Witt said. Witt wouldn’t name the agencies that have signed up. In a public presentation last year, however, a DHS official identified eight participants. They were DHS, DOT, the departments of State, Treasury and Education, the Federal Trade Commission, the Securities and Exchange Commission, and the U.S. Agency for International Development. The Justice Department has since joined the program.


This is just the sort of project I'd like to roll out at my new job, possibly combining Argus with ArgusEye, or maybe just Sguil without Snort. The idea is to be an internal security awareness provider for business units, offering them better insights into their network activity while using that data to monitor for attacks and respond to incidents more effectively.

After a pilot program to demonstrate the value of the approach, I would consider more robust options like an internally-developed product or a commercial option. I know of at least one large customer of mine who read my first book and built their own session and full content capture appliance for about $50,000, rated up to OC-48 for full content collection.

Note that Einstein is session data only, and from what I hear some people find its capabilities and data format lacking -- hence the desire to run something else, pairing session data with full content. Session data is very helpful but never sufficient for real investigations.

5 comments:

Anonymous said...

Sounds like they are using something like Ourmon. If you want to do something similar to what they're doing, Ourmon might be a better solution than Argus. There are a few chapters on using Ourmon in Botnets: The Killer Web Applications if you're interested...

Richard Bejtlich said...

They're using something like Argus, but not Argus. I've seen the data.

LonerVamp said...

So...something that you can switch into full content mode and send to bigger storage! :D

geek00L said...

Rich,

Something interesting about session data is that it can give you clue about malicious event instead of relying on alert data only. It definitely increases your chance of noticing malicious activities and storing historical session data is way cheaper.

Argus allows you to read partial user data dump so sometimes it is enough to perform network forensic relying on argus itself however ourmon is more to serve as real time flow monitoring tool and the graphs generated by it is meaningful.

http://www.architectsban.webs.com said...
This comment has been removed by a blog administrator.