Friday, September 21, 2007

Tactical Traffic Assessment

When I wrote Extrusion Detection in 2004-5 I used the term Traffic Threat Assessment to describe a means of inspecting network traffic for signs of malicious activity. I differentiated among various assessments using this terminology.

  1. A vulnerability assessment identifies vulnerabilities and exposures in assets.

  2. A penetration test identifies at least one way that an adversary could exploit vulnerabilities and exposures to compromise a target or satisfy a related objective.

  3. A traffic threat assessment identifies traffic that indicates a network has already been compromised.


The goal of the customer determined which of the actions to perform.

I was never really comfortable with the term "traffic threat assessment," so I'm going to use Tactical Traffic Assessment starting now. The new name nicely differentiates a short-term, focused, tactical effort from a long-term, enterprise-wide, strategic program like Network Security Monitoring.

Tactical Traffic Assessment removes the "threat assessment" part from TTA, since "threat assessment" is more about characterizing the capabilities and intentions of an adversary than about whether he has compromised the enterprise.

Tactical Traffic Assessment also leaves room for finding non-security issues like misconfigured devices or other troubleshooting-related network problems.

1 comment:

Anonymous said...

Richard,

I agree that Tactical Traffic Assessment is a much more appropriate term for this type of analysis versus tactical threat assessment, but, along those lines, is Network Security Monitoring really an expansive enough term now that many enterprises are monitoring applications and user-level activity along with traditional network event sources at the same time (or, if they haven't gotten there yet, they are headed in that direction)? The principles of NSM apply no matter the event sources, but since we are keying in on terms in this post, the question is still relevant. Within an Enterprise Security Operations Capability, does NSM simply fall into a larger-scale enterprise monitoring/visibility initiative?