Wednesday, December 19, 2007

After Five Years, NSM Is Still More Than IDS

I've received a series of questions relating to Network Security Monitoring (NSM) recently, via email, blog comments, IRC questions, and so on. Just over five years ago (2 Dec 02) Bamm Visscher and I recorded a Webcast for SearchSecurity.com titled Network Security Monitoring Is More Than IDS. That URL links to a series of questions submitted in response to the podcast.

I still have a copy of our slides, which I just exported to .pdf and uploaded as bejtlich_visscher_techtarget_webcast_4_dec_02.pdf. Remarkably, I would hardly change any of the content. All of the arguments we made back then still hold today. The only real changes involve replacing one or two defunct Web sites.

Anyone who is trying to understand NSM will enjoy this presentation. Please post questions here, and I will either answer the comments directly or save them for a follow-on blog post. Thank you.

2 comments:

Anonymous said...

Richard,

It's amazing how consistent your NSM message has been for the past 5 years. :)

Do you have any thoughts on how well the NSM methodology scales? I recently read a comment on one of your earlier blog postings about how one person couldn't use the NSM methodology past 10 sensors:

http://taosecurity.blogspot.com/2007/03/ayoi-on-importance-of-nsm-data.html

I'm sure you must face this issue at GE, given that it probably has a lot more than 10 sensors. :)

Richard Bejtlich said...

Anonymous, that is such a good question I will address it and a separate question on IDS limitations in the Snort Report due for publication in February.