I've been tasked with reevaluating our current NSM / SIEM implementation, and I see that you posted about a NetFlow book you are techediting for Lucas.
My question is this: outside of Sguil, what do you prefer/recommend in the way of NSM products/solutions?
Our current NSM uses a modified version of NetFlow, and our Networking team also uses Cisco NetFlow elsewhere...
While I find it useful to collect header data, the current implementation lacks payload information. So while we may be able to turn back the clock to look at flows for a given duration, it's not always possible to see valuable contents...
Another wall I have hit with NetFlow is that the communication of the protocol takes place in somewhat of a half-duplex manner (i.e., it is possible to receive the response flow before you receive the request flow), thus making it difficult to assure a particular direction without some processing...
I have yet to see a blog post covering any consolidated comparisons to solutions regarding NSM.
I do have your NSM book on order from Amazon today if it already has the answers I'm looking for...
As always, thank you for your time Richard, I appreciate it greatly.
Thank you for the question. I don't recommend specific products, but I do recommend NSM data types. That way, you can ask the vendor which NSM data types they support, and then decide if their answer is 1) correct and 2) sufficient. For reference, the six NSM data types are:
- Alert: judgment made by a product ("Port scan!" or "Buffer overflow!"); either detect or block
- Statistical: high-level description of activity (protocol percentages, trending, etc.)
- Session: conversations between hosts ("A talked to B on Friday for 61 seconds sending 1234 bytes")
- Full Content: all packets on the wire
- Extracted Content: rebuild elements of a session and extract metadata
- Transaction: generate logs based on request-reply traffic (DNS, HTTP, etc.)
Looking at these six types, I can make the following general assessments of products. This is my opinion based on products I have encountered. If you find a product that performs better than the general categories I describe, excellent!
If you want to learn more about this, I'll be discussing it during my solo presentation at the 2009 Information Security Summit, October 29-30, 2009 at Corporate College East in Warrensville Heights, Ohio.