Comments on ISSA Journal Article
It's been 2 1/2 years since my first book was published, although I've been writing and speaking about Network Security Monitoring (NSM) for at least five years. I'm starting to see other people cite my works, which is neat. It also means people are starting to criticize what I wrote, so I need to elaborate on some ideas.
The December 2006 ISSA Journal includes an article by Robert Graham titled Detection Isn’t Optional: Monitoring-in-depth. (No, it's not the Robert Graham of Black Ice/ISS fame. This is a different person.)
The implication of this article is that NSM is insufficient because it does not integrate SNMP data, event logs, and other sources. I do not disagree with this assessment. The reason I focus on NSM is that I start from the premise of self-reliance. In many enterprises, the security team does not have access to SNMP data from infrastructure devices. That belongs to the networking team. They also might not have access to event logs, since those are owned by system administrators. In these situations, security analysts are left analyzing whatever data they can collect independently -- hence NSM.
Granted, the NSM definition I proposed is far too wide to apply strictly to traffic-centric monitoring. As I wrote previously I'm going to revise the NSM definition prior to writing a second edition of Tao. I think it makes sense to think of monitoring within this skeleton framework:
Here you see that I consider NSM to be a single part of the security aspect of enterprise situational awareness. NSM is not the be-all, end-all approach to solving enterprise problems. If I had tried to tackle this entire issue my first book could have been 2400 pages instead of 800. If you've read my blog for a while you'll remember seeing me review books on Nagios and host integrity monitoring and also commenting on SNMP. I do all this because I recognize the value of these other data sources.
The December 2006 ISSA Journal includes an article by Robert Graham titled Detection Isn’t Optional: Monitoring-in-depth. (No, it's not the Robert Graham of Black Ice/ISS fame. This is a different person.)
The implication of this article is that NSM is insufficient because it does not integrate SNMP data, event logs, and other sources. I do not disagree with this assessment. The reason I focus on NSM is that I start from the premise of self-reliance. In many enterprises, the security team does not have access to SNMP data from infrastructure devices. That belongs to the networking team. They also might not have access to event logs, since those are owned by system administrators. In these situations, security analysts are left analyzing whatever data they can collect independently -- hence NSM.
Granted, the NSM definition I proposed is far too wide to apply strictly to traffic-centric monitoring. As I wrote previously I'm going to revise the NSM definition prior to writing a second edition of Tao. I think it makes sense to think of monitoring within this skeleton framework:
- Enterprise Monitoring
- Performance Monitoring
- Fault Monitoring
- Security Monitoring
- Network- (i.e., traffic) centric
- Infrastructure-centric
- Host-centric
- Application-centric
- Compliance Monitoring
Here you see that I consider NSM to be a single part of the security aspect of enterprise situational awareness. NSM is not the be-all, end-all approach to solving enterprise problems. If I had tried to tackle this entire issue my first book could have been 2400 pages instead of 800. If you've read my blog for a while you'll remember seeing me review books on Nagios and host integrity monitoring and also commenting on SNMP. I do all this because I recognize the value of these other data sources.
Comments