Full Content
Thanks to this story I learned of the 2006 FISMA report, the most recent one. If you want a summary of the findings, read the story. Here I'd like to highlight an amazing paragraph on page 14.
B. Incident Detection
Agencies must be able to quickly detect and respond to incidents. During the next year, OMB will work with federal agencies to increase the exchange of packet level (full content) information regarding incidents which have penetrated an agency’s perimeter. Sharing this data will enable more effective analysis of attacks targeting multiple Federal agencies, and may enable more timely responses to new threats. The sharing of intrusion data will also improve the knowledge base of analysts in Federal agencies. (emphasis added)
I have a feeling the person who wrote that part of the report has read Tao or another one of my works.
I am detecting a trend. People are starting to realize they cannot understand or even detect incidents without having facts to analyze. Most security products provide inferences in the form of alerts; the product makes a judgement on what it's seen. Alerts are helpful but never sufficient. Analysts are driven to investigate NSM data in the form of facts; amateurs are satisfied with managing inferences in the form of alerts.
Full content data is the best form of network-centric fact since it completely represents a conversation. Session data is another excellent form of network-centric fact, but it sacrifices some granularity. Statistical data is a third form of network-centric fact, but it is least helpful because so much detail has been lost.
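To make the three levels of network-centric fact concrete, here is an added example (my own illustration, not code from the original post or from any NSM tool) that derives session data and statistical data from the same set of constructed packets, then asks one investigative question at each level. The packets, addresses, file name and byte counts are all constructed for illustration; the point is which questions survive each reduction.

```python
"""Added example: full content -> session data -> statistical data.

Full content is the packets themselves. Session data keeps who talked to
whom, when, and how much, but drops the payload. Statistical data keeps
only aggregates and drops the individual hosts. Each step discards
information that some investigative question needs.
"""
from collections import defaultdict

# Constructed full-content records (not captured traffic):
# (timestamp, src, sport, dst, dport, proto, payload)
PACKETS = [
    (1000.0, "10.1.1.5", 40001, "203.0.113.9", 80, "tcp",
     b"GET /update.exe HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),
    (1000.2, "203.0.113.9", 80, "10.1.1.5", 40001, "tcp",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00" + b"\x00" * 1200),
    (1001.0, "10.1.1.7", 40002, "203.0.113.9", 80, "tcp",
     b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),
    (1001.1, "203.0.113.9", 80, "10.1.1.7", 40002, "tcp",
     b"HTTP/1.1 200 OK\r\n\r\n<html>hi</html>"),
    (1002.0, "10.1.1.5", 40003, "198.51.100.4", 443, "tcp",
     b"\x16\x03\x01" + b"\x00" * 200),
    (1002.3, "198.51.100.4", 443, "10.1.1.5", 40003, "tcp",
     b"\x16\x03\x03" + b"\x00" * 1400),
]


def build_sessions(packets):
    """Session data: one record per bidirectional conversation, payload discarded.
    The first packet seen for a conversation defines the client side."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, payload in sorted(packets):
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = {
                "client": (src, sport), "server": (dst, dport), "proto": proto,
                "start": ts, "end": ts,
                "client_pkts": 0, "client_bytes": 0,
                "server_pkts": 0, "server_bytes": 0,
            }
        s["end"] = max(s["end"], ts)
        side = "client" if (src, sport) == s["client"] else "server"
        s[side + "_pkts"] += 1
        s[side + "_bytes"] += len(payload)
    return list(sessions.values())


def build_statistics(sessions):
    """Statistical data: per-service aggregates; individual hosts and times are gone."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        svc = (s["proto"], s["server"][1])
        stats[svc]["sessions"] += 1
        stats[svc]["bytes"] += s["client_bytes"] + s["server_bytes"]
    return dict(stats)


def hosts_that_fetched(packets, filename):
    """Answerable only from full content: which clients requested this file name?"""
    needle = filename.encode()
    return sorted({src for _, src, _, _, _, _, payload in packets
                   if payload.startswith(b"GET ")
                   and needle in payload.split(b"\r\n", 1)[0]})


def clients_of(sessions, server_ip, port):
    """Answerable from session data: who talked to this server, and when?"""
    return sorted((s["client"][0], s["start"])
                  for s in sessions if s["server"] == (server_ip, port))


def bytes_to_port(stats, port, proto="tcp"):
    """Answerable from statistics alone: how much traffic went to this service?"""
    return stats.get((proto, port), {"bytes": 0})["bytes"]


if __name__ == "__main__":
    sess = build_sessions(PACKETS)
    stats = build_statistics(sess)
    print("full content :", hosts_that_fetched(PACKETS, "update.exe"))
    print("session data :", clients_of(sess, "203.0.113.9", 80))
    print("statistics   :", bytes_to_port(stats, 80), "bytes to tcp/80")
```

Run top to bottom, the script shows the trade-off the paragraph describes: the statistics say only that two conversations carried some bytes to tcp/80; the session records add which internal hosts started them and when; only the full content shows that one of those hosts requested update.exe and received a response that begins with an executable header.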
In an attempt to head off a blizzard of complaints, note that I say "network-centric." As I've said many times elsewhere, sometimes a single accurate log statement like "File X containing Y was transferred between hosts A and B at time C over an encrypted channel using protocol Z" is more helpful than a million packets. However, sometimes the only data you have is that which you can gather passively and independently. I call that self-reliant Network Security Monitoring.
Expect to hear more on this topic at my ShmooCon talk. (Why oh why did they schedule me against Joe Stewart? I really looked forward to seeing his talk. Argh.)
I am not alone in these thoughts. Please read this blog post by Tate Hansen. I'd reproduce the whole thing here since I like all of it.
Comments
This might be a topic worth discussing at the next novasec. I definitely have some other thoughts about it.
By the way, it is too bad you're against Joe Stewart. Now I'm really torn. :p
This is proving a difficult choice for me as well... I wish I could be at both talks at once. :( I wonder if there will be video recordings this year?
Also, if you track down who at OMB placed this paragraph in their report, will you make it known? Thanks!