Saturday, March 03, 2007

Full Content

Thanks to this story I learned of the latest 2006 FISMA Report. If you want a summary of the findings, read the story. Here I'd like to highlight an amazing paragraph on page 14.

B. Incident Detection

Agencies must be able to quickly detect and respond to incidents. During the next year, OMB will work with federal agencies to increase the exchange of packet level (full content) information regarding incidents which have penetrated an agency’s perimeter. Sharing this data will enable more effective analysis of attacks targeting multiple Federal agencies, and may enable more timely responses to new threats. The sharing of intrusion data will also improve the knowledge base of analysts in Federal agencies.
(emphasis added)

I have a feeling the person who wrote that part of the report has read Tao or another one of my works.

I am detecting a trend. People are starting to realize they cannot understand or even detect incidents without having facts to analyze. Most security products provide inferences in the form of alerts; the product makes a judgement on what it's seen. Alerts are helpful but never sufficient. Analysts are driven to investigate NSM data in the form of facts; amateurs are satisfied with managing inferences in the form of alerts.

Full content data is the best form of network-centric fact since it completely represents a conversation. Session data is another excellent form of network-centric fact, but it sacrifices some granularity. Statistical data is a third form of network-centric fact, but it is least helpful because so much detail has been lost.

In an attempt to head off a blizzard of complaints, note I say "network-centric." As I've said many times elsewhere, sometimes a single accurate log statement like "File X containing Y was transferred between hosts A and B at time C over an encrypted channel using protocol Z" is more helpful than a million packets. However, sometimes the only data you have is that which you can gather passively and independently. I call that self-reliant Network Security Monitoring.

Expect to hear more on this topic at my ShmooCon talk. (Why oh why did they schedule me against Joe Stewart? I really looked forward to seeing his talk. Argh.)

I am not alone in these thoughts. Please read this blog post by Tate Hansen. I'd reproduce the whole thing here since I like all of it.


Anonymous said...

I'm impressed they used "packet level (full content) information" rather than "packet level data" because the difference is huge in my mind.

This might be a topic worth discussing at the next novasec. I definitely have some other thoughts about it.

By the way, it is too bad you're against Joe Stewart. Now I'm really torn. :p

Marcin said...

Expect to hear more on this topic at my ShmooCon talk. (Why oh why did they schedule me against Joe Stewart? I really looked forward to seeing his talk. Argh.)

this is proving a difficult choice for me as well.. I wish I could be at both talks at once, :( I wonder if there will be video recordings this year??

ContinuousCapture said...

Richard, I would love to read your thoughts on SP800-61. There's alot of reference to packet sniffers but as you point out, the session & statistical data is also very useful. Interested in your take on the list of tools in the publication and what you think of any commercial tools that fall into the table on G-5: Examples of Free and OPen Source Incident Detection Analysis Software.

Also, if you track down who at OMB has placed this paragraph in their report, will you make it known. Thanks!