Wednesday, February 06, 2008

NSM at the Endpoint

For many years I've advocated Network Security Monitoring (NSM) as a powerful way to improve digital situational awareness in an independent, self-reliant, and cost-effective manner. NSM relies on watching network traffic to identify suspicious and malicious activity, which prompts incident response and remediation activities. An underlying assumption is that the asset of interest is using a network you own and have adequately instrumented.

What do you do if you do not own the network?

Consider the following situation. First, a company laptop is connected via wired Ethernet to the company LAN. Here, traffic from the laptop out to the Internet can be assumed to traverse a link monitored by an NSM sensor. No problem.

Second, the user moves the laptop outdoors, and the link switches to using a company WLAN. Here, the traffic from the laptop out to the Internet eventually reaches the same wired link used in the first scenario, and hence is monitored by the same NSM sensor. Again, no problem.

In the third case, the user moves outside the reach of the company WLAN. Her laptop transitions to using an EVDO card or other metropolitan wireless network not operated by the company. Suddenly the network traffic generated by the laptop is invisible to the NSM sensor.

In a fourth case, the user moves home and uses her home network connection to access the Internet. This is the same problem as case number 3. If you think that using a VPN client that prevents split tunnels will solve this problem, what do you do when the laptop is connected to the home LAN but not yet connected to the company via VPN?

Clearly a large and definitely growing amount of network time is outside the reach of network-based sensors. I would personally still find network traffic generated by a compromised host to be extremely useful, regardless of how that host connects to any network. One option I pitched to NetWitness yesterday was to deploy a software agent to a suspected compromised system for purposes of collecting and storing network traffic to the victim hard drive.

In this model, once an asset has been identified as requiring additional monitoring, an agent is either pushed or activated that begins collection and retention. Periodically the agent reports summaries (probably session data) to a central server, and an analyst can decide what traffic should be fully retrieved for analysis. This approach has the benefit (some would say drawback, but whatever) of intercepting encrypted traffic as well. Remember, this is for an intrusion investigation. I am not a fraud/waste/abuse (FWA) investigator or privacy violator!
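As an added example (not code from this post, from NetWitness, or from any product named here), the following Python sketch models the agent workflow just described: full packets are retained in a bounded local buffer on the suspect host, the agent produces session-data summaries for a central server, and an analyst can pull the full packets of one selected session. The host name, interface labels and packet records are constructed sample input, not a real capture.

```python
"""Endpoint NSM agent sketch (added illustration, not the post's own code)."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    iface: str      # interface the packet crossed (constructed names)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    length: int     # bytes on the wire


SessionKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


def session_key(p: Packet) -> SessionKey:
    """Bidirectional flow key: both directions of a conversation map to one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto, lo, hi)


@dataclass
class Session:
    key: SessionKey
    iface: str
    first_ts: float
    last_ts: float
    packets: int = 0
    bytes: int = 0
    packet_ids: List[int] = field(default_factory=list)


class Agent:
    """Collects on the endpoint; full content stays local until an analyst asks for it."""

    def __init__(self, host_id: str, max_packets: int = 10_000):
        self.host_id = host_id
        self.max_packets = max_packets
        self.store = OrderedDict()              # packet id -> Packet, oldest first
        self.sessions: Dict[SessionKey, Session] = {}
        self.next_id = 0
        self.dropped = 0                        # packets expired from the ring buffer

    def observe(self, p: Packet) -> None:
        """Retain the full packet (ring buffer) and update its session record."""
        pid = self.next_id
        self.next_id += 1
        self.store[pid] = p
        if len(self.store) > self.max_packets:
            self.store.popitem(last=False)      # evict the oldest packet
            self.dropped += 1
        key = session_key(p)
        s = self.sessions.get(key)
        if s is None:
            s = Session(key, p.iface, p.ts, p.ts)
            self.sessions[key] = s
        s.last_ts = max(s.last_ts, p.ts)
        s.packets += 1
        s.bytes += p.length
        s.packet_ids.append(pid)

    def report(self) -> List[dict]:
        """Session-data summary the agent would send to the central server (no payloads)."""
        rows = []
        for s in sorted(self.sessions.values(), key=lambda s: s.first_ts):
            proto, (a_ip, a_port), (b_ip, b_port) = s.key
            rows.append({
                "host": self.host_id, "iface": s.iface, "proto": proto,
                "a": f"{a_ip}:{a_port}", "b": f"{b_ip}:{b_port}",
                "start": s.first_ts, "end": s.last_ts,
                "packets": s.packets, "bytes": s.bytes,
                # how many of the session's packets are still on local disk
                "retrievable": sum(pid in self.store for pid in s.packet_ids),
            })
        return rows

    def retrieve(self, key: SessionKey) -> List[Packet]:
        """Full packets for one analyst-selected session, in capture order."""
        s = self.sessions.get(key)
        if s is None:
            return []
        return [self.store[pid] for pid in s.packet_ids if pid in self.store]


# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
SAMPLE = [
    Packet(1.0, "eth0", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, 74),
    Packet(1.1, "eth0", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000, 74),
    Packet(1.2, "eth0", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, 1500),
    Packet(2.0, "eth0", "udp", "10.0.0.5", 5353, "224.0.0.251", 5353, 120),
    Packet(30.0, "wwan0", "tcp", "10.0.0.5", 51001, "198.51.100.7", 22, 66),
    Packet(30.5, "wwan0", "tcp", "10.0.0.5", 51001, "198.51.100.7", 22, 600),
]


def run_sample(max_packets: int = 10_000) -> Agent:
    """Feed the constructed packets to an agent and return it for inspection."""
    agent = Agent("laptop-01", max_packets=max_packets)
    for p in SAMPLE:
        agent.observe(p)
    return agent


if __name__ == "__main__":
    import json
    agent = run_sample()
    print(json.dumps(agent.report(), indent=2))
    # Analyst selects the session that left over the non-corporate interface.
    for pkt in agent.retrieve(session_key(SAMPLE[4])):
        print(pkt)
```

The summary carries the interface each session used, so an analyst can see at once which conversations left the host over a path no network sensor covers. The `retrievable` count makes the ring-buffer limit visible: once the local store wraps, the session record survives but its oldest packets do not, which is the trade-off an agent storing to the victim's own disk has to expose rather than hide.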

Of course you cannot really trust anything an endpoint does or reports once it has been compromised, but I am looking for an improvement over the current situation. The current situation is complete blindness in cases where instrumentation is lacking.

I believe at some point we will see malware that detects the various network access technologies available to a victim, and makes a choice as directed by the intruder. In other words, if the corporate LAN is too difficult for extrusion purposes, switch to a lesser controlled network -- like an EVDO connection.

If anyone knows of a product which offers the capability to remotely capture network traffic via pushing an agent, please let me know via comment. Incidentally, I am aware of Rpcap and similar technologies. Thank you.


PJ said...

You might want to look at Vontu's Network DLP solution. It is agent-based and will continue to monitor network traffic even when the device is offline. It will report back up to the server the next time the device is connected to the company network. I actually use the product to deal with the scenarios you described.

Anonymous said...


I have heard that Oakley, now part of Raytheon, does this at the OS and Application Level and according to at least one source also at the Network Level. Perhaps one of your readers can provide additional context on how this might work in more technical detail.

I have a similar problem I'm trying to solve on very large scale (similar to yours I'm sure) so I'll watch this carefully for responses indicating existing and proposed solutions.


Anonymous said...

There is a product called NetScout we used for application testing at my last job. It has remote agents that can do captures to the local disk that can later be retrieved. We used it for application profiling, but I don't see why it couldn't be used for NSM.

Anonymous said...

If the goal is to identify suspicious and malicious activity, which prompts incident response and remediation activities, then protecting the laptop with Host Intrusion Defense would be the best option. The Third Brigade Deep Security product enables security profiles to be applied to each network interface in the laptop/server, enabling stricter security postures to be adopted for wireless connections. This is ideal for mobile users accessing wireless hotspots in hotels, Starbucks, etc.
Host Intrusion Defense solutions typically include firewall and IDS/IPS capabilities that protect the system from attacks. The one other recommendation I would offer is full disk encryption for mobile users.

Hope this helps.