Question on NSM Scaling

A long-time TaoSecurity Blog reader sent me the following question:

I have a question about scaling NSM in regards to large, complex enterprises that transmit countless gigabytes of data per day.

Last month I interviewed for a position with a large wireless company and the hiring manager was familiar with your work, so as I attempted to extol the value of NSM and explain how I thought that NSM could benefit this organization, I was told by the hiring manager that he felt that NSM worked with small organizations, but did not scale well with organizations of a certain size.

I am curious if you have ever had to counter this type of argument and how you addressed it.

This is a common question. I'll need to address it concisely and precisely in an updated edition of Tao. A few recent posts come to mind, like Requirements for Defensible Network Architecture: Monitored, NSM vs Encrypted Traffic, Plus Virtualization, and Network Security Monitoring Lives. Here are a few principles.

  • Concentrate on infrastructure you own, not necessarily infrastructure you support. In other words, I don't advocate full NSM for ISPs watching customer links. That may be the issue mentioned in the question, i.e., a wireless company might think NSM is inappropriate for watching customer traffic. I would probably agree with that.

  • Monitor at trust boundaries. The places where the infrastructure you own touches infrastructure you do not own is likely to be the place where you need additional visibility.

  • Monitor what you can, given your technical, political, and legal constraints. You may not be able to continuously capture full content data on 10 Gbps links with commodity hardware, or even specialized hardware. If that is too expensive, then don't do it. However, deploy the capability to capture at those locations when necessary. Better to be prepared than to struggle with workarounds or emergency deployments in a crisis.

  • Solutions can be engineered for almost any environment. I guarantee organizations larger than those in the question are already doing intense monitoring. If you don't believe me, look at the history of wiretapping during the last administration. Outside of that case, organizations like mine are deploying hundreds of sensors around the world. NSM can scale if you engineer it properly and hire people who know what they are doing!

  • Don't make NSM a hammer and every security problem a nail. NSM is one way to gain visibility and situational awareness. It may be worthless to deploy sensors doing traditional NSM on a link that only sees SSL-encrypted traffic between two point systems, or between the Internet and an SSL-only system. In cases like that, the first option might be to deploy host-centric monitoring and logging on the asset in question.

Thank you for questions like these -- please keep sending them. They make good sections for a new book.


Dan Weber said…
Even if you cannot capture every single packet and save it forever, you can do very useful statistical analysis based on things like connection data.
Unknown said…
I think developing stronger heuristics for full content capture has the potential to dramatically cut your data.

We are able to cut over 60% of traffic in a large enterprise by not storing any Lotus Notes traffic. If we could eliminate the SMS (Microsoft) and AV updates, we estimate that we could cut up to 70%.

Flow-based cutoff techniques such as the Time Machine could also work, but may fall short if we are interested in content reconstruction.

This is one of the areas where IP reputation can really help.
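The two data-reduction ideas in the comment above, dropping whole protocols from full content capture and applying a Time-Machine-style per-flow cutoff, can be sketched in a few lines. The block below is an added example, not code from the blog post, the commenter, or the Time Machine project; the packet stream, the port numbers and the cutoff value are constructed for illustration, and a real sensor would apply the same logic as a BPF filter plus a per-connection byte limit rather than in Python.

```python
"""Added example: full-content reduction by protocol exclusion plus a
per-flow byte cutoff, run over a constructed packet stream."""

from collections import defaultdict

# Constructed sample packets: (src, dst, dst_port, payload_bytes).
# Port 1352 stands in for the Lotus Notes traffic the commenter excludes;
# all addresses and sizes are made up for this example.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 1352, 1400),   # Lotus Notes: excluded entirely
    ("10.0.0.5", "10.0.0.20", 1352, 1400),
    ("10.0.0.7", "10.0.0.21", 80, 500),      # web flow: kept until the cutoff
    ("10.0.0.7", "10.0.0.21", 80, 1400),
    ("10.0.0.7", "10.0.0.21", 80, 1400),
    ("10.0.0.7", "10.0.0.21", 80, 1400),     # past the cutoff, dropped
    ("10.0.0.9", "10.0.0.22", 25, 300),      # small SMTP flow: fully kept
]

# Destination ports whose traffic is never written to disk (hypothetical list).
EXCLUDED_PORTS = {1352}


def apply_cutoff(packets, cutoff_bytes=2000, excluded_ports=EXCLUDED_PORTS):
    """Return (retained_packets, stats).

    A packet is dropped if its destination port is excluded, or if the
    flow it belongs to has already stored cutoff_bytes or more. The check
    happens before the packet is counted, so a flow may overshoot the
    cutoff by at most one packet, which is how a packet-granular
    capture behaves (no packets are truncated here).
    """
    stored_per_flow = defaultdict(int)
    retained = []
    total_bytes = 0
    kept_bytes = 0
    for src, dst, port, size in packets:
        total_bytes += size
        if port in excluded_ports:
            continue
        flow = (src, dst, port)
        if stored_per_flow[flow] >= cutoff_bytes:
            continue
        stored_per_flow[flow] += size
        retained.append((src, dst, port, size))
        kept_bytes += size
    reduction = 0.0 if total_bytes == 0 else round(
        100.0 * (total_bytes - kept_bytes) / total_bytes, 1)
    stats = {
        "total_bytes": total_bytes,
        "kept_bytes": kept_bytes,
        "reduction_pct": reduction,
        "flows_cut": sum(1 for v in stored_per_flow.values() if v >= cutoff_bytes),
    }
    return retained, stats


if __name__ == "__main__":
    kept, stats = apply_cutoff(SAMPLE_PACKETS)
    print(f"retained {len(kept)} of {len(SAMPLE_PACKETS)} packets; {stats}")
```

The trade-off the commenter mentions is visible in the output: the web flow is cut after its first few packets, so anything that needs the full stream (content reconstruction, extracting a file transferred late in the session) is lost, while statistical and header-level analysis still has everything it needs. Tune the cutoff per port or per direction before trusting it on a real link.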
Roland Dobbins said…
NetFlow, NetFlow, NetFlow.
test said…
Roland, technically NetFlow would be classified as session data.
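Dan Weber's point about statistical analysis on connection data and the NetFlow exchange above come down to the same thing: session data alone, with no payload, already supports useful detection on links where full content capture does not scale. The block below is an added example, not code from the post or any commenter; it aggregates constructed NetFlow-v5-style records (srcaddr, dstaddr, dstport, dOctets) per source host and flags hosts whose number of distinct destinations is unusually high. The addresses, ports and threshold are made up for illustration.

```python
"""Added example: per-host statistics from session (NetFlow-style) records
and a simple fan-out detector, all on constructed data."""

from collections import defaultdict

# Constructed flow records: (srcaddr, dstaddr, dstport, dOctets).
# 10.0.0.5 behaves like an ordinary client; 10.0.0.77 touches 25 distinct
# hosts on one port with tiny byte counts, which is the shape session data
# shows for a scan or a worm even when no payload was ever captured.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80, 52000),
    ("10.0.0.5", "10.0.0.20", 80, 31000),
    ("10.0.0.5", "10.0.0.21", 443, 24000),
    ("10.0.0.5", "10.0.0.22", 25, 1800),
] + [("10.0.0.77", f"10.0.1.{i}", 445, 120) for i in range(1, 26)]


def summarize_flows(records):
    """Aggregate flow records into per-source statistics.

    Returns {src: {"flows": n, "bytes_out": total, "distinct_dsts": k,
                   "distinct_ports": m, "avg_bytes": total / n}}.
    """
    dsts = defaultdict(set)
    ports = defaultdict(set)
    counts = defaultdict(int)
    octets = defaultdict(int)
    for src, dst, dport, size in records:
        dsts[src].add(dst)
        ports[src].add(dport)
        counts[src] += 1
        octets[src] += size
    return {
        src: {
            "flows": counts[src],
            "bytes_out": octets[src],
            "distinct_dsts": len(dsts[src]),
            "distinct_ports": len(ports[src]),
            "avg_bytes": octets[src] / counts[src],
        }
        for src in counts
    }


def flag_fanout(summary, max_distinct_dsts=20, max_avg_bytes=1000):
    """Return sources that contact many distinct hosts with small flows.

    Both conditions must hold: a busy web proxy also has many distinct
    destinations but its flows are large, so it is not flagged. The
    thresholds are illustrative and should be set from a baseline of the
    monitored link's own traffic.
    """
    return sorted(
        src for src, s in summary.items()
        if s["distinct_dsts"] > max_distinct_dsts
        and s["avg_bytes"] < max_avg_bytes
    )


if __name__ == "__main__":
    stats = summarize_flows(SAMPLE_FLOWS)
    for src, s in sorted(stats.items()):
        print(src, s)
    print("fan-out suspects:", flag_fanout(stats))
```

Nothing here needs packet payload, which is why session data is the one form of NSM data that tends to survive the "it does not scale" objection: a router exporting NetFlow on a 10 Gbps link produces a few hundred bytes per flow, and the per-host summary above is the first thing an analyst would compute from it.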
