Monday, June 21, 2010

All Aboard the NSM Train?

It was with some small amusement that I read the following two press releases recently:

First, from May, NetWitness® and ArcSight Partner to Provide Increased Network Visibility:

NetWitness, the world leader in advanced threat detection and real-time network forensics, announced certification by ArcSight (NASD: ARST) of compliance with its Common Event Format (CEF) standard. ArcSight CEF certification ensures seamless interoperability and support between NetWitness’ industry-leading threat management solution and ArcSight’s security information and event management (SIEM) platform.

Let me parse the market-speak. This is another indication that an ArcSight user can click on an event in the SIM console and access network traffic captured by NetWitness.

Second, from June, Solera Networks™ and Sourcefire™ Announce Partnership:

Solera Networks, a leading network forensics products and services company today announced its partnership with Sourcefire, Inc. (Nasdaq:FIRE), the creators of SNORT® and a leader in intelligent Cybersecurity solutions. Solera Networks can now integrate its award-winning network forensics technology directly into Sourcefire’s event analysis. The integration enhances Sourcefire’s packet analysis functionality to include full session capture, which provides detailed forensics for any security event. The partnership enables swift incident response to any security event and provides full detail in the interest of understanding “what happened before and after a security event?”

Martin Roesch, founder and CTO of Sourcefire. “There is a powerful advantage in being able to see the full content of every attack on your network. Network forensics from Solera Networks compliments Sourcefire’s IPS and RNA products by letting you see everything that led up to and followed a successful prevention of an attack.

This press release is a little clearer. This is an indication that a Sourcefire user can click on an event in the Sourcefire console and access network traffic captured by Solera.

This second development is interesting from a personal level, because it shows that the Network Security Model has finally been accepted by the developer (Marty Roesch) of what is regarded as the most popular intrusion detection system (Snort).

In other words, after over eight years of evangelizing the need to collect NSM data (at its core, full content, session, statistical, and alert data) in order to detect and respond to intrusions, we see Sourcefire partnering with Solera to pair full content network traffic with Snort alert data. It's almost enough to bring a tear to my eye. "Yo Adrian! I did it!"


ayoi said...

Well Mr.Bejtlich, I just want to say thank you for NSM. The Tao's books and following your blog since 04 really help me in understanding security properly :). Thanks

Anonymous said...

I did `NSM` way back before I knew about you,Tao and your NSM views. But finding you, TAO and NSM, makes me now feel not that lonely :) Your book explains it well and a good reference when ppl ask me what the F* Im doing :)

I have also been emailing support@SF craving Full Packet Capture integration.

Finally something. But I guess there is more to come!

Anonymous said...

Great news.. Now for the 'storage' and transfer problems which will arise...

Joe said...


Great job. Regardless of who came up with the concept or who was talking about it first, you deserve a lot of credit for getting NSM out there, both by helping people understand NSM and by showing people people to how to use it.

I'm really excited about the Solera/Sourcefire deal. We've been looking at both products for some time, but the integration has been missing.

Mister Reiner said...

What I don't understand, is why so many people are living in the dark ages when it comes to NSM. I know that part of the problem is because most of the tools suites are garbage-ware (that's why I had to build my own), but I think most of it has to do with a lack of understanding of the problem set and realizing that traditional security measures and monitoring tools are not enough to secure the enterprise. Why are people so uneducated? What is preventing them from seeing the light?

I've known for a long time that computer security training is really outdated. Has it reached a point that it's no longer effective?

I know it's possible for a team of like minded individuals to come up with new training and new tools, but until people buy into them, they are never going to make it into mainstream computing.

A paradigm shift is definitely required, but how do you go about changing the world's mindset? Is it even possible?

Vivek Rajan said...

Both missing statistics and flows ?

gunnar said...

most interesting part to me was integrating network and app logs since by themselves neither is sufficient