An intro to Network Security Monitoring

[attachment=18105]

There are three key components to any NSM installation:
1. Collection of data, performed by products
2. Analysis of data, performed by people
3. Escalation of events, guided by process.
Data is collected by products rather than people, because the sheer volume of traffic flowing across a network warrants automated collection. Though products are rarely, if ever, capable of full analysis, they can assist an analyst by creating alerts. At that point, the human analyst must take over to assess the reason for the alert. The final stage, escalation, involves highlighting an event to a decision maker – somebody with the authority, responsibility and capability to act.
In practise, an NSM system is usually built around an Intrusion Detection System (IDS) like Snort, which monitors network traffic and compares it to a series of signatures. When these signatures (or rules) are matched, an alert is generated. In order to diagnose the alert, which could be an indication of an attack, or could be authorised activity, an Intrusion Analyst requires additional sources of data. NSM systems therefore usually complement the IDS with enrichment data from others tools. These can include session statistics data from tools like SanCP (Security Analyst Network Connection Profiler) or even full packet captures.
The analyst then spends time forensically combing over the available data and assesses the reason for the alert – usually on a sliding scale from authorised behaviour to successful attack. Tools like Sguil, provide complex user interfaces allowing analysts to view, analyse and escalate their events to management from a single place. Later this week we’ll be reviewing a second NSM framework, Snorby.