NSM; work and IT @ 03 Apr 2007 04:14 am by ayoi
I’ve been asked about NSM and Sguil a few times. Most of the time I will either refer them to Richard’s blog or ask them to read his book (The Tao of Network Security Monitoring: Beyond Intrusion Detection).
I am using Sguil because, for the time being, it is the only application that really embraces the NSM concept. The user can make use of all the data collected by its sensor in order to identify and validate any intrusion or extrusion incidents. IMHO, while performing my daily tasks, the main problem I have encountered so many times is validating an intrusion or extrusion. Once we receive alerts or warnings about suspicious activities, the main question that needs to be answered is:
“Are these warnings or alerts valid, or only a false alarm? Why?”
Believe me, based on my experience, having only Snort alerts makes this question too difficult to answer properly. Why? Most of the time, after looking at the alerts, there is nothing else we can do. You can guess whether the activity that triggered the alert had any damaging impact on the victim by trying to simulate the attack based on the payload, but that is only effective for most web attacks. Other than that? “Notify the network administrator or the client’s authorized personnel about the activities detected and ask them to check their server.”
NSM is about the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions or extrusions. Products or tools do the data collection, and HUMAN intervention is needed in order to provide context and analyze the data collected. Full content, session, statistical and alert data are the resources analysts need for their analysis. Having all four data types is the ideal setup, but we might have to settle for an optimal setup that accommodates our network structure and design: allocating huge storage for full content might not be possible on one network but fine on another. Instead of keeping a month’s worth of full content data, we might as well store only a day or a week of it and keep more session data.
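To make the point about validating an alert with session data concrete, here is an added Python example (not from the original post, and not Sguil’s own code): it pivots from a Snort-style alert to constructed session records and reports whether the target ever answered, which is what decides whether the alert is worth escalating. The Alert and Session field sets, the sample addresses and the verdict labels are assumptions, not any tool’s real schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:            # minimal Snort-style alert (constructed field set)
    sid: int
    src: str
    dst: str
    dport: int
    msg: str

@dataclass(frozen=True)
class Session:          # minimal flow record, loosely like a session tool's output
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags seen in the flow, e.g. "S" (SYN only), "SAF"
    client_bytes: int
    server_bytes: int

def matching_sessions(alert, sessions):
    """Pivot from the alert's src/dst/port to the session records carrying it."""
    return [s for s in sessions
            if (s.src, s.dst, s.dport) == (alert.src, alert.dst, alert.dport)]

def assess(alert, sessions):
    """Classify an alert using session context; the verdict drives escalation."""
    flows = matching_sessions(alert, sessions)
    if not flows:
        return "no-session"     # nothing to pivot to: check sensor placement/logging
    if not any("A" in f.flags for f in flows):
        return "unanswered"     # SYN never acknowledged: port closed or filtered
    if any(f.server_bytes > 0 for f in flows):
        return "responded"      # target answered: pull full content and escalate
    return "handshake-only"     # accepted but no data back: low priority, keep watching

# Constructed sample data using documentation address ranges.
SESSIONS = [
    Session("192.0.2.10", "198.51.100.5", 80, "SAF", 612, 4096),
    Session("192.0.2.10", "198.51.100.5", 22, "S", 0, 0),
    Session("192.0.2.10", "198.51.100.5", 8080, "SAF", 120, 0),
]
ALERTS = [
    Alert(1000001, "192.0.2.10", "198.51.100.5", 80, "WEB-ATTACKS sample signature"),
    Alert(1000002, "192.0.2.10", "198.51.100.5", 22, "SSH probe sample"),
    Alert(1000003, "192.0.2.10", "198.51.100.5", 8080, "proxy probe sample"),
    Alert(1000004, "192.0.2.10", "198.51.100.9", 443, "unseen host sample"),
]

def triage(alerts=ALERTS, sessions=SESSIONS):
    return {a.sid: assess(a, sessions) for a in alerts}  # sid -> verdict
```

Only the "responded" verdict justifies pulling full content; the others are answered by session data alone, which is the saving the paragraph above describes.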
NSM is not a SEM, a forensic tool, or an intrusion prevention tool. It is a concept. Sguil is an application that embraces this concept. If you are using another application, collecting the necessary data, designing a defensible network, and realizing that prevention eventually fails, you are practising NSM. NSM is not Sguil and Sguil is not NSM. Two different things, OK?
