Security is relatively new in Malaysia (based on my observation anyway), as the awareness level is, errrr.. I'd put it at mediocre. Okay, people know about firewalls and IDS (IPS nowadays), but the proper understanding is not there. (Snort itself is not the IDS; it is only one of the IDS tools, or to be exact the detection engine.) What is the purpose of having the detection engine if there's no one to interpret the output it generates? What is the purpose of having personnel monitor all the alerts triggered if they don't have (or refuse to equip themselves with) adequate knowledge in analysing intrusion or extrusion incidents?

NSM, or Network Security Monitoring, is new to me. I believe there are people in Malaysia who are working hard at introducing and raising the awareness level of proper network security monitoring in Malaysia. People like geek00l, mel and others even provide a few trainings on this matter as well. Me? To be honest, I have only taken this analysis field seriously since 2004. Yeah, still a new person in this field (proper). I tried to catch up by reading, asking, hands-on training and practice to equip myself with the proper knowledge.

Why NSM? I embraced this principle because of the problems I encountered during my service years at The Client site. The main problem is alert validation. I discovered that it is damned difficult to give an absolute answer on an alert based just on its payload and the other related alerts triggered. Most of the time my analysis would not be conclusive, lacking the other resources needed to make it really firm and absolute. That's why I said in my previous posts that it was more like a guessing game.

If you are an analyst and detecting intrusion or extrusion incidents is your job scope, trust me, you can't help but admit that so far the NSM principles are the best practice.
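As an added illustration of the alert-validation problem above (this is not code from the post, and the alert lines, session records and the assumed 2024 year are all constructed): the same Snort alert is judged not on its payload alone but against the session record for the same connection, which is the extra context NSM brings. The session-record layout is an assumption standing in for whatever flow collector sits on the same link.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed Snort "fast"-format alert lines (sample data, not real traffic).
ALERTS = [
    "03/14-10:22:01.123456  [**] [1:2003:2] WEB-MISC sample exploit attempt [**] "
    "[Priority: 1] {TCP} 203.0.113.5:45120 -> 192.0.2.10:80",
    "03/14-10:23:45.654321  [**] [1:2003:2] WEB-MISC sample exploit attempt [**] "
    "[Priority: 1] {TCP} 198.51.100.7:51000 -> 192.0.2.10:80",
    "03/14-10:25:00.000000  [**] [1:2003:2] WEB-MISC sample exploit attempt [**] "
    "[Priority: 1] {TCP} 198.51.100.9:40000 -> 192.0.2.10:80",
]
@dataclass
class Session:  # assumed layout of one flow record from a session collector
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    handshake: bool    # TCP three-way handshake completed
    server_bytes: int  # payload bytes sent back by the server
# Constructed session records for the same period (the third alert has none).
SESSIONS = [
    Session(datetime(2024, 3, 14, 10, 22, 1), "203.0.113.5", 45120, "192.0.2.10", 80, False, 0),
    Session(datetime(2024, 3, 14, 10, 23, 45), "198.51.100.7", 51000, "192.0.2.10", 80, True, 9120),
]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{\w+\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$")
def parse_alert(line, year=2024):
    """Split a fast-format line into its fields; the year is assumed, as the format omits it."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["msg"]

def validate(line, sessions=SESSIONS, window=timedelta(seconds=5)):
    """Judge one alert by the session record for the same 5-tuple, not by its payload alone."""
    ts, src, sport, dst, dport, _ = parse_alert(line)
    hits = [s for s in sessions if (s.src, s.sport, s.dst, s.dport) == (src, sport, dst, dport)
            and abs(s.start - ts) <= window]
    if not hits:
        return "unknown", "no session record for this 5-tuple; check sensor coverage"
    s = hits[0]
    if not s.handshake or s.server_bytes == 0:
        return "unanswered", "no completed handshake or server reply; likely a failed attempt"
    return "investigate", f"server answered with {s.server_bytes} bytes; pull full content"
```

Three identical alerts, three different verdicts: the payload alone could never have separated them.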
