Network Security Monitoring

 NSM:

History:
Todd Heberlein started NSM informally in 1988. It was the first NSM that used the network traffic as its source for generating alerts. Air Force Computer Emergency was the first organization who informally followed the NSM principles. In 1993, AFCERT with collaboration of Heberlein deployed the first version of NSM as the ASIM(Automated Security Incident Measurement).

NSM:
It is the best method from zero defense to some defense. By using this organization would prevent himself from being exposed or (prevent data breach). This is operated by the group of people known as CIRT(Computer incident response team).

Benefits:
  • Collect a rich amount of network derived data from different devices.
  • CIRT analyses this data to find compromise assets.
  • CIRT uses the NSM data to assess the cause of the incident.
Does NSM Prevent Incidents?
No it does not prevent incidents because breaches are inevitable. Intruders different techniques to cause the incident but by using NSM you can frustrate the intruders. Time is the key factor in the detect, respond and contain the intruder.

Difference between NSM and continuous monitoring?
NSM is threat centric and CM is the vulnerability centric. It means that adversaries are the focus of NSM and on the other hand configuration and weaknesses are the focus of CM. In CM continuous means checking the configuration monthly or quarterly and monitoring means determining systems are compliant with controls. So according to definition CM operation strives to find an organization's computers, identify vulnerabilities, and patch those holes if possible. NSM operation is designed to detect adversaries, respond to their activities and contain them before they can accomplish their mission.

NSM and other technologies:
These technologies are just blocking, filtering or denying mechanisms. Their job is to recognize malicious activity and stop them on the other hand NSM is not filtering and blocking technology. It focuses on visibility. CIRT monitors when the security controls fail because these tools do not inform their weakness or loopholes. So NSM is one way to make failure of security controls more visible.

CIRT and Forensic Professional:
CIRT: They perform analysis, watch malicious activities and protect authorized users and the organizations. It focuses on external threats. Forensic Professionals: They perform investigations, watch fraud, and monitor abuse by authorized users to protect the organization. It focuses on internal threats.

NSM data:
  • Full content
In this type of data analyst collects the full information that passes across the network. Analysts don't filter the data that would be associated with the security incident.
  • Extracted Content 
It refers to the high level data streams such as files, images and media transferred between the computers.
  • Session Data 
It is the record of conversation between two network nodes.
  • Transaction Data: 
It is similar to the session data but it also shows the request and response between the communicated devices. 
  • Statistical Data:
 It describes the traffic resulting from various aspects of an activity
  • Meta Data : 
Data about data by using the who is command
  • Alert Data : 
Data that is used for alert (data from IDS, snort)

Comments

Popular posts from this blog

Cyber Threat Intel

Analyzing Spear Phishing Email

Advance Attacks on Network