NSM in Action
With a basic understanding of NSM, consider the scenario that opened Chapter 1. The following indications of abnormal traffic appeared.
-
A pop-up box that said, "Hello!" appeared on a user's workstation.
-
Network administrators noticed abnormal amounts of traffic passing through a border router.
-
A small e-commerce vendor reported that one of your hosts was "attacking" its server.
-
A security dashboard revealed multiple blinking lights that suggested malicious activity.
How do you handle each of these activities? Two approaches exist.
-
Collect whatever data is on hand, not having previously considered the sorts of data to collect, the visibility of network traffic, or a manner to validate and escalate evidence of intrusion.
-
Respond using NSM principles.
This book demonstrates that the first method often results in failure. Responding in an ad hoc manner, with ill-defined tools and a lack of formal techniques, is costly and unproductive. The second method has a far better success rate. Analysts using NSM tools and techniques interpret integrated sources of network data to identify indications and form warnings, escalating them as actionable intelligence to decision makers, who respond to incidents.
Although the remainder of this book will explain how to take these steps, let's briefly apply them to the scenario of abnormally heavy router traffic. In a case where an unusual amount of traffic is seen, NSM analysts would first check their statistical data sources to confirm the findings of the network administrators. Depending on the tools used, the analysts might discover an unusual amount of traffic flowing over an unrecognized port to a server on a laboratory network. The NSM analysts might next query for all alert data involving the lab server over the last 24 hours, in an effort to identify potentially hostile events. Assuming no obviously malicious alerts were seen, the analysts would then query for all session data for the same period. The session data could show numerous conversations between the lab server and a variety of machines across the Internet, with all of the sessions initiated outbound by the lab server. Finally, by taking a sample of full content data, the analysts could recognize the footprint of a new file-sharing protocol on a previously unseen port.
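The escalation described above, from statistical data to alert data to session data, as an added example that is not from the book. The laboratory network (10.20.0.0/16), the lab server 10.20.5.7, the unrecognized port 41337, the list of "known" ports, and every session and alert record are constructed for illustration and assumed to already cover the 24-hour window in question. The full content step cannot be shown from session records, so the pipeline ends by naming the host and port an analyst would pull packets for.

```python
"""NSM escalation over constructed session and alert records.

Added example, not from the book. The lab network, host addresses, port
41337 and every record below are assumptions made up for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

LAB_NET = ip_network("10.20.0.0/16")            # assumed laboratory network
KNOWN_PORTS = {22, 25, 53, 80, 110, 143, 443}   # ports the analysts recognise

# Constructed session (flow) records: the source is the side that sent the
# first packet, so src == lab host means the lab host initiated the session.
# Fields: src, sport, dst, dport, bytes src->dst, bytes dst->src
SESSIONS = [
    ("10.20.5.7", 50112, "203.0.113.9", 41337, 1_800_000, 90_000),
    ("10.20.5.7", 50113, "198.51.100.23", 41337, 2_300_000, 120_000),
    ("10.20.5.7", 50114, "203.0.113.77", 41337, 950_000, 40_000),
    ("10.20.5.7", 50115, "198.51.100.8", 41337, 1_200_000, 60_000),
    ("10.20.1.12", 51000, "198.51.100.50", 443, 8_000, 60_000),   # ordinary browsing
    ("10.20.1.12", 51001, "198.51.100.51", 80, 5_000, 40_000),
    ("192.0.2.44", 40000, "10.20.5.7", 22, 4_000, 9_000),         # inbound admin SSH
]

# Constructed IDS alerts; field names and signatures are illustrative only.
ALERTS = [
    {"src": "192.0.2.44", "dst": "10.20.1.12", "sig": "port scan", "priority": 3},
    {"src": "10.20.1.12", "dst": "198.51.100.50", "sig": "informational", "priority": 3},
]


def bytes_by_port(sessions):
    """Statistical data: total bytes per server-side (destination) port."""
    totals = Counter()
    for _src, _sport, _dst, dport, out_b, in_b in sessions:
        totals[dport] += out_b + in_b
    return totals


def unrecognized_heavy_ports(sessions, known=KNOWN_PORTS):
    """Ports carrying traffic that matches no known service, heaviest first."""
    return [(p, b) for p, b in bytes_by_port(sessions).most_common() if p not in known]


def top_lab_talker(sessions, port):
    """Which lab host moves the most bytes on the given port."""
    per_host = Counter()
    for src, _sport, dst, dport, out_b, in_b in sessions:
        if dport != port:
            continue
        for end in (src, dst):
            if ip_address(end) in LAB_NET:
                per_host[end] += out_b + in_b
    return per_host.most_common(1)[0][0] if per_host else None


def alerts_for_host(alerts, host):
    """Alert data: every alert naming the host as source or destination."""
    return [a for a in alerts if host in (a["src"], a["dst"])]


def session_profile(sessions, host, port):
    """Session data: who initiated the conversations on this port, and with how many peers."""
    by_host = by_peer = 0
    peers = set()
    for src, _sport, dst, dport, _out_b, _in_b in sessions:
        if dport != port:
            continue
        if src == host:
            by_host += 1
            peers.add(dst)
        elif dst == host:
            by_peer += 1
            peers.add(src)
    return {
        "initiated_by_host": by_host,
        "initiated_by_peer": by_peer,
        "external_peers": sum(ip_address(p) not in LAB_NET for p in peers),
        "all_outbound": by_host > 0 and by_peer == 0,
    }


def investigate(sessions, alerts):
    """Run the three data types in the order the text describes and keep each finding."""
    heavy = unrecognized_heavy_ports(sessions)
    if not heavy:
        return {"finding": "statistics match known services"}
    port, total = heavy[0]
    host = top_lab_talker(sessions, port)
    return {
        "port": port,
        "bytes": total,
        "host": host,
        "alerts_for_host": len(alerts_for_host(alerts, host)),
        "sessions": session_profile(sessions, host, port),
        "next_step": f"pull full content for {host} on tcp/{port}",
    }


if __name__ == "__main__":
    print(investigate(SESSIONS, ALERTS))
```

Each function answers the question one data type is good for: statistics say where the bytes went, alerts say whether any signature fired, and sessions say who started the conversations. A zero alert count is not an all-clear; the session profile showing every conversation initiated outbound to external peers on an unknown port is what justifies the full content pull.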
These steps might seem self-evident at first, but the work needed to implement this level of analysis is not trivial. Such preparation requires appreciation for the principles already mentioned, along with the selection and deployment of tools and techniques yielding high-fidelity data. Far too often security personnel spend thousands of dollars on equipment that produces little valuable information in the face of uncertainty. The purpose of this book is to help readers prepare for and conduct efficient network-based analysis. Having the right data on hand means faster and more accurate incident response, thereby preserving the assets that security professionals are bound to protect.
Hopefully you accept that a prevention-oriented security strategy is doomed to fail. If not, consider whether you agree with these four statements.
-
Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse. Finding and fixing all these deficiencies is not feasible for technical and economic reasons.
-
Existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more secure systems, or else they cannot be replaced for economic reasons.
-
Developing systems that are absolutely secure is extremely difficult, if not generally impossible.
-
Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.
Dorothy Denning and Peter Neumann made these four arguments two decades ago in their report "Requirements and Model for IDES - A Real-Time Intrusion-Detection Expert System." [19] They were as true in 1985 as they are today. Denning and Neumann used these four truths to justify the development of intrusion detection systems. I call on their insights today to justify deploying NSM operations.