Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Collection, Analysis, and Escalation

We now appreciate that NSM is concerned with I&W. According to the NSM definition, indicators are collected and analyzed, and warnings are escalated. In the NSM world, distinct components are responsible for these actions.

Products perform collection. A product is a piece of software or an appliance whose purpose is to analyze packets on the network. Products are needed on high-speed networks because people cannot interpret traffic without assistance. I discuss numerous NSM products in Part II of this book.

People perform analysis. While products can form conclusions about the traffic they see, people are required to provide context. Acquiring context requires placing the output of the product in the proper perspective, given the nature of the environment in which the product operates. Because few products are perfectly customized for the networks they monitor, people increasingly complement deficiencies in software. This is not the fault of the developer, who cannot possibly code his product to meet all of the diverse needs of potential customers. On the other hand, it is an endorsement of open source software. Being free to accept modifications by end users, open source software is best suited for customization. Just as products must be tuned for the local environment, people must be trained to understand the information generated by their products. Part IV gives suggestions for training analysts.

Processes guide escalation. Escalation is the act of bringing information to the attention of decision makers. Decision makers are people who have the authority, responsibility, and capability to respond to potential incidents. Without escalation, detection is virtually worthless. Why detect events if no one is responsible for response?

  • + Share This
  • 🔖 Save To Your Account