What NSM Is Not
The rest of this book will more fully address NSM operations. But before finishing this chapter, it's helpful to understand what NSM is not. Many vendors use the term network security monitoring in their marketing literature, but it should become clear in this discussion that most of them do not follow true NSM precepts.
NSM Is Not Device Management
Many managed security service providers (MSSPs) offer the ability to monitor and administer firewalls, routers, and IDSs. The vast majority of these vendors neither understand nor perform NSM as defined in this book. Such vendors are more concerned with maintaining the uptime of the systems they manage than the indicators these devices provide. Any vendor that relies on standard commercial intrusion detection products is most assuredly not performing true NSM. Any vendor that subscribes to NSM principles is more likely to deploy a customized appliance that collects the sorts of information the NSM vendor believes to be important. Customers are more likely to receive useful information from a vendor that insists on deploying its own appliance. Vendors that offer to monitor everything do so to satisfy a popular notion that monitoring more equals greater detection success.
NSM Is Not Security Event Management
Other vendors sell products that aggregate information from diverse network devices into a single console. This capability may be a necessary but insufficient condition for performing NSM. It certainly helps to have lots of information at the analyst's fingertips. In reality, the GIGO principle ("garbage in, garbage out") applies. A product for security event management or security incident management that correlates thousands of worthless alerts into a single worthless alert offers no real service. It may have reduced the analyst's workload, but he or she is still left with a worthless alert. Some of the best NSM analysts in the business rely on one or two trusted tools to get their first indicators of compromise. Once they have a "pointer" into the data, either via time frame, IP address, or port, they manually search other sources of information to corroborate their findings.
It's important for security engineers to resist the temptation to enable every IDS alert and dump the results to a massive database. Better to be selective in your approach and collect indicators that could be mined to forge true warnings.
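The pivot-and-corroborate workflow described above, shown as an added example (not code from the book): one alert from a trusted tool supplies a pointer (source IP plus a time window), and the analyst then queries session and full-content data for anything involving that pointer. All records, field names, addresses and the `pivot`/`corroborated` helpers are constructed for illustration.

```python
"""Pivoting from a first indicator into corroborating NSM data sources.

Added example, not from the book. A single alert is only a pointer; the
session and content records gathered around it are what let the analyst
decide whether the alert is worthless or worth escalating. Every record
below is constructed sample data and every field name is an assumption.
"""
from datetime import datetime

# Constructed alert records from a hypothetical IDS (the analyst's trusted tool).
ALERTS = [
    {"ts": "2004-03-15T10:02:11", "src": "192.0.2.44", "dst": "198.51.100.7",
     "dport": 80, "sig": "WEB-MISC suspicious request"},
    {"ts": "2004-03-15T10:02:13", "src": "192.0.2.44", "dst": "198.51.100.7",
     "dport": 80, "sig": "WEB-MISC suspicious request"},   # duplicate of the first
    {"ts": "2004-03-15T11:40:00", "src": "192.0.2.9", "dst": "198.51.100.7",
     "dport": 80, "sig": "WEB-MISC suspicious request"},
]

# Constructed session (flow) records: who talked to whom, when, and how much.
SESSIONS = [
    {"start": "2004-03-15T10:02:10", "src": "192.0.2.44", "dst": "198.51.100.7",
     "dport": 80, "bytes_out": 512, "bytes_in": 40960},
    # The web server opening a connection back to the alert's source is the
    # kind of fact an alert alone never shows.
    {"start": "2004-03-15T10:03:40", "src": "198.51.100.7", "dst": "192.0.2.44",
     "dport": 4444, "bytes_out": 1200, "bytes_in": 300},
    {"start": "2004-03-15T11:40:00", "src": "192.0.2.9", "dst": "198.51.100.7",
     "dport": 80, "bytes_out": 300, "bytes_in": 1500},
]

# Constructed full-content summaries (first bytes of each session's payload).
CONTENT = [
    {"ts": "2004-03-15T10:02:10", "src": "192.0.2.44", "dst": "198.51.100.7",
     "dport": 80, "payload": "POST /cgi-bin/form.cgi HTTP/1.0"},
    {"ts": "2004-03-15T10:03:40", "src": "198.51.100.7", "dst": "192.0.2.44",
     "dport": 4444, "payload": "$ id"},
    {"ts": "2004-03-15T11:40:00", "src": "192.0.2.9", "dst": "198.51.100.7",
     "dport": 80, "payload": "GET /index.html HTTP/1.1"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def in_window(ts, center, minutes):
    """True if ts lies within +/- minutes of center."""
    return abs((parse_ts(ts) - center).total_seconds()) <= minutes * 60


def first_indicators(alerts):
    """Collapse repeated alerts into distinct pointers (src, dst, dport, sig).
    This shrinks the pile, but by itself says nothing about whether any
    pointer matters; that is the point made about event-management products."""
    seen = {}
    for alert in alerts:
        key = (alert["src"], alert["dst"], alert["dport"], alert["sig"])
        seen.setdefault(key, alert)
    return list(seen.values())


def pivot(alert, window_minutes=5):
    """Use one alert as a pointer: gather every session and content record
    involving the alert's source IP within +/- window_minutes of the alert."""
    ip = alert["src"]
    center = parse_ts(alert["ts"])

    def involves(rec, ts_key):
        return ip in (rec["src"], rec["dst"]) and in_window(rec[ts_key], center, window_minutes)

    return {
        "sessions": [s for s in SESSIONS if involves(s, "start")],
        "content": [c for c in CONTENT if involves(c, "ts")],
    }


def corroborated(alert, window_minutes=5):
    """Escalate only if the pivot shows the alert's target host initiating a
    new connection back to the alert's source: independent evidence from
    session data that the first indicator was not garbage."""
    evidence = pivot(alert, window_minutes)
    return any(s["src"] == alert["dst"] and s["dst"] == alert["src"]
               for s in evidence["sessions"])


if __name__ == "__main__":
    for pointer in first_indicators(ALERTS):
        print(pointer["src"], "->", pointer["dst"], "corroborated:", corroborated(pointer))
```

Run as a script, the two distinct pointers are pivoted on and only the first survives corroboration; the third alert, which fires on the same signature, is left as the worthless alert it is.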
NSM Is Not Network-Based Forensics
Digital forensics is an immature field, despite the fact that investigators have performed autopsies of computer corpses for several decades. Digital forensics is typically divided into host-based forensics and network-based forensics. While many think forensics means searching a hard drive for illicit images, others believe forensics involves discovering evidence of compromise. Until digital forensics professionals agree on common definitions, tools, and tactics, it's premature to refer to NSM, or any other network-based evidence collection process, as network-based forensics. Incident response is a computer security term; digital forensics is a legal one. Legal terms carry the burden of chains of custody, meeting numerous court-derived tests and other hurdles ignored by some incident responders. While NSM should respect laws and seek to gather evidence worthy of prosecuting criminals, the field is not yet ready to be labeled as network-based forensics.
NSM Is Not Intrusion Prevention
Beginning in 2002, the term intrusion prevention system (IPS) assumed a place of importance in the minds of security managers. Somewhere some smart marketers decided it would be useful to replace the d in IDS with the p of prevention. "After all," they probably wondered, "if we can detect it, why can't we prevent it?" Thus started the most recent theological debate to hit the security community. An intrusion prevention system is an access control device, like a firewall. An intrusion detection system is a detection device, designed to audit activity and report failures in prevention. NSM operators believe the prevention and detection roles should be separated. If the two tasks take place on a single platform, what outside party is available to validate effectiveness?
Intrusion prevention products will eventually migrate into commercial firewalls. Whereas traditional firewalls made access control decisions at layer 3 (IP address) and layer 4 (port), modern firewalls will pass or deny traffic after inspecting layer 7 (application data). Poor technological choices are forcing firewall vendors to take these steps. As application vendors run ever more services over Hypertext Transfer Protocol (HTTP, port 80 TCP), they continue to erode the model that allowed layer 4 firewalls to function. Microsoft's decision to operate multiple services on a single set of ports (particularly 135 and 139 TCP) has made it difficult to separate legitimate from illegitimate traffic. These problems will haunt port 80 until access control vendors compensate for application vendors' poor choices.
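To make the two points of this section concrete, here is an added example (not code from the book) that contrasts a layer 4 rule with a layer 7 rule on port 80 TCP, and keeps a detection record separate from the prevention decision so that someone other than the prevention device can judge whether prevention worked. The flows, the rule format and the `looks_like_http` check are constructed assumptions for illustration.

```python
"""Layer 4 versus layer 7 access control on port 80, with detection kept apart.

Added example, not from the book. A layer 4 rule sees only addresses and
ports, so anything on 80/TCP passes. A layer 7 rule inspects the first bytes
of application data and passes only what looks like HTTP. A detection record
is written regardless of which rule was in force, so the detection side can
report prevention failures instead of being folded into the same verdict.
All flows below are constructed samples.
"""

HTTP_METHODS = ("GET ", "HEAD ", "POST ", "PUT ", "DELETE ", "OPTIONS ", "TRACE ", "CONNECT ")

# Constructed flows: destination port plus the first bytes of client payload.
FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "dport": 80,
     "payload": b"SSH-2.0-OpenSSH_3.8\r\n"},          # a non-HTTP service on port 80
    {"src": "192.0.2.12", "dst": "198.51.100.7", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_3.8\r\n"},          # same service on its own port
    {"src": "192.0.2.13", "dst": "198.51.100.7", "dport": 80,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00"},     # binary (TLS-like) bytes on port 80
]


def layer4_decision(flow, allowed_ports=(80,)):
    """Traditional firewall: pass or deny on the destination port alone."""
    return "pass" if flow["dport"] in allowed_ports else "deny"


def looks_like_http(payload):
    """Minimal layer 7 check: the first line must be an HTTP request line."""
    try:
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    return first_line.startswith(HTTP_METHODS) and first_line.endswith(("HTTP/1.0", "HTTP/1.1"))


def layer7_decision(flow, allowed_ports=(80,)):
    """Application-aware firewall: the port must be allowed AND the payload
    must actually be HTTP."""
    if flow["dport"] not in allowed_ports:
        return "deny"
    return "pass" if looks_like_http(flow["payload"]) else "deny"


# Detection records are collected independently of the prevention verdict.
DETECTION_LOG = []


def inspect(flow, decide):
    """Apply the chosen prevention rule, then separately record any non-HTTP
    payload seen on port 80 together with what prevention did about it."""
    verdict = decide(flow)
    if flow["dport"] == 80 and not looks_like_http(flow["payload"]):
        DETECTION_LOG.append({
            "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
            "note": "non-HTTP payload on port 80", "prevention": verdict,
        })
    return verdict


def run(flows, decide):
    """Process all flows under one rule set; returns the list of verdicts."""
    DETECTION_LOG.clear()
    return [inspect(flow, decide) for flow in flows]


if __name__ == "__main__":
    for name, rule in (("layer 4", layer4_decision), ("layer 7", layer7_decision)):
        print(name, run(FLOWS, rule))
        for record in DETECTION_LOG:
            print("   detected:", record["note"], "from", record["src"], "prevention:", record["prevention"])
```

Under the layer 4 rule the detection log shows two non-HTTP flows on port 80 that prevention passed; under the layer 7 rule the same two detections show prevention denying them. The detections are identical either way, which is exactly what lets an outside party measure the prevention device rather than take its word for it.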