Full Content Data in Network Security Monitoring

Security is the method of keeping an acceptable level of risk. The security process revolves around four steps: assessment, protection, detection, and response, as described by Bejtlich (2004). The first step, assessment, is the groundwork needed for the other three. Protection, the second step, as Bejtlich (2004) points out, is the use of countermeasures to lessen the likelihood of compromise. Detection, the third step, is the process of identifying intrusions. The last step is response: validating the fruits of detection and taking steps to remediate intrusions.

Network Security Monitoring Defined

Network Security Monitoring (NSM), as described by Bejtlich (2004), is the collection, analysis and escalation of indications and warnings to detect and respond to intrusions. As Bejtlich (2013) points out, NSM means finding and stopping intruders on the network before damage is done to the organization or enterprise.

Full Content Data and Full Packet Capture

Full Content Data (FCD), also known as Full Packet Capture (FPC) data, is the data of most core value to an analyst performing NSM, as described by Sanders & Smith (2014). FCD provides a complete record of every packet transmitted between two endpoints. Collecting FCD takes high priority when architecting a sensor, because almost all other major data types can be generated from previously collected FCD. As Sanders & Smith (2014) point out, if one compares an investigation of a computer crime to a human-related crime, collecting FCD for the computer crime is the equivalent of having surveillance video of the human suspect under investigation. If an attacker accesses a system from the network, there will be evidence of it within the FPC data.
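The claim that other data types can be generated after the fact from stored FCD is easiest to see in code. The following is an added example, not code from the cited books: it constructs a small pcap in memory from hand-built Ethernet/IPv4/TCP frames (the addresses, ports and payloads are constructed sample values), parses the pcap back, and collapses the packets into bidirectional session records (endpoints, packet count, bytes per direction, first/last seen) while keeping the payload bytes available for review. The pcap reader and session logic are the example's own minimal implementations, not a library API.

```python
"""Deriving session data from full content data (FCD).

Added example, not code from the cited books. Builds a small pcap in memory
from constructed Ethernet/IPv4/TCP frames, parses it back, and summarizes
each TCP conversation as a bidirectional session record.
"""
import struct

# pcap global header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """frames: iterable of (timestamp_seconds, frame_bytes)."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame))  # per-packet record header
        out += frame
    return bytes(out)


def iter_packets(pcap_bytes):
    """Yield (timestamp, frame) from a little-endian pcap file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + data_off:14 + total_len]


def sessions_from_pcap(pcap_bytes):
    """Collapse packets into bidirectional session records keyed by ordered endpoints."""
    sessions = {}
    for ts, frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue  # non-IPv4/TCP traffic is skipped in this minimal example
        src, dst, sport, dport, payload = parsed
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)  # both directions map to one session
        rec = sessions.setdefault(key, {"first": ts, "last": ts, "packets": 0,
                                        "bytes_ab": 0, "bytes_ba": 0, "payload": []})
        rec["last"] = ts
        rec["packets"] += 1
        direction = "ab" if a == key[0] else "ba"
        rec["bytes_" + direction] += len(payload)
        if payload:
            rec["payload"].append((direction, payload))  # FCD keeps the content itself
    return sessions


# Constructed sample traffic: one client/server HTTP exchange and one lone SYN.
CLIENT, SERVER, OTHER = "10.0.0.5", "203.0.113.7", "198.51.100.9"
SAMPLE_PCAP = build_pcap([
    (1000, build_frame(CLIENT, SERVER, 51000, 80, flags=0x02)),   # SYN
    (1000, build_frame(SERVER, CLIENT, 80, 51000, flags=0x12)),   # SYN/ACK
    (1001, build_frame(CLIENT, SERVER, 51000, 80, b"GET / HTTP/1.1\r\n")),
    (1002, build_frame(SERVER, CLIENT, 80, 51000, b"HTTP/1.1 200 OK\r\n" + b"x" * 50)),
    (1003, build_frame(CLIENT, OTHER, 51001, 53, flags=0x02)),    # SYN with no reply
])

if __name__ == "__main__":
    for (a, b), rec in sessions_from_pcap(SAMPLE_PCAP).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} pkts={rec['packets']} "
              f"a->b={rec['bytes_ab']}B b->a={rec['bytes_ba']}B "
              f"dur={rec['last'] - rec['first']}s")
```

Running the script prints two session lines from the sample capture: a four-packet HTTP conversation with bytes counted in each direction, and a single unanswered SYN to port 53. The session summaries are derived entirely from the stored packets, and the same packets still hold the request and response bytes for an analyst to inspect, which is the "surveillance video" property the text describes.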

Deployment Considerations and Challenges

There are deployment considerations and challenges with NSM. As Sanders & Smith (2014) point out, they are the lack of standards within the information security field, the high level of skill required to practice NSM effectively, and the cost required to establish and maintain an NSM program. Because NSM lacks regulation and standards, information security experts discussing the same topic with four different people may hear four different sets of terminology. A high level of skill across several Information Technology areas is needed to practice NSM effectively, and there are not many information security specialists with the skill and understanding required to meet the demand. The last, and a significant, challenge to the development of NSM is the price tag necessary to launch and sustain an NSM program. The high cost of entry is typically related to the hardware essential to collect, store and parse the enormous amount of data produced by NSM functions. The majority of the money spent usually goes to the technical human resources required to do the analysis and manage the NSM infrastructure. Another cost for a large operation is the need to run NSM 24 hours a day, 7 days a week, 365 days a year.

References

Bejtlich, R. (2004). The Tao of network security monitoring: Beyond intrusion detection. Addison-Wesley Professional.

Bejtlich, R. (2013). The practice of network security monitoring: Understanding incident detection and response. No Starch Press.

Sanders, C., & Smith, J. (2014). Applied network security monitoring: Collection, detection, and analysis. Syngress.