This is a two-part question. First I will need the discussion question answer, which is below in bold, 300 words, APA format. For that response I will need three replies of at least 175 words each.
Distinguish between alert data (including generation tools) and previously covered NSM monitoring (including collection tools).
The concepts, tools and data we discussed over the last few weeks help network security monitoring (NSM) analysts distinguish between normal and unusual traffic. Within the NSM concept of collection, analysis and escalation, traffic patterns can be distinguished into different categories of data. These categories include full content data, session data and statistical data. Although distinguishable in type and use, these types of data empower the analyst with information to make security decisions and responses (Bejtlich, 2004).
Alert data can be leveraged to take on some of that decision-making responsibility. Bejtlich (2004) defines alert generation tools as those that ‘make judgements based on the traffic they inspect,’ and are commonly used in Intrusion Detection Systems (IDSs) and NSM deployments. The distinction is clear: alert data goes beyond just presenting traffic data. Alert generation tools can be programmed to recognize traffic patterns as malicious activity or signs of intrusion. Bejtlich (2004) considers this programmed recognition to be ‘judgements,’ and the generated alerts can assist analysts with their respective NSM response strategies. Doing a bit of research on alert data and NSM, I stumbled on a few academic papers that address a problem: utilizing multiple tools and applications in an NSM deployment can actually create large aggregates of alert data that are difficult to sift through and understand. Some other common problems include more important alerts being overshadowed by a high number of less important alerts…and false alerts/false positives (Yao et al., 2016). There are also academic papers in our library that take on the challenge of alert data aggregation and correlation. This is to prevent an NSM analyst from additional tedious work in organizing alert data that, in theory, should effectively assist them in making correct judgements on traffic patterns (Alserhani, 2016).
Beyond the concept of collection, analysis and escalation is detection and response. Alert data is all about detection and response…and can help an analyst associate network traffic with intrusions and malicious activity. The reading holds the Snort IDS in high regard. At the time of writing, Snort was a formidable IDS solution that was open source and highly supported in the IT/NSM community (Bejtlich, 2004). Two alert generation tools described in depth in the reading are Bro and Sguil. Bro is a powerful IDS tool that command line geeks and programmers may find to be more approachable and customizable (Bejtlich, 2004). Sguil is another alert-based tool held in high praise by Bejtlich (2004). This is due to a few reasons: it’s open source, has an easy to use graphical user interface, and is a UNIX suite tool compatible with multiple types of data (such as session and full content). Of particular note is the fact that Sguil’s alert data is sourced from Snort itself. BONUS, it was also developed by an Air Force veteran (Bejtlich, 2004). Alert tools like Sguil can present a wealth of information to an NSM analyst who must grapple with the decision of response. One of the more poignant take-aways from this week’s reading is that these tools can often tell you more about what didn’t happen in your network traffic – equally as important as what did happen.
I can’t believe we’re almost at the halfway point of this course. Good luck to everyone on their quiz and paper. Unfortunately, Coronavirus is keeping me busy at work, and there is a lot of uncertainty amongst us in the military community. Control what you can control - stay safe, and stay home!
Alserhani, F. (2016). Alert correlation and aggregation techniques for reduction of security alerts and detection of multistage attack. International Journal of Advanced Studies in Computers, Science and Engineering, 5(2), 1–7. Retrieved from http://search.proquest.com/docview/1776319413/
Bejtlich, R. (2004). The Tao of Network Security Monitoring. Boston: Addison-Wesley.
Yao, Y., Wang, Z., Gan, C., Kang, Q., Liu, X., Xia, Y., & Zhang, L. (2016). Multi-source alert data understanding for security semantic discovery based on rough set theory. Neurocomputing, 208, 39–45. https://doi.org/10.1016/j.neucom.2015.12.127
Network security monitoring (NSM) uses tools that collect full content data, session data and statistical data. Bejtlich (2005) explains how tools like tcpdump are used to collect data, Ethereal to examine packet headers, or Argus to collect session data. None of these NSM monitoring tools look at the data for threats to the network. They simply collect and store the data. Alert data is produced when analysis of the collected data is performed to determine if there is a potential risk to the network.
Sanders (2012) reveals that network security monitoring is broken down into three phases: collection, detection and analysis. He explains how collection is gathering the relevant network security data and sorting it out. This is the phase where the monitoring tools like tcpdump, Argus and Ethereal come into play. Sanders (2012) explains that the detection phase is when software, or sometimes humans, process the collected data to find anomalies and identify potential intrusions on the network. According to Bejtlich (2005), Sguil is software that gives the user alert data. He explains that Sguil uses Snort to provide its alert data. Bejtlich (2005) also identified two network intrusion detection systems that generate alert data: Bro and Prelude.
Sanders (2012) identifies the last phase of network security monitoring as the analysis phase. Sanders explains that this is the phase where an analyst will review the alert data and then investigate the data that was collected during the collection phase to determine if there was in fact an intrusion on the network. Sanders (2012) believes the analysis phase is best done by humans and not software or hardware.
Sanders, C. (2012). NSM collection vs. detection. Retrieved from https://chrissanders.org/2012/02/nsm-collection-vs...
Bejtlich, R. (2005). The Tao of Network Security Monitoring: Beyond intrusion detection. Boston, MA: Addison-Wesley.
The full content data, session data, and statistical data tools previously discussed require the cybersecurity analyst to determine which traffic is normal, and which traffic is either suspicious or malicious (Bejtlich, 2005). Alert data is different from the full content, session, and statistical data tools. The main point of difference is that with alert data tools, the tools themselves are preprogrammed to make a determination on the traffic that they are inspecting (Bejtlich, 2005). Since these tools are making determinations rather than merely presenting the data, they are characterized as alert data tools.
The alert data tools that Bejtlich (2005) discusses in this week’s readings include Bro (and BRA), Prelude, and Sguil. Since publication of our course material, Bro has become Zeek, and it still remains active and current today (Paxson, 2018; Corelight, 2020). Outside information on BRA was more limited than on Bro, but it is the Bro Re-usable Architecture (Manders, 2003). The link to the original BRA release is no longer valid, and it’s possible it is no longer supported (Manders, 2020). Bro examines the network traces through libpcap and then passes the data to the Bro event engine, which breaks the data into events, and then takes actions based on Bro’s assessments of the events (Bejtlich, 2005). Prelude, now the Prelude Security Information and Event Management (SIEM), is also still active and supported (Prelude SIEM, 2020). Prelude SIEM imports security alerts from Snort, Systrace and the Honeyd virtual honeynet and uses these types of external alert data to build its own alert data (Bejtlich, 2005).
Sguil is somewhat unique among this group in that a number of tools make up Sguil. Some of the tools that make up Sguil include Snort, Tcpflow, Tcpdump, and MySQL (Bejtlich, 2005; Visscher, 2014; Visscher, 2020). We have discussed a number of these tools already in past weeks. Sguil has continued to receive updates since its release over a decade ago, with some of the latest updates on request coming as recently as early March (Visscher, 2020).
Bejtlich, R. (2005). The Tao of Network Security Monitoring. Boston: Addison-Wesley.
Corelight. (2020). Zeek. Retrieved from Corelight.
Manders, C. (2003, July 5). BRA: The Bro Re-usable Architecture. Retrieved from Berkeley University: http://mailman.icsi.berkeley.edu/pipermail/zeek/20...
Manders, C. (2020). BRA. Retrieved from Unix Helpdesk: http://www.unixhelpdesk.com/~cmanders/projects/bra...
Paxson, V. (2018, October 11). Renaming the Bro Project. Retrieved from Zeek Blog: https://blog.zeek.org//2018/10/renaming-bro-projec...
Prelude SIEM. (2020). Prelude SIEM. Retrieved from Prelude SIEM: https://www.prelude-siem.com/
Visscher, R. (2014). Sguil: The Analyst Console for Network Security Monitoring. Retrieved from Sguil: https://bammv.github.io/sguil/index.html
Visscher, R. (2020, March 3). bammb / sguil. Retrieved from Github: https://github.com/bammv/sguil
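The three posts above draw the same line: collection tools (tcpdump, Argus, Ethereal) store traffic without judging it, alert generation tools (Snort, Bro/Zeek, Prelude, Sguil) inspect that traffic and emit a judgement, and the first post adds that raw alert volume then has to be aggregated before an analyst can use it. The following Python script is an added illustration of that pipeline and is not code from the page, from Bejtlich, Sanders, Zeek or Sguil. The session records, the thresholds, the three rules and the internal address range are all constructed for the example; real IDS rule sets are far larger, and a real collector would keep the records on disk rather than in a list.

```python
"""Toy NSM pipeline: collection -> detection -> alert aggregation.

Added example, not from the page or from any of the tools it names.
Session records are constructed to resemble Argus/Zeek-style flow
summaries: timestamp, src, dst, dport, proto, bytes sent by src.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed session data (not captured traffic). Trailing '#' text is ignored.
SESSIONS_LOG = """\
# ts         src        dst            dport proto bytes
1585000001 10.0.0.5   10.0.0.20     22   tcp 4120     # normal ssh
1585000002 10.0.0.5   10.0.0.20     80   tcp 510
1585000010 10.0.0.7   10.0.0.20     23   tcp 300      # cleartext telnet
1585000011 10.0.0.7   10.0.0.21     23   tcp 280
1585000012 10.0.0.7   10.0.0.22     23   tcp 310
1585000020 10.0.0.9   10.0.0.20     21   tcp 60       # one host, many ports
1585000021 10.0.0.9   10.0.0.20     22   tcp 60
1585000022 10.0.0.9   10.0.0.20     25   tcp 60
1585000023 10.0.0.9   10.0.0.20     80   tcp 60
1585000024 10.0.0.9   10.0.0.20     443  tcp 60
1585000025 10.0.0.9   10.0.0.20     445  tcp 60
1585000100 10.0.0.5   203.0.113.10  443  tcp 5200000  # large outbound transfer
1585000101 10.0.0.5   10.0.0.30     53   udp 120
"""

# Assumed tuning values for the example rules (hypothetical, not from any IDS).
SCAN_PORT_THRESHOLD = 5        # distinct dst ports on one host ...
SCAN_WINDOW_S = 60             # ... within this many seconds
EXFIL_BYTES = 1_000_000        # outbound bytes to a non-internal host
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Session:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    ts: int
    sig: str     # signature name, the "judgement" an alert tool attaches
    src: str
    dst: str
    detail: str


# --- Collection: keep every record, make no judgement (tcpdump/Argus role) ---
def parse_sessions(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()[:6]
        sessions.append(Session(int(ts), src, dst, int(dport), proto, int(nbytes)))
    return sessions


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


# --- Detection: rules that judge the traffic (Snort/Bro role) ---
def detect(sessions):
    alerts = []
    for s in sessions:
        # Rule 1: cleartext telnet is a policy violation, one alert per session.
        if s.proto == "tcp" and s.dport == 23:
            alerts.append(Alert(s.ts, "POLICY telnet session", s.src, s.dst, f"dport={s.dport}"))
        # Rule 2: large transfer from an internal host to an external one.
        if is_internal(s.src) and not is_internal(s.dst) and s.nbytes >= EXFIL_BYTES:
            alerts.append(Alert(s.ts, "EXFIL large outbound transfer", s.src, s.dst, f"bytes={s.nbytes}"))
    # Rule 3: port scan, one src touching many distinct ports on one dst in a window.
    by_pair = defaultdict(list)
    for s in sorted(sessions, key=lambda x: x.ts):
        by_pair[(s.src, s.dst)].append(s)
    for (src, dst), recs in by_pair.items():
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if r.ts - first.ts <= SCAN_WINDOW_S]
            ports = {r.dport for r in window}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                alerts.append(Alert(first.ts, "SCAN many ports one host", src, dst, f"ports={len(ports)}"))
                break  # one alert per (src, dst), not one per window position
    return sorted(alerts, key=lambda a: a.ts)


# --- Aggregation: collapse repeats so the analyst sees one row per (sig, src) ---
def aggregate(alerts):
    agg = {}
    for a in alerts:
        entry = agg.setdefault((a.sig, a.src), {"count": 0, "first": a.ts, "last": a.ts, "dsts": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], a.ts)
        entry["last"] = max(entry["last"], a.ts)
        entry["dsts"].add(a.dst)
    return agg


if __name__ == "__main__":
    sessions = parse_sessions(SESSIONS_LOG)
    print(f"collected {len(sessions)} sessions (stored, not judged)")
    alerts = detect(sessions)
    print(f"detection produced {len(alerts)} raw alerts")
    for (sig, src), e in aggregate(alerts).items():
        print(f"{sig:32} src={src:10} count={e['count']} targets={len(e['dsts'])} "
              f"span={e['last'] - e['first']}s")
```

Running it shows the point each post makes: `parse_sessions` returns 13 records and attaches no verdict to any of them, `detect` turns those into five raw alerts, and `aggregate` folds the three telnet alerts from 10.0.0.7 into a single row with three targets, which is the volume reduction the first post's sources describe. The session data is still there for the analysis phase: an analyst who distrusts the scan alert can go back to the stored records for 10.0.0.9 and check the ports and timing for themselves, exactly what a collection-only tool would have left behind had detection never run.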