electricfork

Practicing NSM via DIY attitude

Posted Dec 15, 03:32 PM by ben

I read Tao of NSM when it first came out. A lot of the ideas behind the book just make sense, especially when you truly need actionable data (don't even get me started on IDS consoles or MMC snap-ins).
It also suits (or helped develop?) my view that the data is what matters. Event data, session data, virus reports, firewall logs, vulnerability data. Good stuff! This is where my hate for vendors comes in: their products never work together, and the interfaces are constantly shoddy. This is also where my DIY attitude kicks in.

Tools needed:


Now, ignore your toolset and concentrate on the data it provides. Call the vendor and get access to their SQL database. Pull together your session data and correlate it with your IDS events. Then combine that with open source intelligence such as the DShield block list or where a netblock is registered, and add your own whitelist/blacklist checks. Then pull in your antivirus infections. Finally, set up data to pinpoint where a local machine physically resides.

I finally got around to writing a portion of this. I am receiving hourly emails on non-US sites that have sessions to my network (flow data). I check these non-US (and US) sites against DShield's block list. I count how many connections I've seen, whether they are on my own personal white/blacklist, and how many IDS events the connections have generated. This is all very actionable data, and it's all in just one table. More is on the way.
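To make the correlation concrete, here is an added example (my own illustration, not electricfork's script) that builds the kind of one-table report described above: flow records are reduced to their external side, each remote host is enriched with a country, a block-list hit and a white/black-list status, IDS alerts are counted per host, and a single SQL query over an in-memory SQLite database produces the hourly table. Every input is constructed inline: the CIDR block list stands in for the real DShield feed, the country map stands in for a whois or GeoIP lookup, and the addresses are documentation ranges, not real traffic.

```python
"""Correlate flow sessions, IDS events, a block list, a country lookup and
local white/black lists into one summary table per remote host."""
import ipaddress
import sqlite3

# All of the data below is constructed for this example; none of it is real
# traffic. The block list and country map stand in for the DShield feed and a
# whois/GeoIP lookup.
LOCAL_NETS = ["10.0.0.0/8"]
BLOCKLIST = ["198.51.100.0/24"]              # stand-in for the DShield block list
COUNTRY = {"203.0.113.0/24": "DE", "198.51.100.0/24": "RU", "192.0.2.0/24": "US"}
WHITELIST = {"203.0.113.10"}                 # a known-good partner host
BLACKLIST = {"203.0.113.99"}                 # a previously seen spam source

# Flow records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.1.2.3", "203.0.113.10", 443, 5000),
    ("10.1.2.3", "203.0.113.10", 443, 7000),
    ("10.1.5.9", "198.51.100.7", 22, 1200),
    ("10.1.5.9", "198.51.100.7", 22, 900),
    ("10.1.5.9", "198.51.100.7", 22, 300),
    ("10.1.7.7", "192.0.2.44", 80, 4000),
    ("10.1.2.3", "203.0.113.99", 25, 100),
    ("10.1.2.3", "10.1.9.9", 445, 800),      # internal-only flow, ignored below
]
# IDS alerts: (src, dst, signature)
IDS_EVENTS = [
    ("198.51.100.7", "10.1.5.9", "SSH brute force"),
    ("198.51.100.7", "10.1.5.9", "SSH brute force"),
    ("192.0.2.44", "10.1.7.7", "web scanner user-agent"),
]


def in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cc in COUNTRY.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"  # unknown country stays in the report rather than vanishing


def list_status(ip):
    return "white" if ip in WHITELIST else "black" if ip in BLACKLIST else ""


def remote_side(src, dst):
    """Return the external address of a local<->external pair, else None."""
    src_local, dst_local = in_cidrs(src, LOCAL_NETS), in_cidrs(dst, LOCAL_NETS)
    if src_local and not dst_local:
        return dst
    if dst_local and not src_local:
        return src
    return None


def build_report(flows, ids_events, non_us_only=True):
    """One row per remote host: sessions, bytes, IDS events, block-list and list hits."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (remote TEXT, dport INTEGER, bytes INTEGER)")
    db.execute("CREATE TABLE ids (remote TEXT, sig TEXT)")
    db.execute("CREATE TABLE hosts (remote TEXT PRIMARY KEY, country TEXT, "
               "dshield INTEGER, listed TEXT)")
    for src, dst, dport, nbytes in flows:
        remote = remote_side(src, dst)
        if remote is None:
            continue
        db.execute("INSERT INTO flows VALUES (?, ?, ?)", (remote, dport, nbytes))
        db.execute("INSERT OR IGNORE INTO hosts VALUES (?, ?, ?, ?)",
                   (remote, country_of(remote), int(in_cidrs(remote, BLOCKLIST)),
                    list_status(remote)))
    for src, dst, sig in ids_events:
        remote = remote_side(src, dst)
        if remote is not None:
            db.execute("INSERT INTO ids VALUES (?, ?)", (remote, sig))
    # The whole report is one query: block-listed hosts first, then by IDS noise.
    rows = db.execute("""
        SELECT h.remote, h.country, h.dshield, h.listed,
               COUNT(f.remote) AS sessions, SUM(f.bytes) AS bytes,
               (SELECT COUNT(*) FROM ids i WHERE i.remote = h.remote) AS ids_events
        FROM hosts h JOIN flows f ON f.remote = h.remote
        WHERE ? = 0 OR h.country <> 'US'
        GROUP BY h.remote
        ORDER BY h.dshield DESC, ids_events DESC, sessions DESC""",
        (int(non_us_only),)).fetchall()
    cols = ("remote", "country", "dshield", "listed", "sessions", "bytes", "ids_events")
    return [dict(zip(cols, r)) for r in rows]


if __name__ == "__main__":
    for row in build_report(FLOWS, IDS_EVENTS):
        print("{remote:<15} {country} dshield={dshield} listed={listed!r:8} "
              "sessions={sessions} bytes={bytes} ids={ids_events}".format(**row))
```

Two caveats worth keeping in mind if you wire this to real feeds: the join is driven by flow data, so an IDS alert from a host that never shows up in your sessions will not appear (run the IDS table on its own for that), and the real DShield block list and any GeoIP source have their own formats and update cadence, so the lookups here are placeholders for those parsers.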

I still need to look at session data from a services/ports perspective, and add in my IDS stats, antivirus stats, and maybe some web proxy stats just for added fun. In short, if I can aggregate all these feeds into one source, a few really neat things happen. The most important is situational awareness. But I can also summarize this data into daily/weekly/monthly reports, which sounds awfully close to being able to trend your posture over time. You may even be able to draw inferences about performance, security and ROI from such things.

Mental picture: Your data is a small shiny sphere. You are pac-man.



Creative Commons License
This work by http://electricfork.com is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.


I lead an information security ops and response team. This site is a collection of interesting notes and brainstorms on protecting against, detecting, and responding to badness.


I organize a small infosec meetup in Baltimore called charmsec.


© 2002-2008