The Practice of Applied Network Security Monitoring
The collection, detection, and analysis of network security data are all aspects of network security monitoring. Information security has traditionally been divided into a plethora of different focus areas, but I tend to lean toward the way the United States Department of Defense (US DoD) categorizes the domains of Computer Network Defense (CND) in DoD 8500. The following are examples:
Anomaly-Based Detection with Statistical Data
Chris Sanders and Jason Smith, in Applied Network Security Monitoring, 2014.
Abstract
Network security monitoring is based on the collection of data to perform detection and analysis functions. It is only natural that a SOC should be able to generate statistical data from the data it already collects, and that this statistical data can then be used for detection and analysis. Here, we will look at methods for generating statistical data that can support detection, including methods for generating it in near real time and methods for generating it retrospectively. This includes the use of various NetFlow tools, such as rwstats and rwcount, among others. We will also discuss methods for visualizing statistics using Gnuplot and the Google Charts API, as well as other software. Finally, the chapter provides several practical examples of useful statistics that can be generated from NSM data.
Detection Mechanisms, Indicators of Compromise, and Signatures
During the detection phase of Network Security Monitoring, it is critical to understand your detection capabilities, as well as adversarial tactics, before applying those capabilities to detect when an adversary acts. This process occurs when the collected data is examined and anomalies are discovered in the data.
The first chapter of the detection section of Applied NSM, “Detection Mechanisms and Indicators of Compromise,” defines detection mechanisms and indicators of compromise (IOCs), and then examines how IOCs are organized and how they can be derived from observed network attacks. Several best practices for the successful management of IOCs are also discussed, along with several common IOC frameworks.
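To make the detection side of this concrete, the following is an added example (not code from Applied NSM or its authors) that matches a small set of indicators against constructed log lines. The indicator values, the `ts logtype src key=value` log shape, and the three log types are assumptions made for the example; the IP and domain are from documentation ranges and the hash is the MD5 of an empty file, so none of them is a real IoC. Atomic indicators (an IP, a domain) and a computed one (a file hash) are matched directly, and a simple behavioral rule then escalates any host that matched in more than one log type.

```python
"""IOC matching over constructed log lines (added example; placeholder indicators)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str   # "ip", "domain" (atomic) or "md5" (computed)
    value: str
    name: str   # label used in the alert; constructed, not a real campaign name


# Constructed indicator set: RFC 5737 address, reserved .invalid TLD,
# and the MD5 of the empty file. None of these are real IoCs.
INDICATORS = [
    Indicator("ip", "203.0.113.45", "placeholder-c2-ip"),
    Indicator("domain", "update.example.invalid", "placeholder-c2-domain"),
    Indicator("md5", "d41d8cd98f00b204e9800998ecf8427e", "placeholder-file-hash"),
]

# Constructed log lines in a simplified "ts logtype src key=value ..." shape
# (an assumption of this example, not any tool's real output format).
LOG_LINES = [
    "2024-01-01T10:00:01Z dns 10.0.0.5 query=Update.Example.Invalid. answer=203.0.113.45",
    "2024-01-01T10:00:02Z conn 10.0.0.5 dst=203.0.113.45 dport=443",
    "2024-01-01T10:00:03Z conn 10.0.0.7 dst=198.51.100.9 dport=80",
    "2024-01-01T10:05:00Z files 10.0.0.9 md5=D41D8CD98F00B204E9800998ECF8427E name=a.bin",
]


def normalize_domain(name):
    """Lowercase and strip the trailing dot so FQDN spellings compare equal."""
    return name.lower().rstrip(".")


def parse_line(line):
    ts, logtype, src, *pairs = line.split()
    rec = {"ts": ts, "log": logtype, "src": src}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def match_atomic(rec, indicators):
    """Return the indicators this one record matches (may be more than one)."""
    hits = []
    for ind in indicators:
        if ind.kind == "ip" and ind.value in (rec.get("dst"), rec.get("answer")):
            hits.append(ind)
        elif ind.kind == "domain" and "query" in rec and \
                normalize_domain(rec["query"]) == ind.value:
            hits.append(ind)
        elif ind.kind == "md5" and rec.get("md5", "").lower() == ind.value:
            hits.append(ind)
    return hits


def scan(lines, indicators):
    """Return (alerts, escalated_hosts).

    alerts: one (ts, src, logtype, indicator name) tuple per match.
    escalated_hosts: hosts with matches in two or more log types, a
    behavioral rule layered on top of the atomic/computed matches.
    """
    alerts = []
    logtypes_by_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        for ind in match_atomic(rec, indicators):
            alerts.append((rec["ts"], rec["src"], rec["log"], ind.name))
            logtypes_by_host[rec["src"]].add(rec["log"])
    escalated = sorted(h for h, t in logtypes_by_host.items() if len(t) >= 2)
    return alerts, escalated


if __name__ == "__main__":
    found, hosts = scan(LOG_LINES, INDICATORS)
    for a in found:
        print("ALERT", *a)
    print("escalated:", hosts)
```

The normalization step matters in practice: a DNS query logged with a trailing dot or mixed case is the same indicator, and a hash logged in uppercase is the same file. Without it, an exact-string match silently misses.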
Packet Analysis
As previously stated, the analysis phase of Network Security Monitoring is predicated on analyzing data to determine whether or not an incident has occurred. Given that the vast majority of the data collected by NSM tools relates to network activity, it should come as no surprise that the ability to analyze and interpret packet data is one of the most important skills an analyst can have. The first chapter of this book’s analysis section begins our journey into packet analysis from an NSM perspective. Its primary goal is to give you the knowledge you need to understand packets at a fundamental level, while also providing a framework for understanding the protocols that the chapter does not cover. These concepts are taught through the use of tcpdump and Wireshark. Towards the end of the chapter, we take a look at packet filtering, including capture filters and display filters.
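The following is an added example, not code from the book, showing what "understanding packets at a fundamental level" means in practice: it walks the Ethernet, IPv4 and TCP headers of a constructed frame by byte offset, the same way tcpdump's and Wireshark's dissectors do, and then applies a filter expression. The filter grammar (`host`, `src host`, `dst port`, joined by `and`) is a deliberately small subset modelled on capture-filter syntax and is an assumption of the example, not real BPF or Wireshark display-filter syntax; the frames use RFC 5737 documentation addresses and leave checksums at zero.

```python
"""Decode constructed Ethernet/IPv4/TCP frames and apply a small BPF-style filter
(added example; the filter grammar is a simplified subset written for illustration)."""
import socket
import struct

TCP_FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"),
                  (0x01, "FIN"), (0x04, "RST"), (0x20, "URG")]


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Build a test frame: Ethernet II + IPv4 (no options) + TCP (no options).
    Checksums are left at zero: fine for decoding, rejected by a real stack."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Walk the headers by offset and return the fields an analyst looks at first."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4; out of scope for this example
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": proto, "ttl": ip[8]}
    if proto == 6:
        tcp = ip[ihl:total_len]                   # trailing padding, if any, is dropped
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
        doff = (off >> 4) * 4                     # TCP data offset in bytes
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   flags=flags, payload=tcp[doff:])
    return pkt


def flag_names(flags):
    return [name for bit, name in TCP_FLAG_NAMES if flags & bit]


def matches(pkt, expr):
    """Evaluate 'host A and dst port N' style expressions (and-only subset)."""
    for clause in expr.split(" and "):
        words = clause.split()
        direction = None
        if words[0] in ("src", "dst"):
            direction, words = words[0], words[1:]
        kind, value = words
        if kind == "host":
            keys = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
            if not any(pkt.get(k) == value for k in keys):
                return False
        elif kind == "port":
            keys = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
            if not any(pkt.get(k) == int(value) for k in keys):
                return False
        else:
            raise ValueError(f"unsupported primitive: {kind}")
    return True


def filter_frames(frames, expr):
    """Decode each frame and keep those matching the filter expression."""
    return [p for p in map(decode_frame, frames) if p is not None and matches(p, expr)]


# Constructed traffic using documentation address ranges (RFC 5737).
FRAMES = [
    build_frame("192.0.2.10", "198.51.100.80", 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("192.0.2.10", "198.51.100.80", 51001, 443, b"", flags=0x02),
    build_frame("192.0.2.11", "198.51.100.25", 51002, 25, b"EHLO x\r\n"),
]

if __name__ == "__main__":
    for p in filter_frames(FRAMES, "host 192.0.2.10 and dst port 80"):
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], flag_names(p["flags"]), p["payload"])
```

Two details worth noticing: the IP header length and the TCP data offset are both read from the packet rather than assumed to be 20 bytes, which is what keeps the decoder correct when options are present, and the payload is sliced using the IP total length so Ethernet padding does not end up inside the application data.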
Vic (J.R.) Winkler, in Securing the Cloud, 2011.
Securing the Cloud: Architecture
Security monitoring operations draw on audit logs, network security monitoring (using traffic inspection tools such as Snort), and environmental data (see the Physical Security section above). The following are some of the requirements for security monitoring:
• Security monitoring must be a highly available and hardened service that is accessible both internally and externally in a secure manner, as determined by the organization.
• A security monitoring system must be in place.
• The generation of alerts based on automated recognition that a critical security event or situation has occurred or has been detected.
• The dissemination of critical alerts through a variety of channels so that security and management are made aware of the situation as soon as possible.
• Providing security personnel with the tools they need to investigate and prosecute an unfolding incident, or simply to review logs to improve alerting mechanisms or to manually identify security incidents.
• Implement an intrusion and anomaly detection capability for the entire cloud and consider offering it as a service to tenants or users (see Figure 4.2 for an overview of security event management and how it relates to security monitoring).
Figure 4.2: An overview of security event management and its role in monitoring security events.
Customer-facing intrusion/anomaly detection for platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) environments, as well as the ability to send appropriate event sets or alerts to a cloud provider’s security monitoring system, should also be taken into consideration. (Chapter 6, in the Security Monitoring section, goes into greater detail about this topic.)
• Ensure that security monitoring is implemented in such a way that it remains reliable and correct even when the pathway of event generation and collection fails, and that such failures are themselves reported. Security logs must be kept for a period that is consistent with applicable law, regulations, and the organization’s security policy.
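The last requirement is the one most often left unimplemented: a monitoring system that falls silent looks exactly like a quiet network. The following is an added example, not from Securing the Cloud, of a collection-health check run over constructed collector records. The `<timestamp> <source id> seq=<n>` record shape, the source names and the assumption that each source stamps its events with a monotonic sequence number are all assumptions of the example; it reports expected sources that have not been heard from within a silence window, and gaps in per-source sequence numbers that indicate events were generated but never collected.

```python
"""Collection-pathway health check (added example, constructed events).
Reports log sources that have gone silent and gaps in per-source sequence
numbers, so a broken generation/collection path is itself alerted on."""
from datetime import datetime, timedelta, timezone

# Constructed collector records: "<ISO timestamp> <source id> seq=<n>".
# The format and the seq= field are assumptions of this example.
EVENTS = [
    "2024-03-01T12:00:00Z fw-edge seq=100",
    "2024-03-01T12:00:05Z fw-edge seq=101",
    "2024-03-01T12:00:07Z ids-dmz seq=7",
    "2024-03-01T12:00:20Z fw-edge seq=104",   # 102 and 103 never arrived
    "2024-03-01T12:01:00Z ids-dmz seq=8",
]
EXPECTED_SOURCES = ["fw-edge", "ids-dmz", "vpn-gw"]  # vpn-gw never reports at all


def parse_event(line):
    ts, source, seq = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, source, int(seq.split("=", 1)[1])


def check_collection_health(events, expected_sources, now, max_silence):
    """Return {"silent": [...], "gaps": [(source, last_seq, seq), ...], "last_seen": {...}}.

    Assumes events arrive in order per source. A sequence number that jumps
    backwards is reported as a gap as well, since it usually means a source
    restart or a duplicated feed, both of which deserve a look.
    """
    last_seen, last_seq, gaps = {}, {}, []
    for line in events:
        when, source, seq = parse_event(line)
        if source in last_seq and seq != last_seq[source] + 1:
            gaps.append((source, last_seq[source], seq))
        last_seq[source] = seq
        last_seen[source] = max(when, last_seen.get(source, when))
    silent = [s for s in expected_sources
              if s not in last_seen or now - last_seen[s] > max_silence]
    return {"silent": sorted(silent), "gaps": gaps, "last_seen": last_seen}


def run_check():
    """Evaluate the constructed events at a fixed 'now' with a 5-minute silence window."""
    now = datetime(2024, 3, 1, 12, 6, 0, tzinfo=timezone.utc)
    return check_collection_health(EVENTS, EXPECTED_SOURCES, now, timedelta(minutes=5))


if __name__ == "__main__":
    result = run_check()
    for s in result["silent"]:
        print(f"SILENT source: {s}")
    for source, prev, cur in result["gaps"]:
        print(f"GAP in {source}: got seq {cur} after {prev}")
```

The expected-source list is the important input: a check that only iterates over sources it has already seen can never notice the one that stopped before the check started, which is why `vpn-gw` is flagged here even though it contributed no events.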
Identifying and preventing system intrusions
Scott R. Ellis, in Computer and Information Security Handbook (Third Edition), 2017.
True/False
1. Is this true or false? In network security monitoring (NSM), the most useful data is packet data.
2. Is this true or false? Observing the behavior of a hacker on your network is impossible to accomplish with taps enabled.
3. Is this true or false? If an intruder becomes aware that he is being watched, he may begin to deploy forensic countermeasures or, in the worst-case scenario, may begin to take hostages; in other words, he may decide to deploy ransomware throughout your network.
4. Is this true or false? The world of security is populated by professionals who are skeptical, hyper-paranoid, critical, reality-seeking, and hands-on in their work.
5. Is this true or false? Emails from friends, business associates, colleagues, and family members can all be used to gain access to a computer system or network.
Foreword Contributor
In his role as Chairman and CEO of NetWitness Corporation, Amit Yoran has established the company as the world’s leading provider of next-generation network security monitoring solutions. In his previous positions, Mr. Yoran served as Director of the National Cyber Security Division of the Department of Homeland Security, as well as CEO and advisor to In-Q-Tel, the venture capital arm of the Central Intelligence Agency (CIA). Yoran was a co-founder of Riptech, the market-leading managed security services company, and served as its CEO from the time of the company’s inception in 1996 until it was acquired by Symantec in 2002. A former officer in the United States Air Force, he worked as part of the Department of Defense’s Computer Emergency Response Team (CERT).
Intrusion Prevention and Detection Systems
Christopher Day, in Computer and Information Security Handbook, 2009.
Network Session Analysis
Network session data is a high-level summary of “conversations” that take place between computer systems over a network connection.
Although no specifics about the content of the conversation, such as packet payloads, are retained, several elements about the conversation are, and these can be extremely useful in the investigation of an incident or as an early indicator of suspicious activity. NetFlow is one example of a vendor-specific implementation that generates and processes network session data. Another example is the reconstruction of network session data from full traffic analysis using tools like Argus. Regardless of how the session data is generated, several common elements make up every session: the source IP address, source port, destination IP address, destination port, time-stamp information, and a variety of metrics about the session, such as bytes transferred and packet distribution.
An analyst can use the collected session information to examine traffic patterns on a network, determine which systems are communicating with one another, and identify which sessions are suspicious and should be investigated further. For example, an alarm can be generated if a session or series of sessions appears between an internal server and Internet addresses that have no legitimate reason to communicate with it. Depending on the circumstances, the analyst may suspect a malware infection or other system compromise and proceed with further investigation. Many other queries can be written to identify sessions that are abnormal in some way, such as sessions with excessive byte counts, excessive session lifetimes, or unexpected ports. When the analysis is carried out over a sufficient period, a baseline for traffic sessions can be established, and the analyst can query for sessions that do not conform to it. This type of investigation is an anomaly detection technique that uses high-level network data, as opposed to the more detailed data types discussed for NIDS and NIPS. Figure 18.7 shows a graphical representation of network session data: several nodes are shown communicating with one another on the left side of the screen, and the physical locations of the IP addresses of other flows are shown on the right.
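The following added example ties together this passage and the earlier Sanders and Smith abstract on statistical data: it is not code from either book or from the SiLK project. Over two constructed sets of NetFlow-style session records (one "yesterday" set used to build a baseline, one "today" set to query), it produces top-talker and per-interval counts in the spirit of rwstats and rwcount, builds a per-destination-port byte baseline plus a global duration baseline, and then runs the three queries named above: excessive byte counts, excessive session lifetimes, and unexpected ports. The CSV column layout, the z-score threshold of 3 and all addresses (RFC 5737 ranges) are assumptions of the example.

```python
"""Session statistics and baseline-driven anomaly queries over constructed
NetFlow-style records (added example; synthetic data, and the functions only
imitate what tools like rwstats and rwcount do)."""
import csv
import io
import statistics
from collections import Counter, defaultdict

# Constructed "yesterday" sessions used to build the baseline.
BASELINE_CSV = """ts,src,sport,dst,dport,proto,bytes,duration
1700001000,10.0.0.5,50001,198.51.100.20,443,tcp,2100,3
1700001100,10.0.0.6,50002,198.51.100.20,443,tcp,2300,4
1700001200,10.0.0.5,50003,198.51.100.20,443,tcp,1900,2
1700001400,10.0.0.7,50004,198.51.100.20,443,tcp,2500,5
1700001500,10.0.0.6,50005,198.51.100.20,443,tcp,2200,3
1700001700,10.0.0.5,50006,198.51.100.20,443,tcp,2000,4
1700001050,10.0.0.5,40001,198.51.100.53,53,udp,120,0
1700001650,10.0.0.7,40002,198.51.100.53,53,udp,140,0
"""

# Constructed "today" sessions to query against that baseline.
TODAY_CSV = """ts,src,sport,dst,dport,proto,bytes,duration
1700086400,10.0.0.6,50101,198.51.100.20,443,tcp,2200,3
1700086500,10.0.0.5,50102,198.51.100.20,443,tcp,900000,5
1700086600,10.0.0.9,50103,203.0.113.77,4444,tcp,500,3600
"""

INT_FIELDS = ("ts", "sport", "dport", "bytes", "duration")


def load_sessions(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for f in INT_FIELDS:
            r[f] = int(r[f])
    return rows


def top_talkers(sessions, key="dst", n=3):
    """Bytes summed per value of `key`, largest first (an rwstats-style top-N)."""
    totals = Counter()
    for s in sessions:
        totals[s[key]] += s["bytes"]
    return totals.most_common(n)


def count_by_interval(sessions, interval):
    """Session and byte counts per time bin of `interval` seconds (rwcount-style)."""
    bins = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        b = bins[s["ts"] - s["ts"] % interval]
        b["sessions"] += 1
        b["bytes"] += s["bytes"]
    return dict(bins)


def _mean_sd(values):
    return statistics.mean(values), statistics.pstdev(values)


def zscore(x, mean, sd):
    if sd == 0:                       # constant baseline: any change is infinitely unusual
        return 0.0 if x == mean else float("inf")
    return (x - mean) / sd


def build_baseline(sessions):
    """Per-destination-port byte statistics plus a global duration statistic."""
    by_port = defaultdict(list)
    for s in sessions:
        by_port[s["dport"]].append(s["bytes"])
    return {"bytes_by_port": {p: _mean_sd(v) for p, v in by_port.items()},
            "duration": _mean_sd([s["duration"] for s in sessions])}


def find_anomalies(sessions, baseline, threshold=3.0):
    """Return (reason, dst, dport) for each way a session fails to fit the baseline."""
    out = []
    for s in sessions:
        port_stats = baseline["bytes_by_port"].get(s["dport"])
        if port_stats is None:
            out.append(("unexpected_port", s["dst"], s["dport"]))
        elif zscore(s["bytes"], *port_stats) > threshold:
            out.append(("bytes", s["dst"], s["dport"]))
        if zscore(s["duration"], *baseline["duration"]) > threshold:
            out.append(("duration", s["dst"], s["dport"]))
    return out


if __name__ == "__main__":
    base = load_sessions(BASELINE_CSV)
    print("top talkers:", top_talkers(base))
    print("per 5 min:", count_by_interval(base, 300))
    for hit in find_anomalies(load_sessions(TODAY_CSV), build_baseline(base)):
        print("ANOMALY", *hit)
```

Keying the byte baseline by destination port is what makes the "excessive byte count" query meaningful: a 900 kB transfer is unremarkable on a backup port and very remarkable on a port whose sessions are normally a couple of kilobytes. On real data the baseline window should be long enough to cover the weekly cycle, and a port seen only once or twice in the baseline has a standard deviation too small to trust, which the sd == 0 guard only partly addresses.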