April 12, 2018
Network Monitoring: Reinforcement in the Fight
for Confidentiality, Integrity and Availability
“To be is to do”—Socrates.
“To do is to be”—Jean-Paul Sartre.
“Do be do be do”—Frank Sinatra.
When first taking on the responsibility for network monitoring, an analyst can feel overwhelmed. It seems like every single physical entity with a cord coming out of the back of it generates a log file that needs to be monitored, analyzed, and backed up. Any alarm or warning has to be tracked down to it’s source and then, while doing that, the other devices keep generating more logs that need to be monitored, analyzed and backed up. In olden days, analysts had to do this by hand, which lead to the creation of scripts and special configurations that varied from location to location, and from sysadmin to sysadmin. After many years of this, one could spot an analyst from their tendency to shave their heads to avoid the pain associated with pulling their hair out in frustration.
Evolution came along in the form of analysts looking for sanity and weekends off and they invented security information and event management (SIEM) software. At first, the software appeared to make everything better and there were fewer pagers going off at night, but in a demonstration of Murphy’s Law at it’s finest, analysts discovered that the lack of alarms and the lack of pages in the wee hours of the night was not a lullaby preceding a good night’s sleep, but in fact it was the silent scream that Edvard Munch depicted. This gave analysts and sysadmins entirely new reasons to hate Mondays and to place black gaffers tape over the voicemail indicator light on their phones.
On the way to our glorious future something went terribly wrong.
Not only did the the new tools often not trigger required alarms, they also triggered false alarms. Sometimes, they simply did nothing because the tool was not configured to look for the unexpected, like an elephant in the break room. With every network in every company being unique, and with the growing number of system administrators not wanting to face change control headaches, a unified solution to address this problem seemed like an impossibility. Many tools and software packages came out-of-the-box with some good baselines, but there never was, and there never will be, a cookie cutter solution that comes out-of-the-box, ready to handle all of your needs until Charles Forbin hands over the keys to artificial intelligence. Although modern tools have the ability to create order out of chaos, they can not make reason without the partnership, knowledge and experience of the people responsible for the network. It became the classic dilemma of having the toolbox, but no construction plans to build with.
So how is it that we do what we do? Each analyst has their own ‘secret sauce’ for making an efficient and secure security operations center. Many a white paper has been written on the subject, including one of my own. Times change, however, and every day a new threat emerges and new methods must be created to reinforce the never ending fight for the confidentiality, integrity and availability of our networks.
Over the next few blog entries I will take you on a journey, much like Carl Sagan did with his Starship of the Imagination, across a theoretical network and show how to combine technical knowledge, modern methods of detection and defense with streaming analytics, all together orchestrating a proactive security posture that can be applied to any network. I will also show how streaming analytics can be leveraged in the toolbox of the analyst to help be both reactive and proactive in the face of modern attacks.
Do you have any feedback or suggestions for The Analyst’s Shack? How about a topic you would like to see tackled? Send an email to firstname.lastname@example.org.