Friday, June 15, 2007

DHS Einstein Demonstrates Value of Session Data

If you're looking for case studies to show management to justify collecting session data, check out "Einstein keeps an eye on agency networks." I've known about this program for several years but waited until a high-profile story like this to mention it in my blog. Basically:

Since 2004, Einstein has monitored participating agencies' network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks.

US-CERT's security analysts use Einstein data to correlate cross-agency security incidents. Participating agencies can go to a secure Web portal to view their own network gateway data.

Einstein doesn't eliminate the need for intrusion-detection systems on agencies' networks, said Mike Witt, deputy director of US-CERT. But the 24-hour monitoring program does give individual agencies a view of activity in other parts of the federal network infrastructure that could affect their own networks...

Ten agencies participate in Einstein, and four or five others have indicated they plan to join by the end of the year. Witt said DHS officials hope to have most Cabinet-level agencies in the program by the end of 2008. DHS will try to expand participation to more of the midsize and small federal agencies later, he said.

"Einstein is not mandatory, so we have to do a sales job with agencies," Witt said. Witt wouldn't name the agencies that have signed up. In a public presentation last year, however, a DHS official identified eight participants. They were DHS, DOT, the departments of State, Treasury and Education, the Federal Trade Commission, the Securities and Exchange Commission, and the U.S. Agency for International Development. The Justice Department has since joined the program.

This is just the sort of project I'd like to roll out at my new job, possibly combining Argus with ArgusEye, or maybe just Sguil without Snort. The idea is to be an internal security awareness provider for business units, offering them better insights into their network activity while using that data to monitor for attacks and respond to incidents more effectively.

After a pilot program to demonstrate the value of the approach, I would consider more robust options like an internally developed product or a commercial option. I know of at least one large customer of mine who read my first book and built their own session and full content capture appliance for about $50,000, rated up to OC-48 for full content collection.

Note that Einstein is session data only, and from what I hear some people find its capabilities and data format lacking -- hence the desire to run something else, pairing session data with full content. Session data is very helpful but never sufficient for real investigations.
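To make the "big-picture view" concrete, here is an added example (not code from the post, from Argus, or from DHS/US-CERT) that correlates constructed Argus-style session records from several agency gateways. It shows how one external source sweeping a single port across agencies stands out in the combined view while each agency's own gateway slice looks unremarkable; the agency names and addresses are constructed sample data.

```python
"""Cross-agency correlation of session (flow) records, as described in the
Einstein article. Example code with constructed data; not from the post."""
from collections import defaultdict

# Constructed session records: (agency, src, dst, proto, dport, bytes).
# Session data carries no payload, only who talked to whom and how much.
SESSIONS = [
    ("DOT",      "198.51.100.7", "10.1.0.5",     "tcp", 445, 1200),
    ("DOT",      "198.51.100.7", "10.1.0.6",     "tcp", 445, 1190),
    ("DOT",      "198.51.100.7", "10.1.0.9",     "tcp", 445, 1210),
    ("State",    "198.51.100.7", "10.2.4.2",     "tcp", 445, 1180),
    ("State",    "198.51.100.7", "10.2.4.3",     "tcp", 445, 1205),
    ("Treasury", "198.51.100.7", "10.3.1.1",     "tcp", 445, 1195),
    ("Treasury", "10.3.1.44",    "203.0.113.10", "tcp", 443, 48200),
    ("State",    "10.2.4.9",     "203.0.113.11", "tcp", 80,  15000),
]


def visible_to(sessions, agency):
    """The slice a single agency sees in its own gateway portal view."""
    return [s for s in sessions if s[0] == agency]


def fan_out(sessions, min_targets=3, min_agencies=2):
    """Return (src, dport) pairs where one external source reached at least
    `min_targets` distinct internal hosts spanning `min_agencies` agencies.
    A one-port sweep like this is the worm/scan pattern the article says
    Einstein watches for; only the combined view can count across agencies."""
    targets = defaultdict(set)
    agencies = defaultdict(set)
    for agency, src, dst, _proto, dport, _bytes in sessions:
        if src.startswith("10."):  # internally originated; not a sweep source
            continue
        targets[(src, dport)].add(dst)
        agencies[(src, dport)].add(agency)
    return {
        key: {"hosts": len(targets[key]), "agencies": sorted(agencies[key])}
        for key in targets
        if len(targets[key]) >= min_targets and len(agencies[key]) >= min_agencies
    }


if __name__ == "__main__":
    print("Treasury alone:", fan_out(visible_to(SESSIONS, "Treasury")))  # {}
    print("Cross-agency:  ", fan_out(SESSIONS))
```

The flagged pair tells an analyst where to look, but because the records hold no content, confirming what was actually sent on port 445 needs the full content capture the post argues for pairing with session data.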

5 comments:

Anonymous said...

Sounds like they are using something like Ourmon. If you want to do something similar to what they're doing, Ourmon might be a better solution than Argus. There are a few chapters on using Ourmon in Botnets: The Killer Web Applications if you're interested...

Richard Bejtlich said...

They're using something like Argus, but not Argus. I've seen the data.

Unknown said...

So...something that you can switch into full content mode and send to bigger storage! :D

C.S.Lee said...

Rich,

Something interesting about session data is that it can give you a clue about a malicious event instead of relying on alert data only. It definitely increases your chance of noticing malicious activities, and storing historical session data is way cheaper.

Argus allows you to read a partial user data dump, so sometimes it is enough to perform network forensics relying on Argus itself; however, Ourmon serves more as a real-time flow monitoring tool, and the graphs generated by it are meaningful.

Anonymous said...
This comment has been removed by a blog administrator.