Monday, December 04, 2017

On "Advanced" Network Security Monitoring

My TaoSecurity News page says I taught 41 classes lasting a day or more, from 2002 to 2014. All of these involved some aspect of network security monitoring (NSM). Many times students would ask me when I would create the "advanced" version of the class, usually in the course feedback. I could never answer them, so I decided to do so in this blog post.

The short answer is this: at some point, advanced NSM is no longer NSM. If you consider my collection - analysis - escalation - response model, NSM extensions from any of those phases quickly have little or nothing to do with the network.

Here are a few questions I have received concerning "advanced NSM," paired with the answers I could have provided.

Q: "I used NSM to extract a binary from network traffic. What do I do with this binary?"

A: "Learn about reverse engineering and binary analysis."

Or:

Q: "I used NSM to extract Javascript from a malicious Web page. What do I do with this Javascript?"

A: "Learn about Javascript de-obfuscation and programming."

Or:

Q: "I used NSM to capture an exchange between a Windows client and a server. What does it mean?"

A: "Learn about Server Message Block (SMB) or Common Internet File System (CIFS)."

Or:

Q: "I used NSM to capture cryptographic material exchanged between a client and a server. How do I understand it?"

A: "Learn about cryptography."

Or:

Q: "I used NSM to grab shell code passed with an exploit against an Internet-exposed service. How do I tell what it does?"

A: "Learn about programming in assembly."

Or:

Q: "I want to design custom hardware for packet capture. How do I do that?"

A: "Learn about programming ASICs (application specific integrated circuits)."

I realized that I had the components of all of this "advanced NSM" material in my library. I had books on reverse engineering and binary analysis, Javascript, SMB/CIFS, cryptography, assembly programming, ASICs, etc.

The point is that eventually the NSM road takes you to other aspects of the cyber security landscape.

Are there *any* advanced areas for NSM? One could argue that protocol analysis, as one finds in tools like Bro, Suricata, Snort, Wireshark, and so on, constitutes advanced NSM. However, you could just as easily argue that protocol analysis becomes more about understanding the programming and standards behind each of the protocols.

In brief, to learn advanced NSM, expand beyond NSM.