
Obtaining the visibility, correlating the data, and knowing your network.

Level 10

Given the current state of networking and security, and with the prevalence of DDoS attacks such as the NTP monlist attack, SNMP and DNS amplification, very directed techniques like doxing and, most importantly to many enterprises, exfiltration of sensitive data, network and security professionals are forced to look at creative and often innovative means to ascertain information about their networks and traffic patterns. This can sometimes mean finding and collecting data from many sources and correlating it, or in extreme cases obtaining access to otherwise secure protocols.

Knowing your network and computational environment is absolutely critical to the classification and detection of anomalies and potential security infractions. In today’s hostile environments, which have often had to grow organically over time, and given the importance and the often associated expense of obtaining, analyzing and storing this information, what creative ways are being utilized to accomplish these tasks? How is the correlation being done? Are enterprises and other large networks utilizing techniques like full packet capture at their borders? Are you performing SSL intercept and decryption? How is correlation and cross-referencing of security and log data accomplished in your environment? Is it tied into any performance or outage sources?

2 Comments
Level 17

* The trick is correlation, as we span several departments... some departments have the tools, and where I am we have our skills + The Orion Platform. InfoSEC may see something, or have a red flag to investigate (they can tell you the traffic caused, locations to and from, insight into the bot/mal/virus, file patterns and even how to remediate sometimes), but when it comes to tracking the user or device I start seeing emails. Especially when tracking a wireless user and their history.

  - I often probe, query, figure out, hax items that have limited visibility - get them set up and start a cookie-cutter display for these things.
  - We are so big that several larger departments/groups of workers have their own IT group for support.

How is the correlation being done? Several different departments, several different monitoring and tracking solutions, depending on the dept., what that dept. does and what it monitors and tracks.

Are enterprises and other large networks utilizing techniques like full packet capture at their borders? Some are. The border edge is a good place to put a tap; at the very least you can see them at the gates.

Are you performing SSL intercept and decryption? I can neither confirm nor deny this statement.

How is correlation and cross-referencing of security and log data accomplished in your environment? It mostly gets done in another environment.

Level 10

My experience has been that a combination of full packet captures, IDS systems, flow data and syslog data, in combination with reference graphs for CPU and interface statistics, ends up being the necessary toolset for rooting out offenders. Correlation is the hard part in every environment I've worked in. There is so much data in so many formats that it becomes unwieldy.
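
The original post asks how correlation and cross-referencing of security and log data is done and whether it is tied into performance or outage sources, and the comment above lists IDS alerts, flow data, syslog and interface graphs as the working toolset. The script below is an added example (not code from this thread or from any product mentioned in it) showing the simplest form of that correlation in Python: for each IDS alert, pull the flow records, syslog lines and interface utilisation samples that fall within a time window around the alert and involve the same source host, then report bytes sent, device identity hints (MAC addresses from DHCP/WLC logs) and whether the border link was saturated at the time. Every record, host name, IP address, signature name and interface name is constructed for the example; the syslog year is an assumption because BSD-style syslog timestamps carry none.

```python
"""Correlate IDS alerts with flow records, syslog lines and interface
utilisation samples on (source host, time window).

All records below are constructed for this example; none are real telemetry."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ASSUMED_YEAR = 2014  # BSD syslog timestamps carry no year; assumed for parsing
_TS_FMT = "%Y-%m-%d %H:%M:%S"
_SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)

# --- constructed sample records (hypothetical hosts, addresses, signatures) ---
IDS_ALERTS = [  # (timestamp, src_ip, dst_ip, signature)
    ("2014-03-10 14:02:15", "10.0.0.5", "203.0.113.9", "Outbound DNS volume anomaly"),
    ("2014-03-10 16:40:00", "10.0.0.77", "198.51.100.4", "Possible C2 beacon"),
]
FLOWS = [  # (timestamp, src_ip, dst_ip, dst_port, bytes)
    ("2014-03-10 14:01:50", "10.0.0.5", "203.0.113.9", 53, 48_000_000),
    ("2014-03-10 14:02:20", "10.0.0.5", "203.0.113.9", 53, 52_000_000),
    ("2014-03-10 14:03:05", "10.0.0.5", "203.0.113.9", 53, 47_000_000),
    ("2014-03-10 15:00:00", "10.0.0.12", "192.0.2.30", 443, 12_000),
    ("2014-03-10 16:39:30", "10.0.0.77", "198.51.100.4", 443, 3_100),
]
SYSLOG = [
    "Mar 10 14:02:11 fw01 kernel: ACCEPT src=10.0.0.5 dst=203.0.113.9 proto=UDP dpt=53",
    "Mar 10 14:02:40 dhcp01 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (lab-ws-17) via eth0",
    "Mar 10 15:00:03 fw01 kernel: ACCEPT src=10.0.0.12 dst=192.0.2.30 proto=TCP dpt=443",
    "Mar 10 16:39:58 wlc01 aaa: user jdoe authenticated, client 10.0.0.77 mac 66:77:88:99:aa:bb ap=AP-3F-EAST",
]
IFACE_UTIL = [  # (timestamp, interface, utilisation percent), one-minute samples
    ("2014-03-10 14:01:00", "border-gw:ge-0/0/0", 31),
    ("2014-03-10 14:02:00", "border-gw:ge-0/0/0", 94),
    ("2014-03-10 14:03:00", "border-gw:ge-0/0/0", 97),
    ("2014-03-10 16:40:00", "border-gw:ge-0/0/0", 28),
]


def _ts(s):
    return datetime.strptime(s, _TS_FMT)


def parse_syslog(line, year=ASSUMED_YEAR):
    """Split a BSD-style syslog line into (timestamp, host, ips, macs, raw line)."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return stamp, m.group(2), set(_IP_RE.findall(line)), set(_MAC_RE.findall(line)), line


@dataclass
class Incident:
    alert_time: datetime
    host: str
    signature: str
    flows: list = field(default_factory=list)       # (dst_ip, dst_port, bytes)
    bytes_out: int = 0
    log_lines: list = field(default_factory=list)   # raw syslog lines naming the host
    macs: set = field(default_factory=set)          # device identity hints from logs
    util_peak: int = 0                              # highest link utilisation in window
    perf_impact: bool = False                       # did the link saturate at the same time?


def correlate(alerts, flows, syslog, iface_util, window_s=120, util_threshold=90):
    """Join every IDS alert to the other sources on (src host, +/- window_s)."""
    win = timedelta(seconds=window_s)
    parsed_logs = [parse_syslog(line) for line in syslog]
    incidents = []
    for a_ts, src, _dst, sig in alerts:
        t = _ts(a_ts)
        lo, hi = t - win, t + win
        inc = Incident(t, src, sig)
        for f_ts, fsrc, fdst, dport, nbytes in flows:
            if fsrc == src and lo <= _ts(f_ts) <= hi:
                inc.flows.append((fdst, dport, nbytes))
                inc.bytes_out += nbytes
        for lt, _lhost, ips, macs, raw in parsed_logs:
            if src in ips and lo <= lt <= hi:
                inc.log_lines.append(raw)
                inc.macs |= macs
        for u_ts, _iface, pct in iface_util:
            if lo <= _ts(u_ts) <= hi:
                inc.util_peak = max(inc.util_peak, pct)
        inc.perf_impact = inc.util_peak >= util_threshold
        incidents.append(inc)
    return incidents


if __name__ == "__main__":
    for inc in correlate(IDS_ALERTS, FLOWS, SYSLOG, IFACE_UTIL):
        print(f"{inc.alert_time} {inc.host} [{inc.signature}] flows={len(inc.flows)} "
              f"bytes_out={inc.bytes_out} macs={sorted(inc.macs)} "
              f"util_peak={inc.util_peak}% perf_impact={inc.perf_impact}")
```

The join key is deliberately crude (source IP plus a fixed window); in a real environment the same host can change address between DHCP leases, so the MAC pulled from the DHCP or wireless controller log is what survives across the history of a user, which is the tracking problem the first comment describes. The `perf_impact` flag is the answer to the original post's last question: the first constructed alert lines up with a border link at 94-97% utilisation, so a NOC outage ticket and a security alert are the same event, while the second alert moved a few kilobytes and touched nothing on the performance side.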

About the Author
15+ years IT experience ranging from networking, UNIX, security policy, incident response and anything else interesting. Mostly just a networking guy with hobbies including, film, beer brewing, boxing, MMA, jiu jitsu/catch wresting/grappling, skateboarding, cycling and being a Husband and Dad. I don't sleep much.