Monday, July 27, 2009

Recent vendor press releases by NitroSecurity and NetWitness highlight the evolving requirement for full network packet collection, indexing and reconstruction for analysis.  These products and others (including Solera Networks) illustrate an emerging market in total network awareness.  Working in conjunction with Log Management (LogLogic, Splunk, ArcSight Logger, etc.) and SIEM tools (RSA, EiQNetworks and of course ArcSight ESM), these tools provide invaluable insight into your network’s behavior (not to mention the behavior of individual users and applications over the network).  NitroSecurity updated their capabilities to include what they term “content aware SIEM,” and NetWitness announced a milestone of 15,000 active users.  Both press releases highlighted quotes from Decurity, which we appreciate, but more important to us, the emergence and rapid growth of this market segment adds further credibility to Security Professionals having all of the right tools and information available.  Recent news about DHS Einstein and NSA Tutelage technologies also points towards an increased trend in better, more capable Collection tools.

Security Operations and Incident Response capabilities can’t continue to function in the dark and be expected to adequately protect the enterprise.  We need to make all of the applicable information available and apply intelligent analytical techniques against the data set so that we can more rapidly and accurately identify risks to the enterprise.  These tools, when used properly, can reduce the analytical time required to identify incidents to time segments measured in seconds and can help you understand the scope of the incident much more rapidly.  You can review the artifacts (documents, files, audio, video, web, email, chat, as well as interactive sessions (ftp, telnet, ssh, etc.)) instantly and determine the legitimacy of the session.  You can extract information and search log management/SIEM for related events and set up alerts and workflow along the way.  All in a matter of clicks.  Of course you can accomplish the reverse and search for anomalies identified in SIEM/Log Management or IDS/IPS in your Network Awareness tool and understand quickly what occurred.  With this level of information available to you, the limitations of the analysis have more to do with the level of expertise of the user/analyst than with the information.
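The pivot described above (pull indicators out of a reconstructed session, search log management for related events, scope the incident by affected host, and turn the indicators into an alert) is easy to show in a few lines. The following is an added example written for this post, not code from NetWitness, NitroSecurity or any other product mentioned here; the session indicators, the log format and every log line are constructed for the illustration.

```python
"""Pivot from indicators extracted out of a reconstructed network session into
log-management data: find related events, scope the incident per internal
host, and build a watchlist rule so future hits raise an alert.

All values below are constructed for this example; they are not real IoCs."""
import re
from collections import defaultdict
from datetime import datetime

# Indicators assumed to have been extracted from a session reconstructed in a
# full-packet-capture tool (hypothetical, constructed values).
SESSION_INDICATORS = {
    "dst_ip": {"203.0.113.45"},
    "hostname": {"update-cdn.example.net"},
}

# Constructed sample lines in a simple key=value proxy and DNS-resolver format
# (a stand-in for whatever your log-management tool exports).
LOG_LINES = [
    "2009-07-27T09:02:11Z proxy src=10.1.4.22 dst=203.0.113.45 host=update-cdn.example.net method=GET status=200 bytes=184320",
    "2009-07-27T09:02:13Z dns src=10.1.4.22 query=update-cdn.example.net answer=203.0.113.45",
    "2009-07-27T09:05:40Z proxy src=10.1.7.8 dst=198.51.100.9 host=www.example.org method=GET status=200 bytes=512",
    "2009-07-27T09:41:02Z dns src=10.1.9.101 query=update-cdn.example.net answer=203.0.113.45",
    "2009-07-27T09:41:03Z proxy src=10.1.9.101 dst=203.0.113.45 host=update-cdn.example.net method=POST status=200 bytes=2048",
    "2009-07-27T10:15:55Z proxy src=10.1.4.22 dst=203.0.113.45 host=update-cdn.example.net method=POST status=200 bytes=4096",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> <source> k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def matches(event, indicators):
    """True if the event touches any session indicator by IP or by name."""
    ip_fields = {event.get("dst"), event.get("answer")}
    name_fields = {event.get("host"), event.get("query")}
    return bool(ip_fields & indicators["dst_ip"] or name_fields & indicators["hostname"])


def pivot(log_lines, indicators):
    """Return (related events, per-source-host scope summary)."""
    related = [e for e in map(parse_line, log_lines) if matches(e, indicators)]
    scope = defaultdict(lambda: {"first_seen": None, "last_seen": None, "events": 0})
    for e in related:
        entry = scope[e["src"]]
        entry["events"] += 1
        if entry["first_seen"] is None or e["ts"] < entry["first_seen"]:
            entry["first_seen"] = e["ts"]
        if entry["last_seen"] is None or e["ts"] > entry["last_seen"]:
            entry["last_seen"] = e["ts"]
    return related, dict(scope)


def alert_rule(indicators):
    """Render the indicators as a tool-neutral watchlist rule (constructed
    syntax) so the SIEM can alert on the next host that touches them."""
    ips = ", ".join(sorted(indicators["dst_ip"]))
    names = ", ".join(sorted(indicators["hostname"]))
    return "ALERT WHEN dst IN (%s) OR host IN (%s) OR query IN (%s)" % (ips, names, names)


if __name__ == "__main__":
    related, scope = pivot(LOG_LINES, SESSION_INDICATORS)
    print("%d related events across %d hosts" % (len(related), len(scope)))
    for host, summary in sorted(scope.items()):
        print(host, summary["events"], summary["first_seen"], summary["last_seen"])
    print(alert_rule(SESSION_INDICATORS))
```

Running it on the constructed lines surfaces a second internal host (10.1.9.101) that touched the same destination forty minutes after the session the analyst started from, which is exactly the scoping step the post is talking about; the watchlist rule closes the loop so the next occurrence is caught by the SIEM rather than by a manual search.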

The use of these tools in the right hands allows for much more than just security “alerts” and incident identification.  They lend themselves to true security convergence concepts and overall enterprise intelligence and security operations.  More on those concepts over the next few months.


References:
NetWitness, “July 27, 2009 | Security Experts Worldwide Rely Upon NetWitness® Investigator.” Link: http://www.netwitness.com/resources/pressreleases/Jul272009.aspx

NitroSecurity, “NitroSecurity Heightens Enterprise Security Information Management with Real-Time Application Content and Protocol Analysis.” Link: http://www.nitrosecurity.com/information/news/pr/2009/20090722.psp

Decurity Blog, Dec 2008: http://blog.decurity.com/index.php/dec_template/more/netwitness_investigator_summary_1/


Thursday, July 02, 2009

Today Ellen Nakashima of The Washington Post published an article about DHS US-CERT, NSA and telecommunications providers collaborating to monitor civilian agency Internet traffic using DHS’s planned Einstein 3 tool to help defend these civilian government entities.  The article correctly illustrates that NSA has the expertise and tools like Tutelage to know more about the context of the attacks.  It also states that DHS has the authorization to monitor using Einstein (enforced by the TIC program).  If you’ll remember, a while back I talked about Trusted Internet Connection (TIC) and its role in consolidating Internet points of presence and providing chokepoints to monitor and defend for the government.
For reference see: http://blog.decurity.com/index.php/dec_template/more/dhs_einstein_tic_overview/ and http://blog.decurity.com/index.php/dec_template/more/dhs_blog_round_table/

In short, TIC mandated that government agencies meet very stringent requirements in order to become a TICAP (provider) or use pre-approved TICAPs (Telecom or other Agency) for all Internet traffic.  The monitoring capabilities of these TICs are referenced in my earlier posts, but let’s just say it’s EVERYTHING.  Not that I’m complaining; from a capabilities perspective I think NSA and Cyber Command should be making the most out of this information to help protect the government and, as Richard Bejtlich speculates, eventually “.com”.  NSA has the expertise and intelligence data, while DHS has the authorization to monitor, the framework to force everyone to play (TIC) and a toolset that is evolving (Einstein v2 is still being rolled out, v3 is in development).  On a side note, I do have to wonder why the government isn’t using more capable tools like NetWitness or Solera in conjunction with NSA tools and building a META SIEM to incorporate Intelligence feeds, but that’s a topic for a later post.

My biggest question is this: I wonder how US-CERT and NSA are going to collaborate more effectively.  Is Einstein raw data going to be handled by NSA, and if so, what’s the point of US-CERT in the future?

Should be interesting to see what happens once the cyber czar is appointed; from what I can tell his/her kingdom has already laid a very clear path forward, and the czar may simply be along for the ride while NSA drives over everyone else.

Update 1 (3 July 2009; 0930 EDT): Siobhan Gorman of The Wall Street Journal also has an article on this topic, “Troubles Plague Cyberspy Defense.”  This article takes a more conservative approach in describing what is happening across government with regard to consolidated monitoring.  According to the article, Einstein v3 will be updated/rebuilt to more closely align with NSA Tutelage and is at least 18 months out.  The idea is that it would start to develop full packet inspection capabilities (like NetWitness, Solera and a few others).

My Notes: If this perspective is more accurate, it seems US-CERT would monitor using technology enabled by NSA, instead of NSA accomplishing the monitoring.  IMHO, from what I’ve seen certain executive layers at DHS have not enabled US-CERT to be effective enough to actually function as a true analytical center, even though US-CERT has some very good people capable of executing on that mission.  In fact, I’d go as far as to say DHS is at risk of losing key staff if they don’t figure out a better way to enable their team.  The place is known as a revolving door for a reason: the people they hire are very capable and motivated, but the organization itself may not be best suited for that expertise and vision.


Created by: Rocky
Category: Rocky's Blog

