NBA for Network-wide visibility

Shimel has taken a stab at defining zero-days (here)(here) and (here). Rothman has weighed in (here), so has the Mogull (here) – good stuff!

I am going to step out of the naming convention debate, but I did want to post on a technology area that can assist an organization in identifying suspicious behavior that may be indicative of an unknown exploit taking advantage of an unknown vulnerability.

Network behavior analysis (NBA), formerly referred to as NBAD, provides network-wide visibility through the collection of netflow, and generally coupled with native packet capture, can be used to detect behaviors that may be missed by other detection methods, such as intrusion prevention systems (NBA is NOT IPS). This visibility can be used to identify worms, unauthorized protocols and suspicious behavior. Steinnon has a nice write up (here) and (here)

In the right hands, they can assist in identifying zero-day attacks so that an organization can take actions to limit their impact – which is about all you can do against these type of attacks. They are obviously not a silver-bullet, and they are not anti-zero-day tools but the level of network visibility and analysis they provide, coupled with security context can certainly raise the bar on how quickly an organization can respond to such threats. Again the goal of security is not to prevent all bad things from occurring – this is an unachievable goal – the goal of security is to limit the probability of a successful incident and when one does occur, which it will, limit its impact on the environment.

“And that’s all I have to say about that.”

8 thoughts on “NBA for Network-wide visibility

  1. “Again the goal of security is not to prevent all bad things from occurring – this is an unachievable goal”.

    It is only unachievable if one believes it is unachievable, grasshopper. A system that is deny-by-default (a la Ranum) and operates with a white list of allowable privileges will prevent all bad things from happening-by default!

    Network security will not be able to secure data at the document level, and you are therefore correct in making your statement in that context.

  2. A white-list that is deny-by-default will prevent all bad things from happening by default – A white-list will prevent all bad things huh? Not!

    Ranum is a smart guy, but there are very few enterprises that will ever come close to being able to define a white-list of allowable “things” throughout their environment, plus there is always the users, the administrators, and a whole set of methods to compromise them and other environmental variables.

    But if you want to go ahead and say that you can prevent all bad things from happening simply by believing it – be my guest

  3. I think MLS/TOS that provides user-centric security and is deny-by-default, and controls access to files on a per user basis, has far more chance of protecting data than network security, which is still reactive, ever will.

  4. BYW, did you read Decentralization and “Good Enough” Security by Gunnar Peterson?

    Here is what Mike Rothman said about that:

    ” He uses a decentralization vs. centralization metaphor to make the point that we are inextricably moving toward distributed data… That means the traditional, centralize and apply draconian policies of many security practitioners are no longer valid. Oh boy. If you aren’t following me, maybe this quote from the post will help: “The perimeter in an SOA is the document, not the network. The security model is defined by the security constructs in the document, not the network firewall.” That kind of screws everything up, no?…understanding the concept is critical. This is the case for why we need to separate out infrastructure security and data/information security.”

    However, we are probably 5-10 years away from a workable model that is information centric and manageable.

    A user-centric security approach is intuitive, logical and manageable, and we are doing it now. By asking who wants to ask data and what do they want to do with it, we reduce the need to focus on endpoint/device centric security somewhat. An endpoint device only has to be checked to be sure it is clean to enter the trusted network, but once on, if the user is not on the white list, he gets access to nothing, even if he changes endpoint devices 10 times.

  5. Far better chance of protecting data that is residing at rest, perhaps – but not in transit. Unfortunately once data leaves the box that is running whatever software you all are selling than none of it matters. Come on Rob you made a ridiculous comment that white-listing would prevent all bad things – give me a break.

  6. While white listing is going to become more and more the norm, no way does it prevent all bad things from happening. It will help limit bad things to those initiated by authorized personnel using authorized applications/protocols – the worst bad thankgs of all!

    -Stiennon (i before e Amrit! make it easier for me to find postings with Technorati πŸ™‚

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s