Friday, May 11, 2007

The Security Monitoring Five

When discussing security monitoring or architecting solutions, I base everything on how it fits into this five-pronged approach. That makes it easier to see how everything ties together and how each piece benefits the overall solution (which is hopefully to detect, respond to and resolve incidents). It has been a while since I have blogged, and mostly I do it to remember ideas, sites or particular steps I took to implement something. This post, however, lays out a framework that future posts on security monitoring will fit into.

So what are the "Security Monitoring Five"?

NSM - Your network collection sensors, for IDS alerts, flow data, full content, and statistical data. Snort, Argus, and Tshark are some of the tools I prefer to use here. I initially learned NSM techniques and principles from using Sguil and from its supporters and maintainers.

HIDS - The individual agents on hosts that monitor for file changes, additions, rootkits, etc. Agents such as OSSEC and Samhain fit the bill.

Network Awareness - Encompasses various utilities and software packages that notice changes or vulnerabilities in your environment. Packages such as Nessus, nmap, and home-grown analysis take shape in this region. This is where you can build some logic across the various outputs, for instance to spot trends and anomalies.

Log Analysis - "Real-time" analysis of your syslog, event log, or application logs. SEC is a popular and flexible choice.

Event Management - Some call it a SIM, others call it event management. It basically encompasses a central point for correlation, alerting, reporting, etc. An open source package that I continue to be impressed with, and which will receive plenty of posts here, is Prelude, a so-called meta-IDS.
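As an added example (not code from the original post), here is the kind of windowed threshold correlation that a SEC SingleWithThreshold rule expresses, written in Python and run over constructed sshd syslog lines; the hostnames, source addresses and the year used for the timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the original post).
SAMPLE_LOG = """\
May 11 10:00:01 gw sshd[2201]: Failed password for root from 203.0.113.9 port 5100 ssh2
May 11 10:00:03 gw sshd[2202]: Failed password for invalid user admin from 203.0.113.9 port 5101 ssh2
May 11 10:00:07 gw sshd[2203]: Failed password for root from 203.0.113.9 port 5102 ssh2
May 11 10:00:09 gw sshd[2204]: Accepted publickey for alice from 198.51.100.4 port 5200 ssh2
May 11 10:00:12 gw sshd[2205]: Failed password for root from 203.0.113.9 port 5103 ssh2
May 11 10:00:15 gw sshd[2206]: Failed password for root from 203.0.113.9 port 5104 ssh2
May 11 10:02:30 gw sshd[2207]: Failed password for root from 198.51.100.77 port 5300 ssh2
"""

# Matches only the failed-login events; captures timestamp, user and source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(ts: str, year: int = 2007) -> datetime:
    # Classic syslog timestamps carry no year; the year is an assumption here.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def correlate(lines, window=60, thresh=5):
    """Return (src, count, time) once `thresh` failures from one source
    fall inside `window` seconds, mirroring SEC's SingleWithThreshold."""
    hits = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event this rule cares about
        t, src = parse_ts(m["ts"]), m["src"]
        q = hits[src]
        q.append(t)
        while (t - q[0]).total_seconds() > window:
            q.popleft()  # expire failures older than the window
        if len(q) >= thresh:
            alerts.append((src, len(q), t))
            q.clear()  # fire once per window, then start counting afresh
    return alerts
```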
