This is part three of a series of posts that contain key excerpts of my paper, Using Sysmon to Enrich Security Onion’s Host-Level Capabilities.
As NSM practitioners become blind to the majority of the traffic entering and exiting their networks and require the ability to generate quality indicators in both the network and host space, there needs to be a shift to include more than just network-centric data in detection and response strategies. Hosts on the network can be an extremely rich repository of data that can be extracted and used in detection and response in conjunction with NSM data. In essence, this is applying the same type of NSM mindset to host-level data. In fact, this concept has been coined “Enterprise Security Monitoring” by David Bianco. (Bianco, Enterprise Security Monitoring, 2013) ESM integrates intelligence-driven CND principles. As such, a notable point of ESM is the ability to locate relevant indicators pertinent to where an intrusion might be in relation to the kill chain. Because these indicators span both the network and host, there is a need to be able to have access to both categories of data.
Though many tools can generate both NSM and host data, the confounding issues typically revolve around how to efficiently collect the data and present it in a way that makes it usable for alerting, analysis and decision-making. This is where Security Onion brings it all together.
Bianco, D. (2013, September 14). Enterprise Security Monitoring. Retrieved February 12, 2015, from speakerdeck.com: https://speakerdeck.com/davidjbianco/enterprise-security-monitoring