Understanding NSM Tools and Data

Question 1

Session Data

Answer 1

• Summary data of network conversations.
• Who talked with whom and when.
• Examining session data is similar to a detective examining a phone bill.
• Session Data is based on IP 5-tuple.

Question 2

Full Packet Capture

Answer 2

• Records all Network Traffic; packet by packet at specific network locations.
• Data is written to disk, commonly in PCAP format.
• Examining Full packer captures is similar to a detective reviewing a wiretap information.
• Details exactly what was communicated.
• Also known as full content data

Question 3

Transaction Data

Answer 3

• Transaction Data lies between session data and full packet capture.
• Captures The Details that are associated with requests and responses.

Question 4

Alert Data

Answer 4

• Typically produced by IPS Systems.
• Alerts are generated when certain traffic matches certain conditions for which the IPS is configured to respond.
• Alert data highly depends on how well the IPS is tuned.
• Even well tuned IPS will generate false positives
• Alerts are automated judgment calls made by an engineered tool.

Question 5

Statistical Data

Answer 5

• NSM data collected over time, the data can be processed to produce statistical data.
• Statistical data collected over time produces baselines. Baselines define what is normal. Baselines should be collected long enough intervals to include deviations.

Question 6

Metadata

Answer 6

• Metadata is Data about data.
• can be used to augment the NSM data that the SOC directly collects.
• Geolocation data, reputation scores, and ownership of IP addresses.