Task 819 and 818 - 2 pages total
Task 818 - 1 page
Instructions: Use examples from the readings, or from your own research, to support your views, as appropriate. Encouraged to conduct research and use other sources to support your answers. Be sure to list your references at the end. References must be in APA citation format. A minimum of 250-300 words.
Distinguish between alert data (including generation tools) and previously covered NSM monitoring (including collection tools)
Number of Pages: 1 Page
APA referencing
Task 819 - writing responses
Part 1: 150 words
Add additional insight opinions or challenge opinions and you can visit a couple of the web sites contributed and share your opinion of these sites. Minimum of 150 words for each.
1) It is very important that the Information Technology and Security professionals are able to capture and use all available Network Security Monitoring (NSM) data sources at their disposal. This critical information is paramount for them to troubleshoot the network, reduce vulnerabilities to prevent Cyber attacks, stop attacks in progress, and conduct the post attack forensic review. Last week we spoke about the importance of full content, session, and statistical data. Statistical data types can provide a historical timeline of network events (statistical) to see if there have been a deviation from the baseline traffic patterns. Session data will reveal high level information (IP addresses, ports/protocols, timestamps, and the quantity of data transferred) about one specific communication event on the network. Full content data is a complete capture of network traffic down to the application bit level. While those three data types are different they have one commonality associated to them in that they require a manual action to view, analyze, and act upon.
On the other side of the NSM data spectrum is alert data. Bejtlich (2004) defines it as information that is generated by automated network security appliances and software based upon complex algorithms and pre-programmed notification settings. While full content, session, and statistical data is more passive in nature the alert data can be considered active in that it is created and sent in real-time as network security events are occurring. There are three very popular information security systems that create alert data; Firewalls, Layer 3 Routers, and Intrusion Detection and Prevention Systems (IDS/IPS). All three can generate alerts automatically and notify the IT security specialists when there is a security breach attempt to the network, abnormal traffic patterns, bandwidth threshold triggers, or anomalous traffic behavior. These alerts are used to actively notify the system administrators or operators by various mediums; Short Messaging Service (SMS), cell phone apps, emails, or through a network management system Like Cisco Prime or Solarwinds Orion via Simple Network Management Protocol (SNMP) trap. Next generation platforms can combine alert data to give a more holistic view on what is occurring with the network. At the end of the day all of these data types are critical to securing an information system, but the active data will keep the team proactive in stopping attacks, issues, and vulnerabilities.
Part 2: 150 Words
2) Alert data is the information that is generated when there is an indication of an intrusion of or malicious activity on the network. Alert data differs from network security monitoring in a couple ways: in the way the captured data is classified and in the way an intrusion is actioned. With network security monitoring tools (such as TCPDump and Wireshark), the determination of whether the information contained in the full content, session, or statistical data is classified as normal, suspicious, or malicious and how to action the information is the responsibility of the analyst and relies on his or her discretion. For example, if an analyst reviews a session data capture that contains an extraordinary amount of traffic going to a specific website, he or she may flag it as unusual and escalate it to the next appropriate authority. On the other hand, alert data tools are preprogrammed to draw judgment based on the traffic being inspected. The detection engine uses a set of parameters and policies to determine what data warrants an alert to be sent and what should happen (i.e. automatically sending an email to the next appropriate authority). Once an alert data tool makes a judgment about the data, it becomes an alert generation application.
Bejtlich (2005) wrote that “IDSs are the primary means of generating alert data for security incidents (p. 285). Network based IDSs (NIDS) come in two flavors: signature based and anomaly based. Signature based NIDS monitor traffic for suspicious patterns or signatures of know intrusion patterns. Anomaly based NIDS uses a baseline of the system and monitors for any unusual changes. Some popular NIDS include Snort, Bro IDS, and Suricata. Another tool used is Sguil (pronounced squeal). Sguil is a set of open source software that uses a GUI to access real-time events. It includes other components which facilitate the practice of Network Security Monitoring (NSM) and event driven analysis of IDS alerts.
Academic Level: College
Paper Format: APA
8 years ago
10
Purchase the answer to view it

- alertdata.docx
- I need this assignment, however, i need a plagiarism free document that has not been sold before. Decide upon an initiative...
- Development of a plan will require more resources and time than we have available in this class. However, I would like to see your attempt at a skeletal structure for a small corporation (500 employees), located in Billings, Montana. They produce a chemic
- Military History Part I
- < Strayer MAT 540 Quantitative Methods Mid term Exam >
- HCA Holdings
- personal statement for graduate school
- Equity value project
- 2 Page Essay
- I am looking for help with a comprehensive problem for accounting 510 at Davenport!
- Elderly in Prison