Chapter 6. Feed and Tune

You awaken to find yourself adrift on a raft in the middle of the Atlantic Ocean. The sun is blazing and you are incredibly thirsty. You look around and see that you are surrounded by cool water, but it is saltwater, not the freshwater you so desperately need. The abundance of the wrong kind of water is like the deluge of useless messages produced by untuned security alert sources such as NIDS, syslog, and application logs. Instead of useful, actionable security alerts, the lifeblood of incident response, you get a mouthful of saltwater in the form of 2 million NIDS alerts a day. An untuned security event source generates alerts irrelevant to your policies, quickly overwhelms your security monitoring staff, and crowds useful data out of your collection systems. A properly tuned data source is core to successful security monitoring, and in this chapter we'll show you how to accomplish that.

We’ve defined our policies, documented knowledge of our network, and selected targets with event sources. Now we must convert this metadata into actionable incidents by mastering detection technology. We’ll explain this central concept by first introducing a network intrusion detection framework. This framework will guide our deployment and tuning, building on the data we’ve gathered in previous chapters. We will follow that framework by showing how to use custom NetFlow queries with automated reporting to catch violation of security ...
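The kind of automated NetFlow policy check the chapter goes on to describe, shown here as an added example that is not part of the original text or the book's own code. It assumes a simplified CSV flow layout (timestamp, source, source port, destination, destination port, protocol, bytes), not real nfdump or flow-tools output; a hypothetical internal range of 10.1.0.0/16; and a hypothetical policy that internal hosts may use only two approved resolvers for DNS and only one approved relay for SMTP. The sample flow records are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed flow records in a simplified CSV layout:
# start time, src ip, src port, dst ip, dst port, protocol, bytes.
# This is a stand-in for exported NetFlow so the check runs offline; it is
# not the output format of nfdump or flow-tools.
SAMPLE_FLOWS = """\
2009-01-05T10:00:01,10.1.20.15,51234,10.1.0.53,53,udp,212
2009-01-05T10:00:02,10.1.20.15,51235,8.8.8.8,53,udp,198
2009-01-05T10:00:03,10.1.20.40,40001,203.0.113.7,25,tcp,48200
2009-01-05T10:00:04,10.1.0.53,53,10.1.20.15,51234,udp,480
2009-01-05T10:00:05,10.1.20.41,40100,10.1.0.25,25,tcp,9100
2009-01-05T10:00:06,10.1.20.40,40002,203.0.113.7,25,tcp,51000
"""

# Hypothetical network knowledge and policy (assumptions for this example).
INTERNAL = ip_network("10.1.0.0/16")
APPROVED_DNS = {ip_address("10.1.0.53"), ip_address("10.1.0.54")}
APPROVED_SMTP = {ip_address("10.1.0.25")}


@dataclass(frozen=True)
class Flow:
    start: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the simplified CSV layout above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(start, ip_address(src), int(sport), ip_address(dst),
                          int(dport), proto.lower(), int(nbytes)))
    return flows


def violations(flows):
    """Yield (policy, flow) pairs for flows that breach the policy.

    Only flows whose source is internal are examined. Server replies (such as
    the resolver answering back on port 53) are skipped on purpose: checking
    both directions would double every finding and is exactly the kind of
    noise tuning is meant to remove.
    """
    for f in flows:
        if f.src not in INTERNAL:
            continue
        if f.proto == "udp" and f.dport == 53 and f.dst not in APPROVED_DNS:
            yield "dns-not-approved-resolver", f
        if f.proto == "tcp" and f.dport == 25 and f.dst not in APPROVED_SMTP:
            yield "smtp-bypass-relay", f


def report(flows):
    """Aggregate violations per (policy, src, dst).

    One host repeatedly talking to one unapproved server becomes a single
    report line with a count, rather than one alert per flow.
    """
    counts = Counter()
    for policy, f in violations(flows):
        counts[(policy, str(f.src), str(f.dst))] += 1
    return counts


def format_report(counts):
    """Render the aggregated report as text lines, most frequent first."""
    return [f"{n:>5}  {policy:<28} {src} -> {dst}"
            for (policy, src, dst), n in counts.most_common()]


if __name__ == "__main__":
    for line in format_report(report(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

Run against the six constructed flows, the report contains two lines (one DNS violation from 10.1.20.15, two SMTP violations from 10.1.20.40 collapsed into one entry) while the legitimate resolver and relay traffic, and the resolver's reply, produce nothing. Scheduling this over each day's flow export gives the automated reporting the chapter refers to; the policy tables are what you tune.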
