Changing Definitions of Network Security Monitoring

I first defined Network Security Monitoring in print through my contribution to the February 2003 book Hacking Exposed, 4th Edition. Prior to that I defined NSM in a December 2002 SearchSecurity Webcast. NSM probably became more recognized in my first book, where I repeated the same definition by writing "Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

I emphasized the role of indications and warning (I&W) because my Air Force intelligence background involved training specifically in that discipline. I recommend reading the last link above for additional insight into this approach.

Today, however, I reviewed some Department of Defense documentation that made me take a second look at my NSM definition. (You might say this proves I am not a slave to my prior writings. Then again, you won't ever hear me say a threat and a vulnerability are the same!)

I&W is defined as those intelligence activities intended to detect and report time-sensitive intelligence information on foreign developments that could involve a threat to the United States or allied and/or coalition military, political, or economic interests or to US citizens abroad. It includes forewarning of enemy actions or intentions; the imminence of hostilities; insurgency; nuclear/nonnuclear attack on the United States, its overseas forces, or allied and/or coalition nations; hostile reactions to US reconnaissance activities; terrorists' attacks; and other similar events. Also called I&W. See also information; intelligence.

Note the heavy emphasis on gaining intelligence on threats, namely their capabilities and intentions.

While reading a DoD document, I came across the term attack sensing and warning (AS&W), with which I was only vaguely familiar. AS&W is defined as the detection, correlation, identification and characterization of cyber attacks across a large spectrum coupled with the notification to command and decision makers so that an appropriate response can be developed. Attack sensing and warning also includes attack/intrusion related intelligence collection tasking and dissemination; limited immediate response recommendations; and limited potential impact assessments.

I have a feeling that AS&W might be derived from Army operations. A friend previously part of 1st Information Operations Command worked that unit's AS&W mission.

Looking at the AS&W definition, it seems more appropriate within the context of NSM than I&W. I haven't decided how I'll define NSM in my next book or major paper, but I will keep AS&W at the forefront of my thoughts.