NSM and Intrusion Detection Differences

We had a good discussion this morning in the #snort-gui channel on irc.freenode.net. I was on my usual soap box complaining that no commercial tools provide all of the data I need to implement Network Security Monitoring, while developers and employees of a certain well-known intrusion detection system didn't understand why their product didn't meet my needs.

Sguil author Bamm Visscher cut through the argument with a very astute summary. He basically said that IDS developers want "Immaculate Detection" while NSM practitioners want "Immaculate Collection." Bamm is exactly right. From my experience I know that no detection product is 100% accurate, and that even good alerts require investigation to see what is happening and what else might be happening. IDS developers are rightly trying to improve the quality of their products, but many people interpret their avoidance of NSM collection as a sign it isn't necessary. In other words, detection can be so good that you never need to investigate. I know some IDS developers don't agree with this misplaced notion but they argue it's too expensive to collect the sorts of data I advocate. I argue that it's too expensive (in terms of damage to the enterprise) not to collect that NSM data.

I think we will see commercial solutions during the next 1-3 years that will give me the NSM data I need to detect and respond to intrusions. Already network forensic appliance vendors are publishing APIs that can be called by IDS/IPS/SIM/SEM/SIEM/etc. products for access to network traffic collected independently of any alerting mechanism. This is a great development and I can't wait to see this sort of arrangement in production.