Monitoring your network can be a seriously unpleasant task. It involves everything from maintaining firewall rules, watching traffic, looking for problems, keeping track of the latest issues on the Internet, checking log data on the dashboard, correlating events—oh dear God, it keeps going!
So, what do you do? Do you use a myriad of tools, stitch them together with some scripting, document the process, and pray it never falls apart? Do you buy an expensive network security appliance from a vendor whose customer service skills leave much to be desired, and whose threat intelligence is based solely on Reddit.com/r/blackhat?
Admittedly, these reflect the worst possible scenarios, but the question is still valid: Which is best? Buying a network security appliance, designing your own, using a pre-built virtual machine, or something else?
There are plenty of choices. Security Onion, a Linux distribution for intrusion detection maintained by Doug Burks, has an amazingly complete set of tools, ranging from Snort, to Bro, OSSEC, OSSIM, and a whole host of others. It can perform full packet capture, analysis, intrusion detection, and event correlation, just to name a few. Security Onion isn't really made for a huge enterprise, and it might be a little complex to run for a smaller company, but it's a great place to start (and it's free!). A midsize company can download the ISO file and load it on a virtual machine.
On the other end of the spectrum, there are companies like Sophos, which bought Astaro a few years ago. The appliances from the resulting Astaro-Sophos combination are beautiful: simply plug them in and use cloud-based monitoring and threat intelligence feeds. Though many of the appliances cost thousands of dollars, you can download the community edition for free and use it as a VM.
Wait! There's more. Loggly will look at your logs, Packetloop will examine full packet captures, and boy, there are still even more. There's Custodiet, an open source framework project to build virtual machines, threat intelligence feeds, and marketing materials, so a single consultant can become a full-fledged managed security services provider. This open source framework allows anyone to become an MSSP and service clients with firewalls, VPN connections, and threat intelligence.
The world of network security appliances is vast. Which appliance is the best choice? Well, that depends. Do you have more money than you have time? Pick an appliance, then. Plenty of smart people, but no money to spare? Then DIY or using a pre-built framework may be your best bet. Sometimes it's appropriate to use a combination of existing tools, and sometimes you should just buy a box. What factors lead to which selection? Compliance? Security? Checking boxes? Scaling to meet the need? Expandability of features? Sometimes it's all of them.
Start with the first maxim of network monitoring: Know what you want to monitor! Are you looking to monitor outgoing network connections as well as inbound? Do you have a high threat/risk matrix? Are you worried about data loss? Do you want to monitor all files and their attributes to make sure nobody changes anything? How important is event correlation?
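One of those questions, monitoring all files and their attributes so that nobody changes anything unnoticed, is what a file integrity monitor such as the OSSEC component bundled with Security Onion does. As an added illustration (not code from this post, from Security Onion, or from OSSEC), the Python below baselines a directory tree, recording a SHA-256 of each file's content together with its permission bits, owner and size, and then reports additions, removals and attribute or content changes against that baseline. The directory layout and file contents built in `demo()` are constructed for the example.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record a content hash and the security-relevant attributes of every
    regular file under root, keyed by path relative to root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks; only regular files are baselined.
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),  # permission bits only
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
        }
    return baseline


def diff_snapshots(before, after):
    """Compare two snapshots and return (relative_path, change) tuples,
    where change is 'added', 'removed' or 'modified:<attributes>'."""
    changes = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes.append((rel, "added"))
        elif rel not in after:
            changes.append((rel, "removed"))
        else:
            changed = [k for k in before[rel] if before[rel][k] != after[rel][k]]
            if changed:
                changes.append((rel, "modified:" + ",".join(changed)))
    return changes


def demo():
    """Constructed scenario: baseline a small fake /etc, alter it in four
    different ways, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "hosts").chmod(0o644)
        (etc / "motd").write_text("welcome\n")
        before = snapshot(root)

        # Constructed changes: content edit, permission change, deletion, new file.
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\n"
            "newuser:x:1001:1001::/home/newuser:/bin/sh\n"
        )
        (etc / "hosts").chmod(0o666)
        (etc / "motd").unlink()
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for rel, change in demo():
        print(f"{change:24s} {rel}")
```

Running the script prints one line per change. In practice the baseline would be stored somewhere the monitored host cannot rewrite it, and the comparison scheduled or triggered by inotify; the point of the exercise is that you have to decide up front which trees, which attributes and which change types matter, which is exactly the scoping question the paragraph above asks.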
It's essential to plan out all the risks, threats, and assets you have, and determine what you need to monitor before you buy or build anything. Scoping out the needs will narrow down the field of competitors faster than anything else. (Well, budget is also a pretty fast winnower of products, but we're just talking about technical issues right now.)
If you don't plan, you don't win.
Disclaimer: The author used Security Onion, has used Sophos boxes, and is a member of the Custodiet team.