NetWitness Community

huanzhou1 · ‎2014-03-17

Hi Guys,

We took the exam for SA SE Pro, this question i out of idea as i cannot find anything in the documents:

I would choose Log based analysis as it contains least data. What you guys think? Thanks.

- Which has the least amount of context

-log based analysis

-visualization analysis

-packet based analysis

-session based analysis

RSAAdmin · ‎2014-03-17

I think its packet.

Anonymous · ‎2014-03-18

I agree with Fielder.

Reason being:

You see 4 options there of course, but two of them are very similar, that being session and packet. A session if I were to define it in SA is a stream of packets. The session will give you a lot of context but one packet might now give you anything. One Syn packet is not going to give you nearly as much context as the session of a handshake. In terms of context I would go Log, session, visualization, packet.

Of course the most context is a correlate log and packet session capture

huanzhou1 · ‎2014-03-18

but even a sync packet, it also contains lots of information, for log, only one single line

Anonymous · ‎2014-03-18

That is the difference, "Context" and "Information". Information is great but if you have no context it is almost useless. So in a log, you have a ton of context, because you can normally correlate it back to your own company. In a single packet, context is almost nothing, you might know what the source IP or dest IP is. But other than that, your context is very low but information is high.

At least in my company even though I show them the packet data, I better have some log data also to prove that user x did it.

huanzhou1 · ‎2014-03-18

Thanks for the clarification, i think you're correct. anyway we don't know what's the actual answer is. maybe someone from RSA training center can help to answer.

Anonymous · ‎2014-03-18

Yeah, I think from a security perspective packets are the way to go but those darn audits always seem to think not.

RSAAdmin · ‎2014-03-18

I've been meaning to write a blog or something on a concept I call the "Inverted Pyramid of Mr. Magoo."

Magoo was the blind cartoon character who was always supremely confident in his actions, while it was apparent to everyone else he had no idea what he was doing because of his blindness.

Imagine a pyramid, inverted, ranging from least visibility at the bottom to the most on the top.

At the bottom, you have a logs only solution. Logs are typically from binary systems- they only report on things that were blocked or passed, and they give you no visibility into what is really going on within the network.

Next up you have logs and some packet correlation, using an IDS or some limited capture system to help provide context around predefined signatures or alerts.

Next up the pyramid you have a full packet capture solution. Now you are almost godlike in visibility on the network.

Finally at the top you have a blended logs and full packet capture solution. Your vision is godlike and you can also see deeply into the endpoints to corroborate what you are seeing on the network.

That's the pyramid.

However, if instead of starting with log solution, I only had an IDS? That's way worse in my opinion. That would be Mr. Magoo wearing dark sunglasses.

NetWitness Community

question on the analysis context