Network Inspection Plane
SOC Integration with NIP
- Security Operations Centers (SOCs) observe security events in real time
- SOCs can be integrated with the NIP to make security event data accessible to the responsible internet
- Security events can be used to derive Autonomous System (AS) features that influence routing decisions
NIP Augmentations
- The Network Inspection Plane (NIP) exposes a wealth of network information through an API
- This information can be used to augment network security data, for example to:
- Discover certificate information
- Enumerate open ports/services (see example below)
- Identify hosts through FQDNs and other names
- Augmentations improve the interpretability of security events and benefit security analyses
Integration example
- Below is an example integration of the NIP in which Suricata alert data is augmented in Security Onion with NIP information on open ports
- Data from the NIP confirms that the contacted port is indeed open, adding confidence to the analysis
- Moreover, the NIP data shows that port 22 (SSH) is also open on the contacted host, which goes against the common recommendation not to expose the SSH service at all, or at least to run it on a non-standard port
- NIP augmentations enable new hypotheses and open up new angles for investigations
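The augmentation described above (open-port enrichment of a Suricata alert, confirming the contacted port and surfacing the exposed SSH service), written out as an added example. This is not code from the NIP project, Suricata or Security Onion. The NIP API response format is an assumption: a constructed in-memory table stands in for the NIP lookup, and the EVE JSON alert lines are constructed sample input. It also goes one step beyond the text by handling the case where the NIP reports the contacted port as closed, which is itself a lead for the analyst.

```python
"""Enrich a Suricata EVE alert with open-port data from a NIP-style lookup.

Added example; not code from the NIP project, Suricata or Security Onion.
The NIP lookup is an assumption: NIP_OPEN_PORTS is a constructed stand-in
for what a real NIP API query for a destination IP would return.
"""
import json

# Constructed Suricata EVE JSON alert (one eve.json line), not real data.
SAMPLE_EVE_ALERT = json.dumps({
    "timestamp": "2024-05-01T10:15:42.000000+0000",
    "event_type": "alert",
    "src_ip": "198.51.100.23",
    "src_port": 51234,
    "dest_ip": "203.0.113.10",
    "dest_port": 443,
    "proto": "TCP",
    "alert": {"signature": "ET POLICY Example outbound connection", "severity": 2},
})

# Constructed alert to a host the NIP has no data on.
SAMPLE_EVE_ALERT_UNKNOWN_HOST = json.dumps({
    "event_type": "alert", "dest_ip": "192.0.2.1", "dest_port": 80,
})

# Constructed alert where the contacted port is NOT open per the NIP.
SAMPLE_EVE_ALERT_CLOSED_PORT = json.dumps({
    "event_type": "alert", "dest_ip": "203.0.113.11", "dest_port": 8080,
})

# Constructed stand-in for the NIP open-port lookup: ip -> {port: service}.
# Assumption: a real NIP API answers a per-IP query with equivalent data.
NIP_OPEN_PORTS = {
    "203.0.113.10": {22: "ssh", 80: "http", 443: "https"},
    "203.0.113.11": {443: "https"},
}

# Exposed services worth surfacing to the analyst; 22/SSH is the case from the text.
NOTEWORTHY_PORTS = {22: "SSH exposed on standard port"}


def lookup_open_ports(ip, source=NIP_OPEN_PORTS):
    """Return {port: service} for ip, or None when the NIP has no data on it."""
    return source.get(ip)


def augment_alert(eve_line, source=NIP_OPEN_PORTS):
    """Parse one EVE line and, for alerts, attach NIP open-port context under 'nip'."""
    event = json.loads(eve_line)
    if event.get("event_type") != "alert":
        return event  # flows, dns, etc. pass through unchanged

    dest_ip = event["dest_ip"]
    dest_port = int(event["dest_port"])
    open_ports = lookup_open_ports(dest_ip, source)

    nip = {"queried_ip": dest_ip, "data_available": open_ports is not None, "findings": []}
    if open_ports is not None:
        # Confirmation: does the NIP agree that the contacted port is open?
        nip["contacted_port_open"] = dest_port in open_ports
        nip["open_ports"] = sorted(open_ports)
        if not nip["contacted_port_open"]:
            # New hypothesis: the traffic may be a probe, or the NIP data may be stale.
            nip["findings"].append(
                f"contacted port {dest_port} not open per NIP: possible probe or stale data"
            )
        # New angle: other exposed services on the same host.
        nip["findings"].extend(
            f"{NOTEWORTHY_PORTS[p]} ({p}/{open_ports[p]})"
            for p in sorted(open_ports)
            if p in NOTEWORTHY_PORTS and p != dest_port
        )
    event["nip"] = nip
    return event


if __name__ == "__main__":
    for line in (SAMPLE_EVE_ALERT, SAMPLE_EVE_ALERT_UNKNOWN_HOST, SAMPLE_EVE_ALERT_CLOSED_PORT):
        print(json.dumps(augment_alert(line)["nip"], indent=2))
```

In a real deployment the `nip` object would be written back into the Elasticsearch document for the alert so that it appears alongside the Suricata fields in Security Onion; the `findings` list is what an analyst would pivot on.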
