Today's security tools used to analyze or detect suspicious activity, collect metadata which is usually refers to data about data to describe the how, when, where and who was involved. Metadata is a way of organizing, gluing together and discovering information that otherwise would be very difficult to manage, analyze and produce insightful reports.

It involves using a tool or a series of tools against other data to extract key components. It can be something as simple as the information stored in a picture (i.e. size, color content, resolution) or as complex as the information that can be parse out of TCP/IP traffic (i.e. source/destination addresses and ports, email address, website name, etc.). Computer forensics is another example of very complex metadata collection since it involves taking a device (USB stick, hard drive, etc.) and parsing every bit of content to be able to search and report on its content.

How much metadata is enough in security? There are a lot of tools out there either commercial or freeware that can be used to collect metadata to analyze network attack or system compromised. What is interesting is the fact there are many standards established for various disciplines but none of which seem to apply to network security. They can be viewed here.

All the tools used today to protect a network generate some form of metadata, whether it is a NIDS/NIPS, firewall, proxy, DNS server, etc., all produce data that can be aggregated into a Security Information and Event Management (SIEM). The metadata stored in a SIEM is used to yield insights into patterns of suspicious activity, produce trends and hopefully prevent or limit the damage early.

In the end, we all collect some form of metadata but is it useful or enough?

[1] http://en.wikipedia.org/wiki/Metadata_standards
[2] https://isc.sans.edu/diary/Collecting+Logs+from+Security+Devices+at+Home/14614

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu