CHAPTER 9 Monitoring Enclaves

within a database rather than as log files. These events must be retrieved, either directly (by authenticating to Windows and querying the event database) or indirectly (via a software agent such as Snare, which retrieves the events locally and then transmits them via standard syslog).

Direct Monitoring

Direct monitoring refers to the use of a probe or other device to examine network traffic or hosts directly. Direct monitoring is especially useful when the system being monitored does not produce logs natively (as is the case with many industrial network assets, such as RTUs, PLCs, and IEDs). It is also useful as an independent verification of the activity reported by logs, because log files on a compromised host can be altered deliberately to hide evidence of malicious activity, whereas a probe's record of the same traffic is kept off that host. Common monitoring devices include firewalls, Intrusion Detection Systems (IDSs), Database Activity Monitors (DAMs), application monitors, and network probes. These are available commercially as software or appliances, or as open source distributions such as Snort (an IDS, www.snort.org), Wireshark (a network sniffer and traffic analyzer, www.wireshark.org), and the wireless sniffer Kismet (www.kismetwireless.net).

Network monitoring devices often produce logs of their own, which are then collected for analysis along with the other logs. Because these logs are produced without any direct interaction with the system being monitored, network monitoring devices are sometimes referred to as "passive logging" devices. Database Activity Monitors, for example, observe database traffic on the network, typically from a span port or network tap. The DAM decodes the network packets and extracts the relevant SQL transactions in order to produce logs. There is no need to enable logging on the database itself, and as a result there is no performance impact on the database servers. The trade-off is visibility: a DAM sees only the traffic that crosses the span port or tap it is attached to, and it can extract SQL from an encrypted client connection only if it is given the means to decrypt that session.
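The following is an added example (not code from the book) of the passive-logging idea just described, applied to the kind of asset the chapter is concerned with: a probe on a span port or tap decodes an industrial protocol request frame and emits a syslog-style event, so a PLC or RTU that cannot log for itself still produces a record. Modbus/TCP is an assumed choice of protocol (the text names none), the facility/severity mapping and the "modbus-probe" host tag are the example's own conventions, and the captured frames are constructed, including one deliberately malformed frame to show that a parse failure is logged rather than dropped.

```python
"""Passive "logging" of an industrial protocol: decode Modbus/TCP requests
captured from a SPAN port or network tap and emit syslog-style events,
without enabling or installing anything on the PLC/RTU itself.

Added example, not code from the book. Modbus/TCP is an assumed protocol
(the text names none) and the captured frames below are constructed.
"""
import struct
from datetime import datetime

# Public Modbus function codes of interest (Modbus Application Protocol spec).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}   # writes change process state: log them louder
LOCAL0 = 16                    # syslog facility chosen for the emitted events


def decode_modbus_tcp(payload: bytes) -> dict:
    """Decode one Modbus/TCP request (MBAP header + PDU) from a TCP payload.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2), unit id (1).
    PDU:  function code (1) followed by function-specific fields.
    Raises ValueError on malformed input so the caller can log the failure
    rather than silently dropping the frame.
    """
    if len(payload) < 8:
        raise ValueError("short MBAP header")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"not Modbus (protocol id {pid})")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match payload")
    fc, data = payload[7], payload[8:]
    if len(data) < 4:
        raise ValueError("truncated PDU")
    event = {"tid": tid, "unit": unit, "fc": fc,
             "name": FUNCTION_NAMES.get(fc, "Unknown"),
             "write": fc in WRITE_CODES}
    if fc in (1, 2, 3, 4):                  # read: start address, quantity
        event["addr"], event["qty"] = struct.unpack(">HH", data[:4])
    elif fc in (5, 6):                      # single write: address, value
        event["addr"], event["value"] = struct.unpack(">HH", data[:4])
    elif fc in (15, 16):                    # multiple write: addr, qty, byte count, values
        if len(data) < 5:
            raise ValueError("truncated write-multiple PDU")
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        expected = 2 * qty if fc == 16 else (qty + 7) // 8
        if nbytes != expected or len(data) < 5 + nbytes:
            raise ValueError("write-multiple byte count mismatch")
        event["addr"], event["qty"] = addr, qty
        event["values"] = data[5:5 + nbytes].hex()
    return event


def _stamp(ts: datetime) -> str:
    """RFC 3164-style timestamp: 'Mmm dd hh:mm:ss' with a space-padded day."""
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"


def syslog_line(ts: datetime, src: str, dst: str, event: dict) -> str:
    """Render one decoded request as an RFC 3164-style line (<PRI>TIMESTAMP HOST TAG: MSG)."""
    severity = 4 if event["write"] else 5   # warning for writes, notice for reads
    pri = LOCAL0 * 8 + severity
    fields = " ".join(f"{k}={v}" for k, v in event.items() if k not in ("name", "write"))
    return f"<{pri}>{_stamp(ts)} modbus-probe {src}->{dst} {event['name']}: {fields}"


def monitor(frames, ts: datetime) -> list:
    """Passively turn captured (src, dst, payload) tuples into syslog lines.
    Parse failures are logged at severity error: a malformed frame on a
    control network is itself something an analyst wants to see."""
    lines = []
    for src, dst, payload in frames:
        try:
            lines.append(syslog_line(ts, src, dst, decode_modbus_tcp(payload)))
        except ValueError as exc:
            lines.append(f"<{LOCAL0 * 8 + 3}>{_stamp(ts)} modbus-probe {src}->{dst} "
                         f"parse-error: {exc} raw={payload.hex()}")
    return lines


# Constructed capture: an HMI (10.0.0.5) talking to a PLC (10.0.0.20), plus one
# bad frame from another host. Hex is grouped MBAP | fc | PDU fields.
CAPTURE = [
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),                 # read 10 holding regs
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),                 # write reg 0x10 := 1
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("0003 0000 000b 01 10 0020 0002 04 1234 5678")),    # write 2 regs at 0x20
    ("10.0.0.9", "10.0.0.20", bytes.fromhex("0004 0000 0009 01 03 0000")),                      # MBAP length lies
]
CAPTURE_TIME = datetime(2024, 1, 15, 9, 30, 0)   # constructed timestamp for the capture

if __name__ == "__main__":
    for line in monitor(CAPTURE, CAPTURE_TIME):
        print(line)
```

Run stand-alone, the block prints one syslog line per frame; the write requests come out at warning severity (PRI 132) and the malformed frame as a parse-error event (PRI 131). In a real deployment the frames would come from a packet capture on the span port rather than a constructed list, and the lines would be forwarded to the same collector as the other enclave logs.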
In industrial networks, it is similarly possible to monitor industrial protocol use on the network, providing "passive logging" for those industrial control assets that do not support logging. Passive monitoring is especially important in these networks, as many industrial protocols operate in real time and are highly susceptible to network latency. This is one reason why it is difficult to deploy logging agents on the devices themselves (which would also complicate asset testing policies), making passive network logging an ideal solution.

In some instances, the device may use a proprietary log format or event streaming protocol that must be handled specially. For example, Cisco's Security Device Event Exchange protocol (SDEE), used by most Cisco IPS products, requires a username and password in order to authenticate with the security device so that events can be retrieved on demand and/or "pushed" via a subscription model. While the end result is the same, it is important to understand that syslog is not absolutely ubiquitous.

Inferred Monitoring

Inferred monitoring refers to situations where one system is monitored in order to infer information about another system. For example, many applications connect to