network monitoring (nmedia/

National Guard team builds open-source cyber toolkit

When the Missouri National Guard Cyber Team was called in to respond to security incidents, it used to take two days to collect information from compromised servers. 

To get better insight into attempted breaches and overall network health faster, the team built the Response Operation Collect Kit for Network Service Monitoring, a  scalable and secure open source sensor platform  that makes network monitoring more automated and easier to navigate.

RockNSM combines several open source tools in a single platform. The combination of tools allows the Missouri National Guard Cyber Team to set up their data collection for security monitoring and incident response in 20 minutes.

Part of the appeal of RockNSM is the ability to collect information on networks without needing administrative access to sensitive networks.

“If you have to run vulnerability scans or try to do things that systems aren’t designed for, those systems can crash and it could be significant because the network could stop running,” Derek Ditch, RockNSM founder and core developer and Missouri National Guard Cyber Team member, told GCN.   “Using [the] RockNSM approach, we can plug in at the network switch or use a network tap, which provides a one-way layer that data can come into our equipment but we can’t impact the network.”

For sensitive networks on hydro-electric dams or military aircraft and ships, Ditch said it makes more sense to use the network tap to detect malicious traffic. 

Since RockNSM launched in 2015, Ditch and his team have added new features that make it scalable and better able to provide analytics. The platform is generating interest from the Air Force and the Navy who want to incorporate the solution into their cyber protection teams.

“By the nature of creating a new open source platform, anyone has the ability to take the main project and add value for their specific missions,” Ditch said. 

In the upcoming 3.0 version of the platform, the Air Force is contributing code to make RockNSM more of turnkey solution so it can be deployed faster.

“The latest version will be container based, which allows us to scale the platform,” Ditch said.  “We want to provide an environment where analysts can be able to jump and look at the data with the flexibility to change the visualizations to suit mission needs.”

Editor's note: This article was changed May 14 to correct reference to a network tab to network tap. 

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected