Synopses & Reviews
Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.
In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.
You'll learn how to:
- Determine where to deploy NSM platforms, and size them for the monitored networks
- Deploy stand-alone or distributed NSM installations
- Use command line and graphical packet analysis tools, and NSM consoles
- Interpret network evidence from server-side and client-side intrusions
- Integrate threat intelligence into NSM software to identify sophisticated adversaries
There's no foolproof way to keep attackers out of your network. But when they get in, you'll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.
Synopsis
Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. The Practice of Network Security Monitoring teaches IT and security staff how to leverage powerful NSM tools and concepts to identify threats quickly and effectively. Author Richard Bejtlich is a recognized expert in NSM and shares his 15 years of incident handling experience with the reader. In addition to teaching you how to use key monitoring tools, Bejtlich demonstrates a holistic way of thinking about detecting, responding to, and containing intruders. The Practice of Network Security Monitoring assumes no prior experience with network security monitoring, and covers designing, deploying, building, and running an NSM operation. The book focuses on open source software and vendor-neutral tools, avoiding costly and inflexible solutions.
About the Author
Richard Bejtlich is Chief Security Officer at Mandiant and was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). He is a graduate of Harvard University and the United States Air Force Academy. Bejtlich's previous works include The Tao of Network Security Monitoring, Extrusion Detection, and Real Digital Forensics (all from Addison-Wesley). He writes on his blog (taosecurity.blogspot.com) and on Twitter as @taosecurity.
Table of Contents
- Dedication; Foreword; Preface; Audience; Prerequisites; A Note on Software and Protocols; Scope; Acknowledgments; Disclaimer
- Getting Started
- Chapter 1: Network Security Monitoring Rationale: 1.1 An Introduction to NSM; 1.2 A Sample NSM Test; 1.3 The Range of NSM Data; 1.4 What's the Point of All This Data?; 1.5 NSM Drawbacks; 1.6 Where Can I Buy NSM?; 1.7 Where Can I Go for Support or More Information?; 1.8 Conclusion
- Chapter 2: Collecting Network Traffic: Access, Storage, and Management: 2.1 A Sample Network for a Pilot NSM System; 2.2 IP Addresses and Network Address Translation; 2.3 Choosing the Best Place to Obtain Network Visibility; 2.4 Getting Physical Access to the Traffic; 2.5 Choosing an NSM Platform; 2.6 Ten NSM Platform Management Recommendations; 2.7 Conclusion
- Security Onion Deployment
- Chapter 3: Stand-alone NSM Deployment and Installation: 3.1 Stand-alone or Server Plus Sensors?; 3.2 Choosing How to Get SO Code onto Hardware; 3.3 Installing a Stand-alone System; 3.4 Conclusion
- Chapter 4: Distributed Deployment: 4.1 Installing an SO Server Using the SO .iso Image; 4.2 Installing an SO Sensor Using the SO .iso Image; 4.3 Building an SO Server Using PPAs; 4.4 Building an SO Sensor Using PPAs; 4.5 Conclusion
- Chapter 5: SO Platform Housekeeping: 5.1 Keeping SO Up-to-Date; 5.2 Limiting Access to SO; 5.3 Managing SO Data Storage; 5.4 Conclusion
- Tools
- Chapter 6: Command Line Packet Analysis Tools: 6.1 SO Tool Categories; 6.2 Running Tcpdump; 6.3 Using Dumpcap and Tshark; 6.4 Running Argus and the Ra Client; 6.5 Conclusion
- Chapter 7: Graphical Packet Analysis Tools: 7.1 Using Wireshark; 7.2 Using Xplico; 7.3 Examining Content with NetworkMiner; 7.4 Conclusion
- Chapter 8: NSM Consoles: 8.1 An NSM-centric Look at Network Traffic; 8.2 Using Sguil; 8.3 Using Squert; 8.4 Using Snorby; 8.5 Using ELSA; 8.6 Conclusion
- NSM in Action
- Chapter 9: NSM Operations: 9.1 The Enterprise Security Cycle; 9.2 Collection, Analysis, Escalation, and Resolution; 9.3 Remediation; 9.4 Conclusion
- Chapter 10: Server-side Compromise: 10.1 Server-side Compromise Defined; 10.2 Server-side Compromise in Action; 10.3 Exploring the Session Data; 10.4 Stepping Back; 10.5 Conclusion
- Chapter 11: Client-side Compromise: 11.1 Client-side Compromise Defined; 11.2 Client-side Compromise in Action; 11.3 Analyzing the Bro dns.log File; 11.4 Checking Destination Ports; 11.5 Examining the Command-and-Control Channel; 11.6 Conclusion
- Chapter 12: Extending SO: 12.1 Using Bro to Track Executables; 12.2 Using Bro to Extract Binaries from Traffic; 12.3 Using APT1 Intelligence; 12.4 Reporting Downloads of Malicious Binaries; 12.5 Conclusion
- Chapter 13: Proxies and Checksums: 13.1 Proxies; 13.2 Checksums; 13.3 Conclusion
- Conclusion: Cloud Computing; Workflow, Metrics, and Collaboration; Conclusion
- SO Scripts and Configuration: SO Control Scripts; SO Configuration Files; Updating SO
- Colophon; Updates