
Book Review: The Practice of Network Security Monitoring

samzenpus posted 1 year,6 days | from the read-all-about-it dept.


benrothke writes "It has been about 8 years since my friend Richard Bejtlich's (note, that was a full disclosure 'my friend') last book, Extrusion Detection: Security Monitoring for Internal Intrusions, came out. That and his other two books were heavy on technical analysis and real-world solutions. Some titles only start to cover ground after about 80 pages of introduction. With this highly informative and actionable book, you are already reviewing tcpdump output at page 16. In The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Bejtlich takes the approach that your network will be attacked and breached. He observes that a critical part of your security posture must be network security monitoring (NSM), which is the collection and analysis of data to help you detect and respond to intrusions." Read below for the rest of Ben's review.

In this book, Bejtlich details how to design an NSM program from its inception. Being a big open source proponent, he lists no proprietary tools and myriad open source solutions. The book is designed for system and security administrators, CIRT managers and analysts with a strong background in understanding threats, vulnerabilities and security log interpretation.

The book is about the inevitable, that attackers will get inside your network. While it's foreseeable they will get in, it's not inevitable that you have to be caught off-guard. For those who are serious about securing their network, this is an invaluable book that provides a unique and very workable model to create a fully-functioning NSM infrastructure.

The book is a hands-on guide to installing and configuring NSM tools. The reader who is comfortable using tools such as Wireshark, Nmap and the like will be quite at home here.

This is a book about how not to be surprised. Its 13 chapters detail how to create and manage an NSM program, what to look for, and the myriad tools to use in the process.

As detailed in the preface, the focus of the book is not on the planning and defense phases of the security cycle (hopefully those are already in place in your organization) but on the actions to take when handling systems that are already compromised or on the verge of being compromised.

In chapter 1, the book details the difference between continuous monitoring (CM) and NSM, since the terms are similar and many people confuse the two. CM is big in the federal computing space, and NIST provides an overview and definition of it here. The book notes that CM has almost nothing to do with NSM or even with trying to detect and respond to intrusions. NSM is threat-centric, meaning adversaries are the subject of the NSM operation, while CM is vulnerability-centric, focusing on configuration and software weaknesses.

Also in chapter 1, Bejtlich asks the important question: is NSM legal? He writes that there is no easy answer to that question, and anyone using or deploying an NSM solution should first consult with their legal counsel so as not to potentially violate the US Wiretap Act and other laws and regulations. This is especially true for those in European Union (EU) countries, as the EU places a high threshold on information security teams who want to monitor network traffic. Something as simple as running Wireshark on a corporate network in the US would require court approval if done on an EU-based network.

One of the main NSM tools the book references and details is Security Onion (SO). SO is a Linux distro for IDS and NSM. It's based on Ubuntu, and the distro contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other useful security tools.

The book details and explains how to use these tools in an NSM environment. An important point Bejtlich makes in chapter 9 regarding the tools is that analysts need tools to find intruders, but methodology is more important than software tools alone. Tools collect and interpret data, but methodology provides the conceptual model. He explains that CIRT analysts must understand how to use tools to achieve a particular goal, but it is imperative to start with a good operational model first, and then select tools to provide data supporting that model.
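To make the threat-centric point from chapter 1 and the model-before-tools point above concrete, here is an added example (not from the book, the review, or Security Onion): a small analysis over constructed Bro-style conn.log records that asks "which home host is contacting the same outside endpoint on a regular schedule?" The reduced field layout, the HOME_NETS value, the sample timestamps and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample in a Bro conn.log-like TSV layout. Fields:
# ts orig_h orig_p resp_h resp_p proto duration orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1378900000.000\t10.0.0.5\t49152\t203.0.113.7\t443\ttcp\t0.20\t410\t1200
1378900060.100\t10.0.0.5\t49153\t203.0.113.7\t443\ttcp\t0.18\t412\t1180
1378900120.050\t10.0.0.5\t49154\t203.0.113.7\t443\ttcp\t0.21\t409\t1210
1378900179.900\t10.0.0.5\t49155\t203.0.113.7\t443\ttcp\t0.19\t411\t1190
1378900240.020\t10.0.0.5\t49156\t203.0.113.7\t443\ttcp\t0.20\t410\t1200
1378900003.000\t10.0.0.9\t50000\t198.51.100.2\t80\ttcp\t1.50\t900\t45000
1378900400.000\t10.0.0.9\t50001\t198.51.100.2\t80\ttcp\t0.90\t850\t30000
1378901000.000\t10.0.0.9\t50002\t198.51.100.2\t80\ttcp\t2.10\t910\t52000
"""
# Assumed home networks (the idea behind Bro's Site::local_nets); constructed here.
HOME_NETS = [ip_network("10.0.0.0/8")]

def is_home(addr):
    a = ip_address(addr)
    return any(a in net for net in HOME_NETS)

def parse_conn_log(text):
    """Turn TSV records into dicts; Bro-style '#' header lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({"ts": float(f[0]), "orig_h": f[1], "resp_h": f[3], "resp_p": int(f[4])})
    return rows

def find_beacons(rows, min_conns=4, max_jitter=0.10):
    """Flag (orig_h, resp_h, resp_p, mean_gap) where a home host reaches the same
    outside endpoint at near-regular intervals: a low coefficient of variation
    of the gaps between connections is the 'who is phoning home?' signal."""
    flows = defaultdict(list)
    for r in rows:
        if is_home(r["orig_h"]) and not is_home(r["resp_h"]):
            flows[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg, 1)))
    return hits
```

The model (periodic outbound contact from a home host) is decided first; the conn.log is simply the data source that supports it, and the same question could be asked of Sguil or ELSA output.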

The book has a short discussion of how cloud computing affects NSM. In a nutshell, the cloud throws a monkey wrench into an NSM effort. For example, NSM is generally not an option for SaaS offerings, since customers are limited to whatever back-end logs the provider makes available.

The book closes with the observation that NSM is not just about all the tools the author spent over 300 pages discussing; rather, it is more about workflows, metrics and collaboration. Unfortunately, this title does not detail the necessary workflows for an NSM program, and it is hoped that the follow-up to this book will.

The only negative in the book is that, as CSO of Mandiant, Bejtlich references his firm's products, mainly their MIR appliance for a CIRT. In the spirit of objectivity, and so that the book does not come across as marketing PR, an author who mentions a product their firm sells should also mention alternative solutions.

For those looking for a comprehensive guide on the topic of NSM, written by one of the experts in the field, The Practice of Network Security Monitoring: Understanding Incident Detection and Response is an excellent reference that is certain to make the reader a better information security practitioner, and their network more secure.

Reviewed by Ben Rothke.


www (-1)

Anonymous Coward | 1 year,6 days | (#44800357)

Pay Attention To Your Network! (-1)

Anonymous Coward | 1 year,6 days | (#44800605)

If you take your eyes off your network long enough to read this book then you fail as a network admin!

Re:Pay Attention To Your Network! (1)

WarJolt (990309) | 1 year,6 days | (#44801209)

If you don't use all the tools available to you, then you fail as a network administrator.

Re:Pay Attention To Your Network! (-1)

Anonymous Coward | 1 year,6 days | (#44801789)

If you didn't fill out your Bullshit Bingo card half-way thru the review, you fail at life.

Re:Pay Attention To Your Network! (0)

Anonymous Coward | 1 year,6 days | (#44803995)

Can you explain what that means?

Re:Pay Attention To Your Network! (1)

rossz (67331) | 1 year,6 days | (#44805349)

There isn't enough time in a day to use all the tools available to me. I pick the tools that will be the most useful to my requirements.

Re:Pay Attention To Your Network! (0)

Anonymous Coward | 1 year,6 days | (#44806327)

Of course...I think there are over 100K on sourceforge alone...

Re:Pay Attention To Your Network! (3, Funny)

dremspider (562073) | 1 year,5 days | (#44807835)

I personally have an oscilloscope hooked up to my network as an IDS. I have been staring at it for 3 days straight now as my co-worker has been off. Still haven't seen any computer attacks yet, but I will be ready!

Re:Pay Attention To Your Network! (1)

Steve_Ussler (2941703) | 1 year,5 days | (#44808371)

Management is likely very impressed with your device :)

C'mon, Richard, we know it was you (0)

xxxJonBoyxxx (565205) | 1 year,6 days | (#44800609)

>> since my friend Richard Bejtlich's (note, that was a full disclosure 'my friend')

C'mon, Richard, we know this is your post.

Re:C'mon, Richard, we know it was you (1)

Steve_Ussler (2941703) | 1 year,6 days | (#44801325)

you serious or joking?

Re:C'mon, Richard, we know it was you (1)

xxxJonBoyxxx (565205) | 1 year,6 days | (#44801995)

>> you serious or joking?

Umm....joking. Typical content of "I have this friend (but it's really me)".

Re:C'mon, Richard, we know it was you (1)

Steve_Ussler (2941703) | 1 year,6 days | (#44802075)

Okno I understand.

I'm from the future... (0)

Anonymous Coward | 1 year,6 days | (#44803629)

... what's a book?

How did you post a book review? (1)

houbou (1097327) | about a year ago | (#44917493)

There is allegedly a link to post book reviews.. and I can't find it and can't get anything useful in Google. The FAQ page refers to it, but that's it, so, how does one post a book review?