Slashdot Mirror


Tao of Security Monitoring

Anton Chuvakin writes "Here is a really cool security book that made me lose half a night's sleep when I first got it. Richard Bejtlich's Tao of Network Security Monitoring (Tao of NSM) covers the process, tools and analysis techniques for monitoring your network using intrusion detection, session data, traffic statistical information and other data." Read on for Chuvakin's review of the book.

Tao of Security Monitoring
author: Richard Bejtlich
pages: 798
publisher: AWL
rating: 10
reviewer: Anton Chuvakin
ISBN: 0321246772
summary: Awesome and novel book on monitoring security

The book starts with a fun, exciting background section introducing security, addressing both risks and the need to monitor networks and systems. Topics range from the classic "threat x vulnerability x value = risk" formula to threat modeling and the limitations of attack-prevention technologies. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, which defines at a high level a reasonable security process for an organization. The threat-analysis material seems to have military origins, but is enlightening for other types of organizations as well.

The concept of network security monitoring, as in the book's title, is introduced as 'beyond IDS', with coverage of why IDS deployments fail and what else is needed (the NSM process and tools, that is).

Bejtlich makes the important, rarely appreciated point that intruders are often smarter than defenders. This is a stark contrast to the "staying ahead of the hackers" theme of many security books, an approach that makes no sense in many cases since the attackers are in fact far ahead to start with. The NSM approach will indeed work against advanced attackers, albeit (as the author admits) at a high resource cost to the defending organization. Such 'worst case' scenario preparations are extremely rare in other security books. Detecting such intruders is covered as part of a breakdown of the compromise process into five phases (from reconnaissance to using/abusing the system).

Another gem is the idea of a "defensible network": not "secure" or "protected," but defensible. A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services. A network so configured assures that if bad things happen there, they can be handled effectively.

I liked how the tools are covered in the book. The explanation of each tool is not simply a rephrasing of that tool's manual, but rather presents the tool's best use in the context of the entire system. While the paradigm "products perform collection, people perform analysis" might grow stale as the products get smarter, having trained analysts is still one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.

A chapter on NetFlow and other types of session/connectivity data will be of considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion activity that did not directly produce IDS alerts. The same applies to traffic visualization and statistical tools, which enrich the IDS data and can sometimes provide early anomaly indications as well.
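The kind of session-data analysis this chapter describes needs no signature at all: a handful of checks over who talked to whom, on which port, for how long and with how much data is enough to surface activity that never trips an IDS rule. The following is an added example, not code from the book or from the reviewer; the flow records, the 10.0.0.0/8 "internal" range, the port list and every threshold are constructed assumptions for the demonstration.

```python
"""Session-data triage over NetFlow-style records: three checks that need no IDS signature.

Added example; not code from the book or from the reviewer. The flow records,
the 10.0.0.0/8 "internal" range and every threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed address space of the monitored LAN
LAN_ONLY_PORTS = {139, 445}           # SMB/NetBIOS should never cross the perimeter
SCAN_DISTINCT_HOSTS = 5               # one source touching >= 5 targets on one port ...
SCAN_WINDOW_S = 60                    # ... within a minute looks like reconnaissance
LONG_SESSION_S = 3600                 # an hour-long outbound session ...
LOW_VOLUME_BYTES = 20_000             # ... that moves almost no data: possible control channel


@dataclass(frozen=True)
class Flow:
    """One session record: who talked to whom, on which port, for how long, how much."""
    ts: int          # epoch seconds at session start
    src: str
    dst: str
    dport: int
    proto: str
    duration: int    # seconds
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated lines: ts src dst dport proto duration bytes."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, dur, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(dur), int(nbytes)))
    return flows


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def find_lan_only_egress(flows):
    """Internal -> external sessions on ports that have no business leaving the LAN."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst) and f.dport in LAN_ONLY_PORTS]


def find_scanners(flows):
    """Map (src, dport) -> number of distinct internal targets hit inside one window."""
    by_key = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            by_key[(f.src, f.dport)].append((f.ts, f.dst))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= SCAN_WINDOW_S}
            if len(targets) >= SCAN_DISTINCT_HOSTS:
                hits[key] = len(targets)
                break
    return hits


def find_long_quiet_sessions(flows):
    """Outbound sessions that stay up for a long time while carrying very little data."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and f.duration >= LONG_SESSION_S and f.nbytes <= LOW_VOLUME_BYTES]


def triage(text):
    """Run all three checks and return the findings as a dict keyed by check name."""
    flows = parse_flows(text)
    return {
        "lan_only_egress": find_lan_only_egress(flows),
        "scanners": find_scanners(flows),
        "long_quiet": find_long_quiet_sessions(flows),
    }


# Constructed sample: a workstation probing SMB on its neighbours and the Internet,
# one host holding an hour-long near-idle HTTPS session, plus ordinary traffic.
SAMPLE_FLOWS = """
# ts    src        dst            dport proto dur   bytes
1000    10.1.1.20  10.1.1.5       80    tcp   2     4000
1001    10.1.1.20  198.51.100.7   445   tcp   1     600
1005    10.1.1.20  10.1.1.6       445   tcp   1     300
1006    10.1.1.20  10.1.1.7       445   tcp   1     300
1007    10.1.1.20  10.1.1.8       445   tcp   1     300
1008    10.1.1.20  10.1.1.9       445   tcp   1     300
1009    10.1.1.20  10.1.1.10      445   tcp   1     300
2000    10.1.1.31  203.0.113.9    443   tcp   7200  9000
2100    10.1.1.40  203.0.113.50   443   tcp   120   2500000
"""

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_FLOWS).items():
        print(check, findings)
```

None of the nine records carries a payload an IDS could match on, yet the first two checks point at the same workstation (10.1.1.20) walking its neighbours on port 445 and then trying the same port on an outside host, and the third flags 10.1.1.31 for a two-hour session that moved under 10 KB. Each finding is a lead for an analyst, not a verdict, which is the division of labour the review describes.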

Event-driven NSM analysis in Tao of NSM is centered on Sguil, a new GUI front end to NIDS alerts, session data and other context data that facilitates easy and effective event classification and escalation (where needed).

Procedures for both emergency NSM and ongoing-monitoring NSM are also covered in the book. Even if an organization does not maintain an ongoing security monitoring program, it can still benefit from NSM deployed after a suspected intrusion.

Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human component (such as simply attempting to overwhelm the analysts) and the process components of NSM.
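The usual defensive answer to "overwhelm the analysts" is to aggregate repeated alerts before they reach a human, so that a burst of noise cannot bury the one alert that matters. The following is an added example, not code from the book or the review; the alert line format, the (signature, source, time window) grouping key, the 300-second bucket and the severity ordering are assumptions made for the demonstration.

```python
"""Alert aggregation: keep a burst of repeated alerts from burying the one that matters.

Added example; not code from the book or the review. The alert line format, the
(signature, source) grouping key, the 300-second bucket and the priority ordering
are assumptions for the demo.
"""
from dataclasses import dataclass, field

BUCKET_S = 300   # alerts sharing signature and source inside a 5-minute window collapse


@dataclass(frozen=True)
class Alert:
    ts: int
    sid: int      # signature id
    prio: int     # 1 = most severe (Snort-style numbering)
    src: str
    dst: str
    msg: str


@dataclass
class Bucket:
    """One queue entry standing in for every alert with the same signature, source and window."""
    sid: int
    prio: int
    src: str
    msg: str
    first: int
    last: int
    count: int = 1
    dsts: set = field(default_factory=set)

    def summary(self):
        return (f"P{self.prio} sid={self.sid} {self.msg!r} from {self.src}: "
                f"{self.count} alert(s) against {len(self.dsts)} host(s) "
                f"between t={self.first} and t={self.last}")


def parse_alert(line):
    """Parse one constructed line: 'ts sid prio src dst message text...'."""
    ts, sid, prio, src, dst, msg = line.split(maxsplit=5)
    return Alert(int(ts), int(sid), int(prio), src, dst, msg)


def aggregate(alerts):
    """Collapse alerts into buckets; order the queue by severity, then volume, then age."""
    buckets = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.sid, a.src, a.ts // BUCKET_S)
        b = buckets.get(key)
        if b is None:
            buckets[key] = Bucket(a.sid, a.prio, a.src, a.msg, a.ts, a.ts, 1, {a.dst})
        else:
            b.last = a.ts
            b.count += 1
            b.dsts.add(a.dst)
    return sorted(buckets.values(), key=lambda b: (b.prio, -b.count, b.first))


def build_queue(lines):
    """Parse raw alert lines and return the aggregated, prioritised analyst queue."""
    return aggregate(parse_alert(line) for line in lines if line.strip())


def sample_alert_lines():
    """Constructed stream: 200 low-priority scan alerts in two minutes, three medium
    policy alerts, and a single high-priority alert in the middle of the flood."""
    lines = [f"{1000 + i} 2001 3 192.0.2.10 10.1.1.{i + 1} SCAN SMB probe" for i in range(200)]
    lines += [f"{ts} 3003 2 198.51.100.4 10.1.1.80 POLICY outbound IRC" for ts in (1010, 1020, 1030)]
    lines.append("1050 1001 1 203.0.113.9 10.1.1.5 EXPLOIT remote service overflow attempt")
    return lines


if __name__ == "__main__":
    raw = sample_alert_lines()
    queue = build_queue(raw)
    print(f"{len(raw)} raw alerts -> {len(queue)} queue entries")
    for b in queue:
        print(b.summary())
```

The 204 raw alerts become three queue entries, and the single priority-1 alert sits at the top regardless of how many scan alerts arrived around it. The bucket keeps the count and the set of targets, so the analyst loses no information about the flood's scope, only the obligation to click through it 200 times.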

The book should be required reading for any security professional, and for those wishing to enter the field. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations (where tuned sensors and skilled analysts are an exception rather than the rule), the book is a superb security resource even for those who do not choose to implement NSM at the moment.

info-secure.org maintainer Anton Chuvakin, Ph.D., GCIA, GCIH is a security strategist and author of Security Warrior. You can purchase Tao of Security Monitoring from bn.com. Slashdot welcomes readers' book reviews: to see your own review here, read the book review guidelines, then visit the submission page.

107 comments

  1. Common Sense by MikeMacK · · Score: 4, Insightful
    A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services.

    This seems like common sense. Shouldn't all network admins be doing this anyway?

    1. Re:Common Sense by Keruo · · Score: 4, Funny

      NO! because Zonealarm is saying you're under ATTACK!!!

      and someone is pinging your host...

      --
      There are no atheists when recovering from tape backup.
    2. Re:Common Sense by archen · · Score: 2, Interesting

      I used to think so, then I hit the real world - where everyone seems scared shitless that patches are going to break their "system". Where I work we must have about 6 to 7 of the aforesaid systems, which involve many more computers. I sometimes wonder if this is just where I work, but I tend to find this in most other places I've seen as well.

      I've seen enough bad patches/upgrades to wonder if they might be right.

    3. Re:Common Sense by kelnos · · Score: 3, Insightful
      This seems like common sense. Shouldn't all network admins be doing this anyway?
      sure. but saying and doing are two very different things. there are lots of different things you can do to monitor your network, all with different costs (both in performance and cash), and all with different levels of required human intervention.

      at the very least, i imagine many networks have an admin budget that is too small to allow as much thoroughness in securing the network as the Tao of NSM would recommend - both in money to buy proprietary products, and in manpower to set up, monitor, and maintain them.
      --
      Xfce: Lighter than some, heavier than others. Just right.
    4. Re:Common Sense by khrtt · · Score: 1

      This seems like common sense. Shouldn't all network admins be doing this anyway?

      All network security work is pretty much just common sense, don't you think? It's how much common sense you actually put to work that's important.

    5. Re:Common Sense by ahsile · · Score: 0

      Well, it's sort of true. Have you seen the list of things SP2 breaks on XP?

    6. Re:Common Sense by Anonymous Coward · · Score: 4, Insightful

      Yes. Despite what the wannabes and poseurs say, many Microsoft patches do break things. We got hit with Blaster because we couldn't patch for it because the patch broke Autodesk applications which are critical to our business. One patch killed one of our servers and only upon deep research did I discover that even MS warned you that the patch would kill any system using a Compaq Smart Array RAID controller. Too late for us though. It is easy for all the computer hobbyists who don't actually work in IT to blame the sysadmin for all the security problems but the day to day reality is way more complex than that.

    7. Re:Common Sense by AndroidCat · · Score: 1
      I was thinking of writing a program to continuously monitor the Zone Alarm logs and play wav sounds. As an option, people could install theme packs with various sounds depending on the port and source IP address. Repeated hits would increase the volume of the sound.

      That ought to make people (and the surrounding cubicles) feel secure!

      --
      One line blog. I hear that they're called Twitters now.
    8. Re:Common Sense by PetoskeyGuy · · Score: 2, Funny

      This seems like common sense. Shouldn't all network admins be doing this anyway?

      Yes of course. You should spend an hour a day in silent contemplation of the "The Spinning Cube of Potential Doom".

      BTW, if you think common sense is common, your sample size is too small.

    9. Re:Common Sense by DNS-and-BIND · · Score: 0, Redundant

      Yes, patches frequently do break things. Especially big, complex applications that make money for the company. Support is often contingent upon running the application on a certain kernel and patchlevel. Running out and patching your system with the zero-day is fine for home systems, but it's beyond idiotic to do it in a big business.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    10. Re:Common Sense by Anonymous Coward · · Score: 0

      Way to go Captain Obvious.

      I think you're missing the point d00dz0r.

      He's pointing out a virtue of the author, not preaching.

      Someone plz Mod the parent down.

    11. Re:Common Sense by linzeal · · Score: 1

      Install a real firewall, ZA is way too flaky for me. Anytime I've been running ZA and have a connection problem 9 times out of 10 it is somehow mangling packets.

    12. Re:Common Sense by AndroidCat · · Score: 1
      Neither of them are real firewalls. For light-duty protection, I've never had problems with ZA. Either product is probably better than using the software firewall from the same company that should have made their OS secure in the first place.

      In any event, supporting all their log file formats should be easy. For starters I'll either go with pinball SFX or swipe the ones from Doom 2. (The port 445 sound is going to get used a hell of a lot!)

      --
      One line blog. I hear that they're called Twitters now.
    13. Re:Common Sense by Anonymous Coward · · Score: 0


      One patch killed one of our servers and only upon deep research did I discover that even MS warned you that the patch would kill any system using a Compaq Smart Array RAID controller.

      I call BS here. My company uses thousands of Compaq systems with the Smart Array RAID controller. Not a single problem with any of them when the "Blaster" patch.

      It is easy for all the computer hobbyists who don't actually work in IT to blame the sysadmin for all the security problems but the day to day reality is way more complex than that.

      Agreed. But bugs in computer software are a fact of life. Even non-Microsoft software.

    14. Re:Common Sense by linzeal · · Score: 1

      Yeah neither is SPI I suppose, for that I use an old via 600 underclocked to 433 running without a fan and astaro linux firewall. The CPU gets up to 60 degrees but the firewall itself runs stable. I've had uptimes in the 100 day range.

    15. Re:Common Sense by sharkey · · Score: 2, Funny

      Well, MAYBE you should stop broadcasting your IP address to the Internet.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    16. Re:Common Sense by FlutterVertigo(gmail · · Score: 1

      This seems like common sense. Shouldn't all network admins be doing this anyway?


      Try "good sense". Common sense is not necessarily a good thing.

      A good definition for should is: "ought to but not necessarily will".

    17. Re:Common Sense by NuclearDog · · Score: 1

      Read it again slowly. He said that a patch conflicted with the RAID. He didn't specify a specific patch.

      ND

      --
      This statement is forty-five characters long.
    18. Re:Common Sense by Fred_A · · Score: 2, Funny

      I never figured that "you're broadcasting your address to the internet" thing.
      Broadcasting ?

      as in
      # ping -b 255.255.255.255

      Windows does that automatically ? Would that explain why Windows hosts generate so much traffic on Ethernets ?

      Or is every packet rewritten so that the return address is 127.0.0.1 which would explain why quite a few things appear not to work for mysterious reasons when I try Windows networking (I admit to not using Windows much).

      Or has somebody from the sales department been set loose again ?

      --

      May contain traces of nut.
      Made from the freshest electrons.
    19. Re:Common Sense by Dabido · · Score: 2, Insightful

      This seems like common sense. Shouldn't all network admins be doing this anyway?

      As someone who has worked as both a Network Engineer and a System Administrator, I can tell you that Management and common sense do not go together. Many a time we asked for tools and software to help stop the hackers, but management refused under the grounds that they thought "security through obscurity" would work. They figured no one would hack into us. When we did testing and found holes in the security that script kiddies could waltz through, Management thought we were making the holes and told us not to test.

      Easy solution is to buy the book and repeatedly beat management over the head with the thing till they understand that security is important and that "security through obscurity" doesn't work. But, management do have thick heads, and it might take a long time of beating before they get it into their brain ... if it ever goes in.

      Common sense ... yes ... but what to do about management. [and if someone does hack in ... guess who would have got the blame!] I think most network people like to do these common sense security things ... it's management who blocks us, or refuses to allocate funds that are the real problem. [Just after I left the last place I worked, the Network Manager who took over ran the network with no firewall between the business LAN/WAN and the internet for two months. Is he dumb .. or is he just plain stooopid? Maybe he should run for President!]

      There's nothing I want!!!!

      --
      Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)
  2. No need! by StevenHenderson · · Score: 4, Funny

    Dude, I already downloaded SP2. I'm invincible now. Looks like this guy was just a little late with the book!

  3. But... by Anonymous Coward · · Score: 0, Funny

    I bet you were too tired the next day to realize your network had been 0wned which was Mr.Bejtlich's plan all along.

  4. Re:What? by ledbetter · · Score: 0, Redundant

    Naked Networks perhaps...

  5. His Other Book by kjfitz · · Score: 4, Informative

    His other book Incident Response covers what to do once you've been attacked.

    Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?

    1. Re:His Other Book by gnu-generation-one · · Score: 3, Funny

      "Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?"

      Upon learning that your systems have been penetrated, proper incident response is as follows:

      1. Scream. Hold head between hands and moan.
      2. Check passport, one-way tickets to South American country of choice. Express relief that the emergency escape kit is still operational.
      3. Remember advising boss to rescind departmental policy of secure sticky-note-on-the-monitor storage for passwords. Recall boss' gales of laughter in response. Take hefty swig of Jack Daniel's.
      4. Remember advising boss to please not open random e-mail attachments. Recall boss' blank stare in response. Suck on barrel of .357 revolver for 5 minutes or until sufficiently calmed down.
      5. Remember pleading with boss to allow filtering executable attachments. Recall boss' response. Almost pull trigger.
      6. Resist urge to yank server out of rack and dump out ninth-story window.
      7. Advise boss of break-in. This starts the long chain of blame-passing that ends when the CEO sacks 5 random people in middle management and below.
      8. Sit back and watch the spin machine start the vital post-incident response protocol of figuring out who might know what happened and silencing them.

    2. Re:His Other Book by shigelojoe · · Score: 1

      9. PROFIT!!!

    3. Re:His Other Book by gnu-generation-one · · Score: 1

      "9. PROFIT!!!"

      It's inevitable. The robots have finally learnt to tell jokes better than humans.

      I, slashdotter.

  6. Re:All Night Long? by StalinsNotDead · · Score: 4, Funny

    Maybe he lost the sleep because after reading it he realized how vulnerable his network was.

    --
    Thanks to the internet, we can now all die alone together! -SomeWoman
  7. Best quote from the book: by Anonymous Coward · · Score: 4, Interesting


    "If you're serious about security and aren't afraid of the mailing lists, OpenBSD is really the only way to go."
    - Richard Bejtlich

    1. Re:Best quote from the book: by BlacKat · · Score: 1

      So, by extension MacOS X would also be good since it is BSD derived? :)

    2. Re:Best quote from the book: by Anonymous Coward · · Score: 0

      No.

    3. Re:Best quote from the book: by falsifian · · Score: 1

      OpenBSD is a particular flavour of BSD that is famous for its security. Mac OS X does indeed run on top of a flavour of BSD, but the post was referring to OpenBSD in particular, which is probably the most secure flavour of BSD there is.

      (No, Windows doesn't get brownie points for using BSD's TCP/IP stack.)

      --
      Each language has its purpose, however humble. -- The Tao of Programming
    4. Re:Best quote from the book: by Fred_A · · Score: 1

      Actually if you want to be secure, run OpenBSD on a Vax or an Alpha, or a MIPS (not sure it's ported there) or some other exotic CPU. Or run Linux on the same for that matter.

      Then you will need a very dedicated attacker to hand craft executable code for your architecture and not for some generic Intel box. Exit all the script kiddies.

      Not the ultimate solution but it will certainly make things more complicated for attackers.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    5. Re:Best quote from the book: by BlacKat · · Score: 1

      Ahh, ok, I understand the differences now... thank you for the clarification. :)

    6. Re:Best quote from the book: by Anonymous Coward · · Score: 0

      Unless you have a modern server, one that will come with several processors and high-end stuff.

      It's easy to call OpenBSD the secure be-all end-all operating system when you only use it to secure your ADSL connection with an old P133.

  8. It is Officially . . . by pete-classic · · Score: 5, Funny

    . . . no longer clever to use the word "Tao" or "Zen" in your book title.

    Thank you for your attention regarding this matter.

    -Peter

    1. Re:It is Officially . . . by Anonymous Coward · · Score: 5, Funny


      So my plans to publish "The Tao of Zen" should be put on hold?

    2. Re:It is Officially . . . by pete-classic · · Score: 2, Funny

      I'm just passing on what my publisher told me when I pitched "Zen and the Art of Tao Maintenance" to him.

      -Peter

    3. Re:It is Officially . . . by grub · · Score: 5, Funny


      You needed more catchphrases. Might I suggest "Pushing the Envelope While Thinking Outside the Box: The Paradigm Shifts of Zen and the Art of Tao Maintenance"?

      --
      Trolling is a art,
    4. Re:It is Officially . . . by jayhawk88 · · Score: 2, Funny

      It is the destiny of this title to one day rise up and destroy all mankind.

    5. Re:It is Officially . . . by Some+Dumbass... · · Score: 1

      You needed more catchphrases. Might I suggest "Pushing the Envelope While Thinking Outside the Box: The Paradigm Shifts of Zen and the Art of Tao Maintenance"?

      Dangit, that's the name of my blog!

    6. Re:It is Officially . . . by linzeal · · Score: 1

      At least it is not the Tao of Pooh which demonstrates alarmingly 'untaoistic' gems like all scientists are unhappy, and if you sometimes put things off till the last minute it could or maybe or should allow you to sometimes get ahead of people who do everything on time.

    7. Re:It is Officially . . . by identity0 · · Score: 1

      ... you mean it's not Kosher?

      But "Tantric Security Monitoring" brings up nasty images of overweight guys screwing their networks, and "Pray for Security Monitoring" doesn't inspire confidence...

    8. Re:It is Officially . . . by identity0 · · Score: 1

      That would never sell in America. You need "Jesus is My Zen Motorcycle Repairman Who Taught Me The Six Sigma Habits of Highly Synergized Dot-Com Billionaires Who Won Friends, Influenced People And Went From Good To Great By Moving Their Cheese In A Mythical Man-Month 2.0"

      Yes folks, Jesus is coming, and he's bringing that book with him. Pheer.

    9. Re:It is Officially . . . by Anonymous Coward · · Score: 0

      ... Moving Their Cheese In A Mythical Man-Month...

      I was managing *not* to laugh out loud till I hit that bit. Sir, or ma'am, I salute your humorousness.

    10. Re:It is Officially . . . by Anonymous Coward · · Score: 0

      I try so hard to make a fortune and retire, but then these douchebags (I'm being kind) pull it over the people (other douchebags?) with...

      Nevermind.

    11. Re:It is Officially . . . by Anonymous Coward · · Score: 0

      Pushing the Envelope

      This may not always mean what you think it means. In most of the Western world, it means to improve the performance of a system or product, quite literally "push the design envelope". In India (and other places), it's common slang for sliding across a brown envelope filled with cash. Though I hear that they have graduated to suitcases of cash the last few years, which you leave under the official's desk as you depart his office.

      Cautionary note: If you're ever setting up a business in India, don't use "We Push The Envelope Proactively" as a corporate slogan. It might end up as an addendum to those famous stories of dubious origin about "Bite The Wax Tadpole".

  9. Re:Join the Crusade!!!! by Anonymous Coward · · Score: 3, Funny

    no no.. linux users just don't have sex.

  10. That's nice.. by Anonymous Coward · · Score: 0, Offtopic
  11. author's blog by coolguy81 · · Score: 5, Informative

    I have been reading this authors blog for a while now...

    If you are in to BSD/Security, you should really check it out.

  12. Finding a trojan by noerej · · Score: 4, Interesting

    I'm also an application maintainer of some web application. During my holiday the application started to have some random problems. When I returned I began the investigation into the cause.
    I couldn't reproduce the errors, so it took some time to get further with finding the cause. After some time I looked at the event viewer (Yes it is Win2000 and not Linux) and saw that the computer rebooted on average twice a day. The error messages said "Unexpected reboot". The sysadmin could find a cause also. In most cases this error was caused by a hardware error. So what I did is download Ethereal and monitor the network traffic from the server. (This shows how nice open source is. You just download it for free as in beer. If there was no FOSS I couldn't do this). I saw some strange network traffic to port 445 on the computer. I also saw that it uses a specific function. When I googled this function I saw that there was a bug in the 'lsass' program regarding this bug. Then I checked the network traffic from the source host and saw some strange network traffic to outside the organisation on port 445, which is very strange. After the investigation of the computer (desktop) they found the pedodo (I think it is called this way) trojan. (It collects passwords and credit card numbers)
    Now we patched the server (it was only SP4) and everything was fine. This solved the problem. My conclusion was that this trojan disturbed the server.
    This shows how fucked Windows is and how great FOSS is.

    1. Re:Finding a trojan by BenjiTheGreat98 · · Score: 1

      I like FOSS too, but be reasonable. There are flaws in FOSS, as well. Do you remember this from not too long ago?

      --
      :wq
    2. Re:Finding a trojan by noerej · · Score: 1

      I did forget to mention that this trojan was spread by a virus which uses a bug in IE

    3. Re:Finding a trojan by djdavetrouble · · Score: 1

      he says:
      This showes how fucked windows is and how great foss is.

      Really? Maybe you haven't heard of all of the kernel level rootkits available for cracking linux boxes. Crackers don't really discriminate. They will use ANY exploit on ANY platform.

      --
      music lover since 1969
    4. Re:Finding a trojan by SoSueMe · · Score: 1

      Most up-to-date virus scanners will be easier than monitoring the network traffic to find a trojan.

    5. Re:Finding a trojan by noerej · · Score: 1

      The server which is used by the web application was never infected with a virus. We scanned the computer and it was clean. The server was disturbed by a virus on another desktop which hadn't any up to date virus scanner. I couldn't know also because I'm not a sysadmin.
      Btw they changed the virus scanner, such that it is updated daily.... better late than never.

    6. Re:Finding a trojan by BlueNexus · · Score: 1

      You and your sysadmin are fools. Ever hear of PATCHING??? Sure Windows has its problems, but most of them are people who don't pay attention to the fact that you must patch EVERY month. (You do know that Microsoft releases patches every month, right?)

      If you did that, your "bug" would never had surfaced.

      If only people stop running Windows servers the same way they run their switches and routers, the Internet might be a better place.

      -B

      ---
      I had a sig once... Then I didn't.

    7. Re:Finding a trojan by noerej · · Score: 1

      Don't call me fool.
      I'm not responsible for patching because I can't. I'm just a software programmer and an application maintainer.

    8. Re:Finding a trojan by Anonymous Coward · · Score: 0


      So what I did is download Ethereal and monitor the network traffic from the server. (This shows how nice open source is. You just download it for free as in beer. If there was no FOSS I couldn't do this).

      Only because you're ignorant about things:

      "Microsoft ships two versions of Network Monitor (Netmon): a basic version that ships with Windows NT 4.0 and Windows 2000 server products, and full version that ships as part of Systems Management Server (SMS) 1.2 and 2.0."

      "netmon" is a network packet capturing utility much like ethereal.

      Geez, the open source community is very ignorant about Windows. It's no wonder they don't like Windows. They know nothing about it.

    9. Re:Finding a trojan by altamira · · Score: 1

      No, I think it shows that your network design and firewall configuration was really dumb to begin with, not to mention OS hardening.

      Why was it reachable on port 445? Why could the box connect to outside hosts AT ALL?

    10. Re:Finding a trojan by noerej · · Score: 1

      I got many critical comments from this post, and would like response to all this way.
      * Yes there is much wrong with our IT. But I'm not a sysadmin and I'm not part of the IT department so I can't change anything about that.
      * The sysadmin whom I needed to deal with is an MCSE
      * I even need to explain to them that they need to protect their Citrix servers from spyware. The MCSE guy didn't even know what spyware was (even though he was an MCSE).
      * And yes there is a lot wrong with firewalling. But that is not my responsibility.
      * I know, and then give comments to them to improve things, but I need to keep working with them so I can't be too harsh to them.
      * And yes it is easier to find a virus with a virus scanner. But I didn't know that it was a virus. The server had an up-to-date virus scanner, and we checked it and the server was clean. Only the problems were caused by a desktop which was not up to date. That is not my responsibility.
      * And yes, the server was not up to date regarding service packs and hardening, but that is the responsibility of the sysadmin, not me. I would like to do that, but I can't

    11. Re:Finding a trojan by noerej · · Score: 1

      First the desktop was inside the firewall and the desktop only tried to reach an outside host, but failed.

    12. Re:Finding a trojan by altamira · · Score: 1

      Sorry then, but you didn't mention this anywhere in the original post, and "web application" and "server" somehow didn't indicate to me that we were talking about infection on a local network. Even then, there should be some hardening and some degree of separation of the server LAN from the desktop machines, even though this is rarely fully implemented in actual environments.

  13. Another Great book by chadwbennett · · Score: 4, Informative
    If you like this one, or are interested in these books, another good read is
    1. Stealing the Network: How to Own a Continent
    This one is co-authored by a bunch of well-known hackers/crackers, i.e. Fyodor, FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale, and several others.

    It's for real. I normally don't go for these things but...Free ipods (click here to get yours) .

    1. Re:Another Great book by PitaBred · · Score: 3, Insightful

      I'd get a free iPod if I didn't have a moral issue with fucking other people over. Same as with Ponzi schemes, and all other multi-level marketing scams. Someone is making money, and it usually isn't you.

  14. Tao of Zen? by khrtt · · Score: 1

    So my plans to publish "The Tao of Zen" should be put on hold? "The Tao of Zen" - double whammy. How about "The Zen of Tao?"

    1. Re:Tao of Zen? by user32.ExitWindowsEx · · Score: 2, Funny
      "that was zen and this is tao"...need i say any more? :P

      p.s. someone help me, please! I've chipped in to the community. You should too.

      --
      "Evil will always triumph because good is dumb." -- Dark Helmet
  15. Re:Join the Crusade!!!! by Blackbrain · · Score: 2, Funny

    That's not true, Linux users do it in clusters...and they don't have to pay.

    --
    Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
  16. SGUIl by scottder · · Score: 4, Interesting

    Shameless Plug: Check out SGUIl if you have a chance. http://sguil.net/

    --
    ------------ scottder
  17. Linux kernel "security problem" by Dr.Dubious+DDQ · · Score: 3, Insightful

    I know I've said this before, but that particular report of a "security problem" (why that's in quotes, I'll get to in a moment) in the Linux kernel is an excellent illustration of the difference between Microsoft's (and presumably other proprietary vendors') attitude to "security" vs. most open source projects.

    This problem can be simplistically summarized thusly: "Someone who can log into a linux system can conceivably run a malicious program that might crash or lock up the Operating System". In Linux, this is characterized as a "Security Problem".

    Now, think about it - if you called Microsoft (picking on them since that's the proprietary vendor we're talking about at the moment) and said "Hey, I have a program that when I run it, it crashes the system"...what kind of response will you get? "Well, don't run that program. It's obviously either defective or a trojan." Which would be the truth. But they have historically not considered that a problem in the OS AT ALL, let alone a security problem. Remember all those years ago when they claimed that most windows crashes are caused by anti-virus software?...)

    Yes, FOSS also has flaws. Sometimes even serious ones. But it usually seems like FOSS projects more readily and more quickly address those flaws than proprietary ones do.

    1. Re:Linux kernel "security problem" by slittle · · Score: 1

      Maybe they'd care if you were more specific about the fault. That BSOD is there for a reason, you know.

      Yes, FOSS has its faults. The same ones it would seem. Nobody wants to chase bugs in other people's compiled crud.

      --
      Opportunity knocks. Karma hunts you down.
  18. My own personal pet peeve by PitaBred · · Score: 1, Interesting

    I hate when people assume they're smarter than I am. I hate those "For Dummies" and "For Idiots" books, because I am in no way a dummy nor an idiot. I simply don't have the same information.
    Tell me I'm misinformed, tell me I don't know everything, I'll agree with you. Tell me that some hacker is smarter than I am, and I'll tell you that you need to find a new definition of smarter. The only thing that hacker might have on me is knowledge of a few things I don't.
    Anyway, rant over, and this actually sounds like a good book otherwise. I'll probably pick it up.

    1. Re:My own personal pet peeve by Anonymous Coward · · Score: 0
      Tell me that some hacker is smarter than I am, and I'll tell you that you need to find a new definition of smarter. The only thing that hacker might have on me is knowledge of a few things I don't.

      Since you find it unacceptable that anybody could be smarter than you, it follows that you consider yourself the smartest person on Earth. IMHO you need to get a better grip on reality.

    2. Re:My own personal pet peeve by Anonymous Coward · · Score: 0

      One definition for stupid does not assume that you have low intelligence. Only that you are not educated on that specific subject. Only people make it personal and call you stupid, rather than saying you are stupid on this subject.

      Of course many people get some kind of pleasure putting others down. But that's another topic too.

    3. Re:My own personal pet peeve by BlacKat · · Score: 1

      "The only thing that hacker might have on me is knowledge of a few things I don't."

      Uh, which would make them SMARTER then you, on that particular subject.

      Hell, I know virtually nothing about automotive things, nor really want to, and my friend who is a wiz on cars knows precious little about programming...

      So, we're smarter then each other in our respective fields, but stupid in the field we're not strong in.

      Somehow I also doubt you are the "smartest" person in your field either... actually, I don't think *anyone* is /the/ smartest at anything really, it's all down to experience and the moment at hand. :)

    4. Re:My own personal pet peeve by FlutterVertigo(gmail · · Score: 1

      "The only thing that hacker might have on me is knowledge of a few things I don't."
      Uh, which would make them SMARTER then you, on that particular subject.


      First of all, it's than not then.

      Smart != Knowledge
      My little, silver-dapple dachshund is not very smart (compared to some people...there's a fairly good-sized overlap between the smartest animals and the dumbest people), but she's knowledgeable enough to know that when I put a shirt on at suppertime, I'm getting ready to go pick up food and she's at the door waiting to go along.

      Just remember:
      ________________________________________
      My Trunk Monkey can beat up your Trunk Monkey.
      http://www.suburbanautogroup.com/ford/trunkmonkey.html

    5. Re:My own personal pet peeve by NuclearDog · · Score: 1

      Often when it comes to computer security it is knowledge not intelligence that will help you. This still leaves the problem that there isn't really a concrete && satisfactory definition of intelligence.

      ND

      --
      This statement is forty-five characters long.
  19. How does it compare by akad0nric0 · · Score: 1

    to the bible of all IDS analysts, Network Intrusion Detection by Stephen Northcutt & Judy Novak (ISBN# 0735712654)?

    Would you consider this a complement to, or overlap of, the aforementioned text? If so, in what ways?

    --
    akad0nric0

    This sentence no verb.
    1. Re:How does it compare by bamm · · Score: 4, Informative

      How does it compare to the bible of all IDS analysts, Network Intrusion Detection by Stephen Northcutt & Judy Novak

      That's a really good question. To me the bible is Stevens' TCP/IP Illustrated Vol I. While Northcutt's book is a great introduction to IDS and analysis for beginners, I think Rich's book goes beyond that (as evident in reviews from respected members in the community like Lance Spitzner from the Honeynet Project). To quote Ron Gula from the foreword of Richard's book:
      If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, "What's next?" If so, this book is for you.

      You can also read a couple of sample chapters from the book.

      Of course, I am a little biased. Rich is a great friend, but I truly think he did an awesome job of creating something that should be required reading for anyone involved in network security.

      Bammkkkk
      --
      www.sguil.net
      The Analyst Console for NSM
  20. So much for that... by SaDan · · Score: 2, Interesting

    Guess I won't be buying that book.

  21. Free bear! by Xel'Naga · · Score: 1
    This shows how nice open source is. You just download it for free as in bear.

    Free bears? What next, Armed bears?

    1. Re:Free bear! by noerej · · Score: 1

      I think I meant 'free beer'. But free bear is also possible. The place I work is in the middle of a forest, so a free bear is possible.

      Once we had a herd of 40 mad cows walking on the field near our office. They had broken out of some grazing land. One of the cows spoke to me, and said that he was Durl MoeBride. He kept repeating 'I need Scoe Code, I need Scoe Code'. I don't know what he was talking about. Nobody did either.

      Any way ...

  22. A half a night's sleep?! by lukewarmfusion · · Score: 2, Funny

    I haven't slept for ten days!
    .
    .
    .
    Because that would be too long.

    1. Re:A half a night's sleep?! by Anonymous Coward · · Score: 0

      Dude, try nanosleep() then.

  23. Absolutely essential! by Paws+Across+the+Keyb · · Score: 5, Interesting
    OMFG, this is sooooo important. Infosec is my bread and butter, and has been for about six years, now. You simply would not believe the shenanigans you can catch wise to if you monitor your system, A/V, and firewalls on a daily basis.

    Things like fast-spreading infectors that got past your A/V proxies because they got to them before the vendor's new pattern file did.

    Attempts by employees to download things like Back Orifice for use as revenge tools.

    Engineering failures.

    Misconfigurations.

    Vendor screwups.

    Stealthy host sweeps that dribble one TCP/21 packet every 75 minutes into your Internet-facing DMZ. No, that last one totally blew by our worthless network IDS; we ended up blackholing the IP at the border router. No choice, our DMZ ftp server used wu-ftpd.

    Porn download attempts.

    Boxes in your trusted network infected by viruses.

    I spent twenty months doing log monitoring. I caught all these event types and more. There is a whole wide, wacky wonderful World Of Hurt out there that you can duck or mitigate if you just monitor your logfiles. And most shops never really do.
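    The "one TCP/21 packet every 75 minutes" sweep above is a useful test case for why a long-horizon log review catches what a per-minute rate threshold misses. This is an added example, not from the thread: a hypothetical firewall deny log format, constructed addresses and constructed thresholds, with a classic rate rule beside a per-source distinct-host tally over the whole log.

    ```python
    from collections import defaultdict
    from datetime import datetime, timedelta

    # Constructed deny lines in a hypothetical format: "<ISO time> DENY <src> <dst>:<dport>"
    LOG_LINES = [
        # one probe to a different DMZ host every 75 minutes (the sweep)
        "2004-08-01T00:00:00 DENY 198.51.100.7 192.0.2.10:21",
        "2004-08-01T01:15:00 DENY 198.51.100.7 192.0.2.11:21",
        "2004-08-01T02:30:00 DENY 198.51.100.7 192.0.2.12:21",
        "2004-08-01T03:45:00 DENY 198.51.100.7 192.0.2.13:21",
        "2004-08-01T05:00:00 DENY 198.51.100.7 192.0.2.14:21",
        "2004-08-01T06:15:00 DENY 198.51.100.7 192.0.2.15:21",
        # a user retrying one FTP server three times in under a minute
        "2004-08-01T09:00:00 DENY 203.0.113.5 192.0.2.10:21",
        "2004-08-01T09:00:20 DENY 203.0.113.5 192.0.2.10:21",
        "2004-08-01T09:00:40 DENY 203.0.113.5 192.0.2.10:21",
    ]

    def parse(line):
        ts, _, src, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return datetime.fromisoformat(ts), src, dst, int(port)

    def rate_alerts(lines, port=21, window=timedelta(minutes=5), min_hits=3):
        """Classic IDS-style rule: min_hits to `port` from one source inside `window`."""
        hits = defaultdict(list)
        for ts, src, _dst, p in map(parse, lines):
            if p == port:
                hits[src].append(ts)
        flagged = set()
        for src, times in hits.items():
            times.sort()
            for i in range(len(times) - min_hits + 1):
                if times[i + min_hits - 1] - times[i] <= window:
                    flagged.add(src)
        return flagged

    def slow_sweep_alerts(lines, port=21, min_hosts=5, min_gap=timedelta(minutes=30)):
        """Whole-log view: one source touching many distinct hosts on `port`,
        with every inter-probe gap long enough to stay under a rate rule."""
        seen = defaultdict(lambda: ([], set()))
        for ts, src, dst, p in map(parse, lines):
            if p == port:
                seen[src][0].append(ts)
                seen[src][1].add(dst)
        flagged = set()
        for src, (times, hosts) in seen.items():
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(hosts) >= min_hosts and gaps and min(gaps) >= min_gap:
                flagged.add(src)
        return flagged
    ```

    With these inputs the rate rule flags only the retrying user, while the long-horizon tally flags only the sweeping source; in practice the tally has to run over days of retained logs, which is the point of the post.
    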

  24. This fit surprisingly well by sammyo · · Score: 0, Redundant

    27.
    A good traveler leaves no trail.
    A good speaker leaves no argument.
    A good planner needs no sketch.
    A good door needs no latch.
    A good binding needs no rope.
    Thus the sage is good at helping, so no one is rejected;
    Good at saving, so nothing is wasted.
    This is called Stealing the Light.
    Good is the model for bad, but bad is the origin of good.

  25. I dislike this author just from the title. by Kiyooka · · Score: 1

    This is not OT, but I know it's probably irrelevant for most of you, but what is it with the abuse of people who write "The Tao of Management" and "The Tao of Security Monitoring" and "The Tao of Funds Management" and "The Tao of trying-to-use-the-word-tao-to-seem-really-cool"?

    As a Taoist, I'm more than a little bugged that the word Tao is used haphazardly by every joe shmoe to title their new instructional book.

    Using the word without understanding it or true reverence is almost sacrilegious for me.

  26. Re:Tao Now, Brown Cow! by UserGoogol · · Score: 0, Offtopic

    The sound, my friend, is *fwapfwapfwapfwapfwapfwapfwapfwap*

    --
    "Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
  27. Just goes to show that no matter what religion by Flower · · Score: 1
    There has got to be a fanatic somewhere. Why as a Taoist would you ever allow yourself to get worked up over a trivial issue like a book title? So the author uses Tao instead of the saying Way. And you don't even know the guy or why he chose the title. Or maybe he didn't. It could have been the publisher which chose the title.

    Maybe when you have a little less ego and a bit more Tao in you you can come back and do something Lao Tzu would have appreciated.

    Laugh at it.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
    1. Re:Just goes to show that no matter what religion by Kiyooka · · Score: 1

      I already considered that I may have been taking it too seriously before posting, but I thought that my opinions were, to a certain extent, justified. After all, I don't say "Jesus Christ!" as an exclamation of surprise out of respect for my Christian friends. A certain respect for the perceived holiness of certain words by others is a good thing. Not everyone who is offended by misuse of his/her holy word is a "fanatic".

      Finally, even if I did become too attached to the word "Tao", it doesn't mean I need "a little less ego and a bit more Tao". This is not really an issue of ego, but one of attachment. You speak as if your understanding of Taoism is deep and you know what Lao Tzu would have approved of. However, if you disagreed, you should have taught, enlightened, and instilled peace, not ranted about fanatics everywhere and made a superfluous personal attack.

      To assert my point again: would you name your dog "Jesus Christ" or "Buddha"? Why not? It's just a name, isn't it? Why, are you some fanatic?

      No, it's simply about respect.

  28. Lost sleep? by Anonymous Coward · · Score: 0

    "Here is a really cool security book that made me lose half a night's sleep when I first got it."

    I read that book, it wasn't that scary...

  29. Re:Join the Crusade!!!! by Anonymous Coward · · Score: 0

    Clusters? So that's what you kids are calling a circle jerk now?

  30. Different authors, no? by scruffyMark · · Score: 1
    Incident Response is by Mandia, Prosise and Pepe. Tao of NSM is by Bejtlich.

    Has someone gotten married in some unknown country where men take their wives' family names? Or was your comment in response to a parent that has been modded into oblivion?

    At any rate, Incident Response is an excellent book, whoever it's by.

    --

    What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht