Tao of Security Monitoring
The book starts with a fun, exciting background section introducing security, addressing both risks and the need to monitor networks and systems. Topics range from the classic "threat x vulnerability x value = risk" formula to threat modeling and the limitations of attack-prevention technologies. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, which defines at a high level a reasonable security process for an organization. The threat-analysis material seems to have military origins, but is enlightening for other types of organizations as well.
The concept of network security monitoring, as in the book's title, is introduced as being 'beyond IDS' -- with some coverage on why IDS deployments fail and what else is needed (NSM process and tools, that is).
Bejtlich makes the important, rarely appreciated point that intruders are often smarter than defenders. This presents a stark contrast to the "staying ahead of the hackers" theme of many security books, an approach which makes no sense in many cases because the attackers are in fact far ahead to start with. The NSM approach will indeed work against advanced attackers, albeit (as the author admits) at a high resource cost to the defending organization. Such "worst case" scenario preparations are extremely rare in other security books. Detecting such intruders is covered as part of a breakdown of the compromise process into five phases (from reconnaissance to using/abusing the system).
Another gem is the idea of a "defensible network": not "secure" or "protected," but defensible. A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services. A network so configured ensures that if bad things happen there, they can be handled effectively.
I liked how the tools are covered in the book. The explanation of each tool is not simply a rephrasing of that tool's manual, but rather presents the tool's best use in the context of the entire system. While the paradigm "products perform collection, people perform analysis" might grow stale as the products get smarter, having trained analysts is still one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.
A chapter on NetFlow and other types of session/connectivity data will be of considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion activity that did not directly produce IDS alerts. The same applies to traffic visualization and statistical tools that enrich the IDS data and can sometimes provide early anomaly indications as well.
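To make the session-data point concrete, here is an added example (my own illustration, not code from the book or from the reviewer) of the kind of analysis an NSM analyst runs over flow records when no IDS signature has fired. It parses a handful of constructed NetFlow-style session records (the record format, hosts and values are all made up for the example) and flags two things signatures rarely catch: an internal host contacting one external address at suspiciously regular intervals, and an unusually long-lived outbound session.

```python
"""Triage of session (flow) records without IDS alerts.

Added example, not from the book or the review. The record format below is a
constructed CSV (start_epoch,duration_s,src,dst,dport,bytes_out); real
collectors export richer fields, but the analysis logic is the same.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    start: int      # session start, epoch seconds
    duration: int   # session length in seconds
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed CSV record into a Flow."""
    start, dur, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(int(start), int(dur), src, dst, int(dport), int(nbytes))


# Constructed sample session data (not real traffic).
SAMPLE_RECORDS = """\
1000,2,10.0.0.5,203.0.113.7,443,512
1600,2,10.0.0.5,203.0.113.7,443,498
2200,3,10.0.0.5,203.0.113.7,443,520
2800,2,10.0.0.5,203.0.113.7,443,505
3400,2,10.0.0.5,203.0.113.7,443,511
1050,15,10.0.0.8,198.51.100.20,443,24000
1100,4,10.0.0.8,198.51.100.21,80,8000
1300,30,10.0.0.8,198.51.100.20,443,61000
3100,9,10.0.0.8,198.51.100.22,443,14000
3150,1,10.0.0.8,198.51.100.20,443,3000
1200,7200,10.0.0.9,192.0.2.44,22,900000
"""

SAMPLE_FLOWS = [parse_flow_line(l) for l in SAMPLE_RECORDS.splitlines() if l]


def find_beacons(flows, min_count=4, max_jitter=0.2):
    """Return {(src, dst, dport): mean_interval_s} for src->dst:port groups
    whose session start times are evenly spaced.

    Regularity is measured as the coefficient of variation of the gaps
    between consecutive starts (pstdev / mean); small values mean a timer,
    not a human, is driving the connections. Thresholds are illustrative.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f.start)

    beacons = {}
    for key, starts in groups.items():
        if len(starts) < min_count:
            continue  # too few sessions to judge periodicity
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def find_long_sessions(flows, min_duration=3600):
    """Return sessions lasting at least min_duration seconds (default 1 h)."""
    return [f for f in flows if f.duration >= min_duration]


def triage(flows):
    """Produce analyst-readable findings from the two checks above."""
    findings = []
    for (src, dst, dport), interval in find_beacons(flows).items():
        findings.append(f"periodic: {src} -> {dst}:{dport} every {interval:.0f}s")
    for f in find_long_sessions(flows):
        findings.append(f"long session: {f.src} -> {f.dst}:{f.dport} "
                        f"{f.duration}s, {f.bytes_out} bytes out")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_FLOWS):
        print(line)
```

In the sample data the browsing host (10.0.0.8) talks to several servers with irregular gaps and is not flagged, while 10.0.0.5 checks in with one external host every 600 seconds and 10.0.0.9 holds a two-hour SSH session; neither would necessarily match an IDS signature, which is exactly why the book argues for keeping session data alongside alert data.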
NSM event-driven analysis in Tao of NSM is centered on Sguil, a new GUI front end to NIDS, session and other context data, facilitating easy and effective event classification and escalation (if needed).
Emergency NSM vs ongoing monitoring NSM procedures are also covered in the book. Even if an organization does not maintain an ongoing security monitoring program, it can still benefit from NSM that is deployed after a suspected intrusion.
Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human (such as simply attempting to overwhelm the analysts) and process components of the NSM.
The book should be required reading for any security professional, and for those wishing to enter the field. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations (where tuned sensors and skilled analysts are an exception rather than the rule), the book is a superb security resource even for those who do not choose to implement NSM at the moment.
info-secure.org maintainer Anton Chuvakin, Ph.D., GCIA, GCIH is a security strategist and author of Security Warrior. You can purchase Tao of Security Monitoring from bn.com.
NO! because Zonealarm is saying you're under ATTACK!!!
and someone is pinging your host...
There are no atheists when recovering from tape backup.
Dude, I already downloaded SP2. I'm invincible now. Looks like this guy was just a little late with the book!
I bet you were too tired the next day to realize your network had been 0wned which was Mr.Bejtlich's plan all along.
Maybe he lost the sleep because after reading it he realized how vulnerable his network was.
Thanks to the internet, we can now all die alone together! -SomeWoman
. . . no longer clever to use the word "Tao" or "Zen" in your book title.
Thank you for your attention regarding this matter.
-Peter
no no.. linux users just don't have sex.
That's not true, Linux users do it in clusters...and they don't have to pay.
Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
This seems like common sense. Shouldn't all network admins be doing this anyway?
Yes of course. You should spend an hour a day in silent contemplation of the "The Spinning Cube of Potential Doom".
BTW, if you think common sense is common, your sample size is too small.
"Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?"
Upon learning that your systems have been penetrated, proper incident response is as follows:
1. Scream. Hold head between hands and moan.
2. Check passport, one-way tickets to South American country of choice. Express relief that the emergency escape kit is still operational.
3. Remember advising boss to rescind departmental policy of secure sticky-note-on-the-monitor storage for passwords. Recall boss' gales of laughter in response. Take hefty swig of Jack Daniel's.
4. Remember advising boss to please not open random e-mail attachments. Recall boss' blank stare in response. Suck on barrel of .357 revolver for 5 minutes or until sufficiently calmed down.
5. Remember pleading with boss to allow filtering executable attachments. Recall boss' response. Almost pull trigger.
6. Resist urge to yank server out of rack and dump out ninth-story window.
7. Advise boss of break-in. This starts the long chain of blame-passing that ends when the CEO sacks 5 random people in middle management and below.
8. Sit back and watch the spin machine start the vital post-incident response protocol of figuring out who might know what happened and silencing them.
p.s. someone help me, please! I've chipped in to the community. You should too.
"Evil will always triumph because good is dumb." -- Dark Helmet
I haven't slept for ten days!
.
.
.
Because that would be too long.
Well, MAYBE you should stop broadcasting your IP address to the Internet.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I never figured that "you're broadcasting your address to the internet" thing.
Broadcasting ?
as in
# ping -b 255.255.255.255
Windows does that automatically ? Would that explain why Windows hosts generate so much traffic on Ethernets ?
Or is every packet rewritten so that the return address is 127.0.0.1 which would explain why quite a few things appear not to work for mysterious reasons when I try Windows networking (I admit to not using Windows much).
Or has somebody from the sales department been set loose again ?