Slashdot Mirror
Tao of Security Monitoring
The book starts with an fun, exciting background section introducing security, addressing both risks and the need to monitor networks and systems. Topics such as the classic "threat x vulnerability x value = risk" formula to threat modeling and limitation of attack prevention technologies are included. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, defining at a high level a reasonable security process for an organization. The threat-analysis material seems to have military origins, but is enlightening for other types of organizations as well.
The concept of network security monitoring, as in the book's title, is introduced as being 'beyond IDS' -- with some coverage on why IDS deployments fail and what else is needed (NSM process and tools, that is).
Bejtlich makes the important, rarely appreciated point that intruders are often smarter than defenders. It presents a stark contrast to the "staying ahead of the hackers" theme of many security books, an approach which makes no sense in many cases as the attackers are in fact far ahead to start with. The NSM approach will indeed work against advanced attackers, albeit (as the author admits) at a high resource cost to the defending organization. Such 'worst case' scenario preparations are extremely rare in other security books. Detecting such intruders is covered as part of a breakdown of the compromise process into five phases (from reconnaissance to using/abusing the system).
Another gem is the idea of a "defensible network": not "secure" or "protected," but defensible. A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services. A network so configured assures that if bad things happen there, they can be handled effectively.
I liked how the tools are covered in the book. The explanation of each tool is not simply a rephrasing of that tool's manual, but rather presents the tool's best use in the context of the entire system. While the paradigm "products perform collection, people perform analysis" might grow stale as the products get smarter, having training analysts still is one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.
A chapter on netflow and other types of session/connectivity data presents considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion action that did not directly produce IDS alerts. Same applies to traffic visualization and statistical tools that enrich the IDS data and can sometimes provide early anomaly indications as well.
NSM event-driven analysis in Tao of NSM is centered on Sguil - a new GUI frontend to NIDS, session and other context data, facilitating easy and effective event classification and escalation (if needed).
Emergency NSM vs ongoing monitoring NSM procedures are also covered in the book. Even if an organization does not maintain an ongoing security monitoring program, it can still benefit from NSM that is deployed after a suspected intrusion.
Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human (such as simply attempting to overwhelm the analysts) and process components of the NSM.
The book should be required reading for any security professional, and for those wishing to enter the field. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations (where tuned sensors and skilled analysts are an exception rather than the rule), the book is a superb security resource even for those who do not choose to implement NSM at the moment.
info-secure.org maintainer Anton Chuvakin, Ph.D., GCIA, GCIH is a security strategist and author of Security Warrior . You can purchase Tao of Security Monitoring from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
His other book Incident Response covers what to do once you've been attacked.
Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?
I have been reading this authors blog for a while now...
If you are in to BSD/Security, you should really check it out.
- Stealing the network: How to Own a Continent
This one is co-authored by a bunch of well know hackers/crackers ieIt's for real. I normally don't go for these things but...Free ipods (click here to get yours) .
That's a really good question. To me the bible is Stevens TCP/IP Illustrated Vol I. While Northcutt's book is a great introduction to IDS and anaylsis for beginners, I think Rich's book goes beyond that (as evident in reviews from respected members in the community like Lance Spitzner from the Honey Net Project). To quote Ron Gula from the foreword of Richard's book.
You can also read a couple of sample chapters from the book.
Of course, I am a little bias. Rich is a great friend, but I truly think he did an awesome job of creating something that should be required reading for anyone involved in network secuirty.
Bammkkkk
www.sguil.net
The Analyst Console for NSM