Tao of Security Monitoring

Anton Chuvakin writes "Here is a really cool security book that made me lose half a night's sleep when I first got it. Richard Bejtlich's Tao of Network Security Monitoring (Tao of NSM) covers the process, tools and analysis techniques for monitoring your network using intrusion detection, session data, traffic statistical information and other data." Read on for Chuvakin's review of the book. Tao of Security Monitoring author Richard Bejtlich pages 798 publisher AWL rating 10 reviewer Anton Chuvakin ISBN 0321246772 summary Awesome and novel book on monitoring security

The book starts with an fun, exciting background section introducing security, addressing both risks and the need to monitor networks and systems. Topics such as the classic "threat x vulnerability x value = risk" formula to threat modeling and limitation of attack prevention technologies are included. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, defining at a high level a reasonable security process for an organization. The threat-analysis material seems to have military origins, but is enlightening for other types of organizations as well.

The concept of network security monitoring, as in the book's title, is introduced as being 'beyond IDS' -- with some coverage on why IDS deployments fail and what else is needed (NSM process and tools, that is).

Bejtlich makes the important, rarely appreciated point that intruders are often smarter than defenders. It presents a stark contrast to the "staying ahead of the hackers" theme of many security books, an approach which makes no sense in many cases as the attackers are in fact far ahead to start with. The NSM approach will indeed work against advanced attackers, albeit (as the author admits) at a high resource cost to the defending organization. Such 'worst case' scenario preparations are extremely rare in other security books. Detecting such intruders is covered as part of a breakdown of the compromise process into five phases (from reconnaissance to using/abusing the system).

Another gem is the idea of a "defensible network": not "secure" or "protected," but defensible. A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services. A network so configured assures that if bad things happen there, they can be handled effectively.

I liked how the tools are covered in the book. The explanation of each tool is not simply a rephrasing of that tool's manual, but rather presents the tool's best use in the context of the entire system. While the paradigm "products perform collection, people perform analysis" might grow stale as the products get smarter, having training analysts still is one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.

A chapter on netflow and other types of session/connectivity data presents considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion action that did not directly produce IDS alerts. Same applies to traffic visualization and statistical tools that enrich the IDS data and can sometimes provide early anomaly indications as well.

NSM event-driven analysis in Tao of NSM is centered on Sguil - a new GUI frontend to NIDS, session and other context data, facilitating easy and effective event classification and escalation (if needed).

Emergency NSM vs ongoing monitoring NSM procedures are also covered in the book. Even if an organization does not maintain an ongoing security monitoring program, it can still benefit from NSM that is deployed after a suspected intrusion.

Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human (such as simply attempting to overwhelm the analysts) and process components of the NSM.

The book should be required reading for any security professional, and for those wishing to enter the field. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations (where tuned sensors and skilled analysts are an exception rather than the rule), the book is a superb security resource even for those who do not choose to implement NSM at the moment.

info-secure.org maintainer Anton Chuvakin, Ph.D., GCIA, GCIH is a security strategist and author of Security Warrior . You can purchase Tao of Security Monitoring from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Common Sense

[MikeMacK]

A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services.

This seems like common sense. Shouldn't all network admins be doing this anyway?

Re:Common Sense

[kelnos]

This seems like common sense. Shouldn't all network admins be doing this anyway?

sure. but saying and doing are two very different things. there are lots of different things you can do to monitor your network, all with different costs (both in performance and cash), and all with different levels of required human intervention.

at the very least, i imagine many networks have an admin budget that is too small to allow as much thoroughness in securing the network as the Tao of NSM would recommend - both in money to buy proprietary products, and in manpower to set up, monitor, and maintain them.

Re:Common Sense

Yes. Despite what the wannabes and poseurs say, many Microsoft patches to break things. We got hit with Blaster because we couldn't patch for it because the patch broke Autodesk applications which are ctitical to our business. One patch killed one of our servers and only upon deep research did I doscover that even MS warned you that the patch would kill any system using a Compaq Smart Array RAID controller. Too late for us though. It is easy for all the computer hobbyists who don't actually work in IT to blame the sysadmin for all the security problems but the day to day reality is way more complex than that.

Re:Common Sense

[Dabido]

This seems like common sense. Shouldn't all network admins be doing this anyway?

As someone who has worked as both a Network Engineer and a System Administrator, I can tell you that Management and common sense do not go together. Many a time we asked for tools and software to help stop the hackers, but management refused under the grounds that they thought "security through obscurity" would work. They figured no one would hack into us. When we did testing and found holes in the security that script kiddies could waltz through, Management thought we were making the holes and told us not to test.

Easy solution is to buy the book and repeatedly beat management over the head with the thing till they understand that security is important and that "security through obscurity" doesn't work. But, management do have thick heads, and it might take a long time of beating before they get it into their brain ... if it ever goes in.

Common sense ... yes ... but what to do about management. [and if someone does hack in ... guess who would have got the blame!] I think most network people like to do these common sense security things ... it's management who blocks us, or refuses to allocate funds that are the real problem. [Just after I left the last place I worked, the Network Manager who took over ran the network with no firewall between the business LAN/WAN and the internet for two months. Is he dumb .. or is he just plain stooopid? Maybe he should run for President!]

Nani-mo hoshii mono-ga nai!!!!

Linux kernel "security problem"

[Dr.Dubious+DDQ]

I know I've said this before, but that particular report of a "security problem" (why that's in quotes, I'll get to in a moment) in the Linux kernel is an excellent illustration of the difference between Microsoft's (and presumably other proprietary vendors) attitude to "security" vs. most open source projects.

This problem can be simplistically summarized thusly: "Someone who can log into a linux system can conceivably run a malicious program that might crash or lock up the Operating System". In Linux, this is characterized as a "Security Problem".

Now, think about it - if you called Microsoft (picking on them since that's the proprietary vendor we're talking about at the moment) and said "Hey, I have a program that when I run it, it crashes the system"...what kind of response will you get? "Well, don't run that program. It's obviously either defective or a trojan." Which would be the truth. But they have historically not considered that a problem in the OS AT ALL, let alone a security problem. Remember all those years ago when they claimed that most windows crashes are caused by anti-virus software?...)

Yes, FOSS also has flaws. Sometimes even serious ones. But it usually seems like FOSS projects more readily and more quickly address those flaws than proprietary ones do.

Re:Another Great book

[PitaBred]

I'd get a free iPod if I didn't have a moral issue with fucking other people over. Same as with Ponzi schemes, and all other multi-level marketing scams. Someone is making money, and it usually isn't you.