Tao of Security Monitoring
The book starts with a fun, exciting background section introducing security, addressing both risks and the need to monitor networks and systems. Topics ranging from the classic "threat x vulnerability x value = risk" formula to threat modeling and the limitations of attack-prevention technologies are included. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, which defines at a high level a reasonable security process for an organization. The threat-analysis material seems to have military origins, but it is enlightening for other types of organizations as well.
The concept of network security monitoring, as in the book's title, is introduced as being 'beyond IDS' -- with some coverage on why IDS deployments fail and what else is needed (NSM process and tools, that is).
Bejtlich makes the important, rarely appreciated point that intruders are often smarter than defenders. This presents a stark contrast to the "staying ahead of the hackers" theme of many security books, an approach which makes no sense in many cases because the attackers are in fact far ahead to start with. The NSM approach will indeed work against advanced attackers, albeit (as the author admits) at a high resource cost to the defending organization. Such 'worst case' scenario preparations are extremely rare in other security books. Detecting such intruders is covered as part of a breakdown of the compromise process into five phases (from reconnaissance to using/abusing the system).
Another gem is the idea of a "defensible network": not "secure" or "protected," but defensible. A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services. A network so configured assures that if bad things happen there, they can be handled effectively.
I liked how the tools are covered in the book. The explanation of each tool is not simply a rephrasing of that tool's manual, but rather presents the tool's best use in the context of the entire system. While the paradigm "products perform collection, people perform analysis" might grow stale as the products get smarter, having trained analysts is still one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.
A chapter on netflow and other types of session/connectivity data is of considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion activity that did not directly produce IDS alerts. The same applies to traffic visualization and statistical tools that enrich the IDS data and can sometimes provide early anomaly indications as well.
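As an added illustration of the session-data argument above (example code written for this review page, not from the book or from any NSM tool), the script below flags a low-and-slow host sweep from constructed flow records: a source that touches many distinct hosts on one port while never exceeding a per-hour burst that a threshold-based scan detector would notice. The flow layout, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Each record is (start_time, src, dst, dport): the minimum a session
# collector keeps, and enough to see patterns that never raise an IDS alert.
def build_sample_flows():
    """Constructed sample data (not from the book or any real capture)."""
    t0 = datetime(2004, 7, 1, 0, 0)
    flows = []
    # A stealthy sweep: one TCP/21 session to a different DMZ host every 75 min.
    for i in range(20):
        flows.append((t0 + timedelta(minutes=75 * i), "198.51.100.7",
                      f"192.0.2.{10 + i}", 21))
    # A legitimate user hammering the single FTP server in a short burst.
    for i in range(30):
        flows.append((t0 + timedelta(hours=9, minutes=i), "203.0.113.5",
                      "192.0.2.10", 21))
    return sorted(flows)

def max_in_window(times, window=timedelta(hours=1)):
    """Largest number of sessions from one source inside any sliding window;
    this is the quantity a burst/threshold portscan detector looks at."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def find_slow_sweeps(flows, min_hosts=10, max_burst=5):
    """Flag sources that reached many distinct hosts on one port yet never
    exceeded max_burst sessions in any hour, so a burst detector stays silent."""
    by_src = defaultdict(list)
    for when, src, dst, dport in flows:
        by_src[(src, dport)].append((when, dst))
    hits = []
    for (src, dport), recs in by_src.items():
        hosts = {dst for _, dst in recs}
        times = [when for when, _ in recs]
        burst = max_in_window(times)
        if len(hosts) >= min_hosts and burst <= max_burst:
            span = (max(times) - min(times)).total_seconds() / 3600
            hits.append({"src": src, "dport": dport, "hosts": len(hosts),
                         "span_hours": round(span, 1), "max_per_hour": burst})
    return hits

if __name__ == "__main__":
    for hit in find_slow_sweeps(build_sample_flows()):
        print(hit)
```

The burst from the legitimate client is ignored because it reaches one host, while the sweep is reported even though it never produces more than one session per hour.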
NSM event-driven analysis in Tao of NSM is centered on Sguil, a new GUI frontend to NIDS, session and other context data, which facilitates easy and effective event classification and escalation (if needed).
Emergency NSM vs ongoing monitoring NSM procedures are also covered in the book. Even if an organization does not maintain an ongoing security monitoring program, it can still benefit from NSM that is deployed after a suspected intrusion.
Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human (such as simply attempting to overwhelm the analysts) and process components of the NSM.
The book should be required reading for any security professional, and for those wishing to enter the field. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations (where tuned sensors and skilled analysts are an exception rather than the rule), the book is a superb security resource even for those who do not choose to implement NSM at the moment.
info-secure.org maintainer Anton Chuvakin, Ph.D., GCIA, GCIH is a security strategist and author of Security Warrior. You can purchase Tao of Security Monitoring from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
I used to think so, then I hit the real world - where everyone seems scared shitless that patches are going to break their "system". Where I work we must have about 6 to 7 of the aforesaid systems, which involve many more computers. I sometimes wonder if this is just where I work, but I tend to find this in most other places I've seen as well.
I've seen enough bad patches/upgrades to wonder if they might be right.
"If you're serious about security and aren't afraid of the mailing lists, OpenBSD is really the only way to go."
- Richard Bejtlich
I'm also the application maintainer of a web application. During my holiday the application started to have some random problems. When I returned I began the investigation into the cause.
I couldn't reproduce the errors, so it took some time to get further with finding the cause. After some time I looked at the Event Viewer (yes, it is Win2000 and not Linux) and saw that the computer rebooted on average twice a day. The error messages said "Unexpected reboot". The sysadmin could find a cause also. In most cases this error was caused by a hardware error. So what I did was download Ethereal and monitor the network traffic from the server. (This shows how nice open source is. You just download it for free as in beer. If there was no FOSS I couldn't do this.) I saw some strange network traffic to port 445 on the computer. I also saw that it used a specific function. When I googled this function I saw that there was a bug in the 'lsass' program regarding this function. Then I checked the network traffic from the source host and saw some strange network traffic to outside the organisation on port 445, which is very strange. After the investigation of the computer (desktop) they found the pedodo (I think it is called this way) trojan. (It collects passwords and credit card numbers.)
Now we patched the server (it was only SP4) and everything was fine. This solved the problem. So I think this solved the problem. My conclusion was that this trojan disturbed the server.
This shows how fucked Windows is and how great FOSS is.
Shameless Plug: Check out Sguil if you have a chance. http://sguil.net/
------------ scottder
I hate when people assume they're smarter than I am. I hate those "For Dummies" and "For Idiots" books, because I am in no way a dummy nor an idiot. I simply don't have the same information.
Tell me I'm misinformed, tell me I don't know everything, I'll agree with you. Tell me that some hacker is smarter than I am, and I'll tell you that you need to find a new definition of smarter. The only thing that hacker might have on me is knowledge of a few things I don't.
Anyway, rant over, and this actually sounds like a good book otherwise. I'll probably pick it up.
My blog. Good stuff (when I remember to update it). Read it.
Guess I won't be buying that book.
Things like fast-spreading infectors that got past your A/V proxies because they got to them before the vendor's new pattern file did.
Attempts by employees to download things like Back Orifice for use as revenge tools.
Engineering failures.
Misconfigurations.
Vendor screwups.
Stealthy host sweeps that dribble one TCP/21 packet every 75 minutes into your Internet-facing DMZ. No, that last one totally blew by our worthless network IDS; we ended up blackholing the IP at the border router. No choice, our DMZ ftp server used wu-ftpd.
Porn download attempts.
Boxes in your trusted network infected by viruses.
I spent twenty months doing log monitoring. I caught all these event types and more. There is a whole wide, wacky wonderful World Of Hurt out there that you can duck or mitigate if you just monitor your logfiles. And most shops never really do.