Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tao of Security Monitoring

Posted by timothy on from the first-tao-no-harm dept.

Anton Chuvakin writes "Here is a really cool security book that made me lose half a night's sleep when I first got it. Richard Bejtlich's Tao of Network Security Monitoring (Tao of NSM) covers the process, tools and analysis techniques for monitoring your network using intrusion detection, session data, traffic statistical information and other data." Read on for Chuvakin's review of the book. Tao of Security Monitoring author Richard Bejtlich pages 798 publisher AWL rating 10 reviewer Anton Chuvakin ISBN 0321246772 summary Awesome and novel book on monitoring security

The book starts with an fun, exciting background section introducing security, addressing both risks and the need to monitor networks and systems. Topics such as the classic "threat x vulnerability x value = risk" formula to threat modeling and limitation of attack prevention technologies are included. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, defining at a high level a reasonable security process for an organization. The threat-analysis material seems to have military origins, but is enlightening for other types of organizations as well.

The concept of network security monitoring, as in the book's title, is introduced as being 'beyond IDS' -- with some coverage on why IDS deployments fail and what else is needed (NSM process and tools, that is).

Bejtlich makes the important, rarely appreciated point that intruders are often smarter than defenders. It presents a stark contrast to the "staying ahead of the hackers" theme of many security books, an approach which makes no sense in many cases as the attackers are in fact far ahead to start with. The NSM approach will indeed work against advanced attackers, albeit (as the author admits) at a high resource cost to the defending organization. Such 'worst case' scenario preparations are extremely rare in other security books. Detecting such intruders is covered as part of a breakdown of the compromise process into five phases (from reconnaissance to using/abusing the system).

Another gem is the idea of a "defensible network": not "secure" or "protected," but defensible. A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services. A network so configured assures that if bad things happen there, they can be handled effectively.

I liked how the tools are covered in the book. The explanation of each tool is not simply a rephrasing of that tool's manual, but rather presents the tool's best use in the context of the entire system. While the paradigm "products perform collection, people perform analysis" might grow stale as the products get smarter, having training analysts still is one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.

A chapter on netflow and other types of session/connectivity data presents considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion action that did not directly produce IDS alerts. Same applies to traffic visualization and statistical tools that enrich the IDS data and can sometimes provide early anomaly indications as well.

NSM event-driven analysis in Tao of NSM is centered on Sguil - a new GUI frontend to NIDS, session and other context data, facilitating easy and effective event classification and escalation (if needed).

Emergency NSM vs ongoing monitoring NSM procedures are also covered in the book. Even if an organization does not maintain an ongoing security monitoring program, it can still benefit from NSM that is deployed after a suspected intrusion.

Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human (such as simply attempting to overwhelm the analysts) and process components of the NSM.

The book should be required reading for any security professional, and for those wishing to enter the field. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations (where tuned sensors and skilled analysts are an exception rather than the rule), the book is a superb security resource even for those who do not choose to implement NSM at the moment.

info-secure.org maintainer Anton Chuvakin, Ph.D., GCIA, GCIH is a security strategist and author of Security Warrior . You can purchase Tao of Security Monitoring from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

21 of 107 comments (clear)

  1. Common Sense by MikeMacK · · Score: 4, Insightful
    A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services.

    This seems like common sense. Shouldn't all network admins be doing this anyway?

    1. Re:Common Sense by Keruo · · Score: 4, Funny

      NO! because Zonealarm is saying you're under ATTACK!!!

      and someone is pinging your host...

      --
      There are no atheists when recovering from tape backup.
    2. Re:Common Sense by kelnos · · Score: 3, Insightful
      This seems like common sense. Shouldn't all network admins be doing this anyway?
      sure. but saying and doing are two very different things. there are lots of different things you can do to monitor your network, all with different costs (both in performance and cash), and all with different levels of required human intervention.

      at the very least, i imagine many networks have an admin budget that is too small to allow as much thoroughness in securing the network as the Tao of NSM would recommend - both in money to buy proprietary products, and in manpower to set up, monitor, and maintain them.
      --
      Xfce: Lighter than some, heavier than others. Just right.
    3. Re:Common Sense by Anonymous Coward · · Score: 4, Insightful

      Yes. Despite what the wannabes and poseurs say, many Microsoft patches to break things. We got hit with Blaster because we couldn't patch for it because the patch broke Autodesk applications which are ctitical to our business. One patch killed one of our servers and only upon deep research did I doscover that even MS warned you that the patch would kill any system using a Compaq Smart Array RAID controller. Too late for us though. It is easy for all the computer hobbyists who don't actually work in IT to blame the sysadmin for all the security problems but the day to day reality is way more complex than that.

  2. No need! by StevenHenderson · · Score: 4, Funny

    Dude, I already downloaded SP2. I'm invincible now. Looks like this guy was just a little late with the book!

  3. His Other Book by kjfitz · · Score: 4, Informative

    His other book Incident Response covers what to do once you've been attacked.

    Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?

    1. Re:His Other Book by gnu-generation-one · · Score: 3, Funny

      "Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?"

      Upon learning that your systems have been penetrated, proper incident response is as follows:

      1. Scream. Hold head between hands and moan.
      2. Check passport, one-way tickets to South American country of choice. Express relief that the emergency escape kit is still operational.
      3. Remember advising boss to recind deparmental policy of secure sticky-note-on-the-monitor storage for passwords. Recall boss' gales of laughter in response. Take hefty swig of Jack Daniel's.
      4. Remember advising boss to please not open random e-mail attachments. Recall boss' blank stare in response. Suck on barrel of .357 revolver for 5 minutes or until sufficiently calmed down.
      5. Remember pleading with boss to allow filtering executable attachments. Recall boss' response. Almost pull trigger.
      6. Resist urge to yank server out of rack and dump out nineth-story window.
      7. Advise boss of break-in. This starts the long chain of blame-passing that ends when the CEO sacks 5 random people in middle management and below.
      8. Sit back and watch the spin machine start the vital post-incident response protocol of figuring out who might know what happened and silencing them.

  4. Re:All Night Long? by StalinsNotDead · · Score: 4, Funny

    Maybe he lost the sleep because after reading it he realized how vulnerable his network was.

    --
    Thanks to the internet, we can now all die alone together! -SomeWoman
  5. Best quote from the book: by Anonymous Coward · · Score: 4, Interesting


    "If you're serious about security and aren't afraid of the mailing lists, OpenBSD is really the only way to go."
    - Richard Bejtlich

  6. It is Officially . . . by pete-classic · · Score: 5, Funny

    . . . no longer clever to use the word "Tao" or "Zen" in your book title.

    Thank you for your attention regarding this matter.

    -Peter

    1. Re:It is Officially . . . by Anonymous Coward · · Score: 5, Funny


      So my plans to publish "The Tao of Zen" should be put on hold?

    2. Re:It is Officially . . . by grub · · Score: 5, Funny


      You needed more catchphrases. Might I suggest "Pushing the Envelope While Thinking Outside the Box: The Paradigm Shifts of Zen and the Art of Tao Maintenance"?

      --
      Trolling is a art,
  7. Re:Join the Crusade!!!! by Anonymous Coward · · Score: 3, Funny

    no no.. linux users just don't have sex.

  8. author's blog by coolguy81 · · Score: 5, Informative

    I have been reading this authors blog for a while now...

    If you are in to BSD/Security, you should really check it out.

  9. Finding a trojan by noerej · · Score: 4, Interesting

    I'am also a application maintainer of some web application. During mine holliday the application started to have some random problems. When I returned I begin the investigation to the cause.
    I Couldn't reproduce the errors, so it took some time to get futher with finding the cause. After some time I looked at the eventviewer (Yes it is Win2000 and not linux) and saw that the computer rebooted on average twice a day. The error messages said "Unexpected reboot". The sysadmin could find a cause also. In most cases this error was caused by a hardware error. So what I did is download etherreal and monitor the network traffic from the server. (This shows how nice opensource is. You just download in for free as in bear. If there was not FOSS i couldn't do this). I saw some strange network trafic to port 445 on the computer. I also saw that it uses a specific function. When I googled with this function I saw that there was I bug in the 'lsass' program regarding this bug. Then I checked the network traffic from the source host and saw some strange network traffic to outside the organisation on port 445, what is verry strange. After the investigation of the computer (desktop) they found the pedodo (I think it is called this way) trojan. (It collect passwords and creditcard numbers)
    Now we patched the server (it was only SP4) and every thing was fine. This solved the problem. So I think this solved the problem. Mine conclusion was that this trojan disturbed the server.
    This showes how fucked windows is and how great foss is.

  10. Another Great book by chadwbennett · · Score: 4, Informative
    If you like this one, or are interested in these books, another good read is
    1. Stealing the network: How to Own a Continent
    This one is co-authored by a bunch of well know hackers/crackers ie ... Fyodor, FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale, and several others.

    It's for real. I normally don't go for these things but...Free ipods (click here to get yours) .

    1. Re:Another Great book by PitaBred · · Score: 3, Insightful

      I'd get a free iPod if I didn't have a moral issue with fucking other people over. Same as with Ponzi schemes, and all other multi-level marketing scams. Someone is making money, and it usually isn't you.

      --
      My blog. Good stuff (when I remember to update it). Read it.
  11. SGUIl by scottder · · Score: 4, Interesting

    Shameless Plug: Check out SGUIl if you have a chance. http://sguil.net/

    --
    ------------ scottder
  12. Linux kernel "security problem" by Dr.Dubious+DDQ · · Score: 3, Insightful

    I know I've said this before, but that particular report of a "security problem" (why that's in quotes, I'll get to in a moment) in the Linux kernel is an excellent illustration of the difference between Microsoft's (and presumably other proprietary vendors) attitude to "security" vs. most open source projects.

    This problem can be simplistically summarized thusly: "Someone who can log into a linux system can conceivably run a malicious program that might crash or lock up the Operating System". In Linux, this is characterized as a "Security Problem".

    Now, think about it - if you called Microsoft (picking on them since that's the proprietary vendor we're talking about at the moment) and said "Hey, I have a program that when I run it, it crashes the system"...what kind of response will you get? "Well, don't run that program. It's obviously either defective or a trojan." Which would be the truth. But they have historically not considered that a problem in the OS AT ALL, let alone a security problem. Remember all those years ago when they claimed that most windows crashes are caused by anti-virus software?...)

    Yes, FOSS also has flaws. Sometimes even serious ones. But it usually seems like FOSS projects more readily and more quickly address those flaws than proprietary ones do.

    --
    Hacker Public Radio is our Friend
  13. Absolutely essential! by Paws+Across+the+Keyb · · Score: 5, Interesting
    OMFG, this is sooooo important. Infosec is my bread and butter, and has been for about six years, now. You simply would not believe the shannigans you can catch wise to if you monitor your system, A/V, and firewalls on a daily basis.

    Things like fast-spreading infectors that got past your A/V proxies because they got to them before the vendor's new pattern file did.

    Attempts by employees to download things like Back Orifice for use as revenge tools.

    Engineering failures.

    Misconfigurations.

    Vendor screwups.

    Stealthy host sweeps that dribble one TCP/21 packet every 75 minutes into your Internet-facing DMZ. No, that last one totally blew by our worthless network IDS; we ended up blackholing the IP at the border router. No choice, our DMZ ftp server used wu-ftpd.

    Porn download attempts.

    Boxes in your trusted network infected by viruses.

    I spent twenty months doing log monitoring. I caught all these event types and more. There is a whole wide, wacky wonderful World Of Hurt out there that you can duck or mitigate if you just monitor your logfiles. And most shops never really do.

  14. Re:How does it compare by bamm · · Score: 4, Informative

    How does it compare to the bible of all IDS analysts, Network Intrusion Detection by Stephen Northcutt & Judy Novak

    That's a really good question. To me the bible is Stevens TCP/IP Illustrated Vol I. While Northcutt's book is a great introduction to IDS and anaylsis for beginners, I think Rich's book goes beyond that (as evident in reviews from respected members in the community like Lance Spitzner from the Honey Net Project). To quote Ron Gula from the foreword of Richard's book.
    If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, "What's next" If so, this book is for you.

    You can also read a couple of sample chapters from the book.

    Of course, I am a little bias. Rich is a great friend, but I truly think he did an awesome job of creating something that should be required reading for anyone involved in network secuirty.

    Bammkkkk
    --
    www.sguil.net
    The Analyst Console for NSM