Friday 23 August 2013

Book Review: Practice Of Network Security Monitoring

In a rare day off today with nothing planned, I had the opportunity to eventually get around to reading Richard Bejtlich's new book, the Practice of Network Security Monitoring.

I've been a huge fan of Richard's for over ten years, initially of his blog and then also of both his books, The Tao of Network Security Monitoring and Extrusion Detection. In fact, his blog was the first blog I ever subscribed to and read on a regular basis back in 2003!

Having heard in May that he had a new book on the cards I was really looking forward to getting a copy and it definitely didn't disappoint.

Network security monitoring (NSM) is something that's close to my heart as when I started out in information security, this was one of the first areas I worked in. I was responsible for setting up a network monitoring solution for a very large and diverse network in order to try and give our team greater visibility of incidents, particularly for post incident analysis. This involved setting up network taps at key network points to get full packet capture data, setting up Netflow to aggregate session data from network devices and trying to piece all this together using a variety of dodgy Perl scripts and PHP code written by myself!

However, over the years I've moved into wider information security roles and have had less and less time to work in the area of NSM and so I was really looking forward to this book as a good refresher on what's happening in the space.

For those of you who haven't read any of Richard's previous books, his style is very much on explanation through practical exercises with a focus on theory only where necessary. This book follows the same format and uses packet captures and sample data that you can download yourself and follow along with each of the examples. What is particularly handy is the availability of the Security Onion Linux distribution, which has all the tools you'll need installed by default. This dramatically speeds up getting stuck into the actual practical exercises, without the need to install and configure each tool.

The first few chapters of the book give an introduction to NSM, covering what NSM is all about, including the different types of NSM data (full content data, session data, transaction data, statistical data, metadata and alert data) and what considerations there are in relation to the placing of network taps to gain a full picture of network traffic. These fundamentals are essential to a good understanding of NSM, so it's worth spending the time on these chapters if you're new to the area.

The book then runs through installation of Security Onion. As mentioned above, Security Onion is a Linux distribution specifically for NSM and comes with the majority of the tools you'll want to try out installed by default. It's very similar in idea to Helix for forensics and BackTrack/Kali for penetration testing. I've been looking for a reason to play around with Security Onion for the last year or so and this book was the perfect excuse for me. I did run into a few problems getting it installed on my ESXi server, so that slowed me down a bit, but nothing that couldn't be solved, so within an hour or so I was up and running with it.

The book then looks at the key command line and GUI based tools that you'll use as part of NSM, including tcpdump, tshark and Wireshark, Argus, Bro, Xplico and NetworkMiner. The last two (Xplico and NetworkMiner) were new to me, so it was interesting to play around with these on my network.

Once you have an understanding of the basic NSM tools, Richard then looks at NSM consoles and how these correlate data from the various tools and allow an NSM analyst to easily pivot between the different levels of data during analysis. This section covers Sguil, Squert, Snorby and Enterprise Log Search and Archive (ELSA), and this section was particularly interesting for me as this is exactly what I was trying to create with my very basic Perl and PHP scripts years ago. It's great to see how far this side of the NSM space has evolved in the open source space, as Sguil and ELSA were really only just starting out when I last looked at them!

The book then moves more towards the theory of incident response and setting up CIRTs. I found this very interesting from a management perspective as it outlines at a high level what roles you should have in place in a CIRT, some of the different approaches to prioritising incidents (such as threat focused and asset focused) and some thoughts on how to share data between the team and stakeholders during an incident.

Richard then takes two examples of incidents, one server-side compromise and one client-side compromise, and walks through the identification and analysis of the incidents using the tools previously explained. Again, this is a really practical example that is easy to understand and follow, and it goes to show not just how to use the various tools, but why to use them to get different views of data during an incident.

The remainder of the book looks at extending the built-in functionality in Security Onion and also outlines some common issues with regard to dealing with incident response in the real world (proxies and IP checksum failures). There is also a final set of thoughts on applying NSM in the cloud, which mentions ThreatStack (which I wasn't previously aware of) and Packetloop (which is a company I've been interested in since the start of the year when the beta was released). NSM for the cloud is a really interesting area that I'm hoping will be the area of research over the next few years.

As expected, I thoroughly enjoyed this book and would highly recommend this to anyone who has an interest in incident response or network security.

If you're new to NSM or incident response, then this should be the first book you go to on the topic. And even if you've read Richard's previous books, then I'd still recommend this to get back up to speed on what's happening in the area.


Links:
No Starch Press http://www.nostarch.com/nsm
Amazon http://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099
