Friday, 23 August 2013

Book Review: Practice Of Network Security Monitoring

In a rare day off today with nothing planned, I had the opportunity to eventually get around to reading Richard Bejtlich's new book, the Practice of Network Security Monitoring.

I've been a huge fan of Richard's for over ten years, initially of his blog and then also of both his books: Tao of Network Security Monitoring and Extrusion Detection. In fact, his blog was the first blog I ever subscribed to and read on a regular basis back in 2003!

Having heard in May that he had a new book on the cards, I was really looking forward to getting a copy and it definitely didn't disappoint.

Network security monitoring (NSM) is something that's close to my heart, as when I started out in information security this was one of the first areas I worked in. I was responsible for setting up a network monitoring solution for a very large and diverse network in order to try and give our team greater visibility of incidents, particularly for post-incident analysis. This involved setting up network taps at key network points to get full packet capture data, setting up NetFlow to aggregate session data from network devices and trying to piece all this together using a variety of dodgy Perl scripts and PHP code written by myself!

However, over the years I've moved into wider information security roles and have had less and less time to work in the area of NSM and so I was really looking forward to this book as a good refresher on what's happening in the space.

For those of you who haven't read any of Richard's previous books, his style is very much on explanation through practical exercises with a focus on theory only where necessary. This book follows the same format and uses packet captures and sample data that you can download yourself and follow along with each of the examples. What is particularly handy is the availability of the Security Onion Linux distribution, which has all the tools you'll need installed by default. This dramatically speeds up getting stuck into the actual practical exercises, without the need to install and configure each tool.

The first few chapters of the book give an introduction to NSM, covering what NSM is all about, including the different types of NSM data (full content data, session data, transaction data, statistical data, metadata and alert data) and the considerations around the placement of network taps to gain a full picture of network traffic. These fundamentals are essential to a good understanding of NSM, so it's worth spending the time on these chapters if you're new to the area.

The book then runs through installation of Security Onion. As mentioned above, Security Onion is a Linux distribution specifically for NSM and comes with the majority of the tools you'll want to try out installed by default. It's very similar in idea to Helix for forensics and BackTrack/Kali for penetration testing. I've been looking for a reason to play around with Security Onion for the last year or so and this book was the perfect excuse for me. I did run into a few problems getting it installed on my ESXi server, so that slowed me down a bit, but nothing that couldn't be solved, so within an hour or so I was up and running with it.

The book then looks at the key command line and GUI based tools that you'll use as part of NSM, including tcpdump, tshark and Wireshark, Argus, Bro, Xplico and NetworkMiner. The last two (Xplico and NetworkMiner) were new to me, so it was interesting to play around with these on my network.

Once you have an understanding of the basic NSM tools, Richard then looks at NSM consoles and how these correlate data from the various tools and allow an NSM analyst to easily pivot between the different levels of data during analysis. This section covers Sguil, Squert, Snorby and Enterprise Log Search and Archive (ELSA), and this section was particularly interesting for me as this is exactly what I was trying to create with my very basic Perl and PHP scripts years ago. It's great to see how far this side of the NSM space has evolved in the open source space, as Sguil and ELSA were really only just starting out when I last looked at them!

The book then moves more towards the theory of incident response and setting up CIRTs. I found this very interesting from a management perspective as it outlines at a high level what roles you should have in place in a CIRT, some of the different approaches to prioritising incidents (such as threat focused and asset focused) and some thoughts on how to share data between the team and stakeholders during an incident.

Richard then takes two examples of incidents, one server-side compromise and one client-side compromise, and walks through the identification and analysis of the incidents using the tools previously explained. Again, this is a really practical example that is easy to understand and follow, and it goes to show not just how to use the various tools, but why to use them to get different views of data during an incident.

The remainder of the book looks at extending the built-in functionality in Security Onion and also outlines some common issues with regard to dealing with incident response in the real world (proxies and IP checksum failures). There is also a final set of thoughts on applying NSM in the cloud which mentions ThreatStack (which I wasn't previously aware of) and Packetloop (which is a company I've been interested in since the start of the year when the beta was released). NSM for the cloud is a really interesting area that I'm hoping will be the area of research over the next few years.

As expected, I thoroughly enjoyed this book and would highly recommend this to anyone who has an interest in incident response or network security.

If you're new to NSM or incident response, then this should be the first book you go to on the topic. And even if you've read Richard's previous books, then I'd still recommend this to get back up to speed on what's happening in the area.


Links:
No Starch Press http://www.nostarch.com/nsm
Amazon http://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099

Tuesday, 11 June 2013

Book Review: Seven Databases in Seven Weeks - A Guide to Modern Databases and the NoSQL Movement

During some holiday downtime, I took the opportunity to have a skim through my latest Amazon recommendations and came across two titles outside of the information security space that I thought would be interesting reads.

The two books were Seven Databases in Seven Weeks - A Guide to Modern Databases and the NoSQL Movement and Cloud Architecture Patterns. In short, both are excellent books and if you're at all interested in cloud and databases, then both are thoroughly recommended.

I'll hopefully get some time to review Cloud Architecture Patterns over the next few weeks but for the moment I'll cover off Seven Databases in Seven Weeks.

If you hear the title "seven databases in seven weeks" and think this is a book covering Oracle, SQL Server, MySQL, DB2, PostgreSQL and whatever other two relational databases that spring to mind, then you probably need to go and buy this book immediately!

While this book covers relational databases briefly in one chapter (PostgreSQL specifically), it's primarily written to give a broad overview of the new suite of databases that fall under the banner of NoSQL.

As I haven't been exposed to NoSQL databases in any particular hands-on manner, I thought this book would be a good overview to get me up and running, and I wasn't wrong.

NoSQL databases are the suite of databases that don't follow the conventional relational database model and are designed to serve specific purposes such as speed of response, flexibility of data storage and horizontal scalability.

The book specifically looks at some of the most common NoSQL database types: key-value store, columnar, document and graph.

The whole book is very practically oriented, with each chapter dedicated to a single implementation of a NoSQL database type, and multiple implementations covered for certain types. In total it covers six NoSQL databases: Riak and Redis (key-value store), HBase (columnar), MongoDB and CouchDB (document) and Neo4j (graph).

Each chapter follows roughly the same format: explain the theory of the particular database type, provide examples of how data is created, read, updated and deleted, explain in more detail the specific benefits of the database and then tie it all together with some real data import and analysis examples.

The chapters are short and easily digested and the style of writing makes for an easy read, despite discussing some pretty technical topics. The examples are also short and easy to run through and one idea that I really liked was that they show how to download large, pre-existing datasets from Wikipedia and Freebase, which can be imported into the particular database under review. This is excellent because it quickly provides a large dataset that can be used to demonstrate the benefits of each database.

The final chapter is particularly interesting as it provides a simple example as to how the different NoSQL database types can be combined into a single system in order to maximise the potential advantages that each can provide.

While this book isn't going to make you a database expert in any of the NoSQL databases it covers, this isn't the purpose of this book. What it does do exceptionally well is give a really concise, but highly practical introduction to a broad range of NoSQL databases, which for someone like myself is a perfect introduction to the topic.

Overall, I can't recommend this book highly enough if you want a quick and practical introduction to NoSQL databases.


Links:
The Pragmatic Bookshelf http://pragprog.com/book/rwdata/seven-databases-in-seven-weeks
Amazon http://www.amazon.com/Seven-Databases-Weeks-Modern-Movement/dp/1934356921/

Thursday, 10 January 2013

Book Review: Risk Intelligence - How to Live with Uncertainty


A number of years ago, when writing my masters thesis, I had the great pleasure of meeting the author of this book (Dylan Evans) and got some fantastic insights into how he viewed risk. At the time he was in the middle of writing this book, but after I finished my thesis and went back to focusing on the day job, I somehow managed to completely forget that the book was being written.

However, during one of my random walks around the bookshop before Christmas, I accidentally stumbled upon it and picked it up immediately as I knew it was going to be interesting. And I can safely say it didn't disappoint.

Working in information security you're surrounded by the concept of risk. Every day you make judgement calls on the risk of particular scenarios and advise on controls to help manage these risks.

However, have you ever asked yourself how sure you are of these decisions? How sure are you about the likelihood of this threat occurring and that it will actually have that level of impact? If you haven't, then skip the rest of this review and just go out and buy this book!

If you have thought about this, then you'll know that ultimately, when we evaluate risks, we estimate. Yes, we try and use any existing data that we have but ultimately we need to estimate based on our experience and judgement.

Why? Well, there are many reasons for this, but here are a few: we don't have enough data, historical data isn't a predictor of future security events and ultimately we can't predict the future with certainty.

By the way, if by chance you can predict the future with absolute certainty, then give me a ring and we'll do the lottery this Saturday!

So if we are providing estimates every day, how good are we are at making those estimations?

That's exactly the topic of the book Risk Intelligence. While there are many interpretations of the term risk intelligence, Evans defines risk intelligence as the ability to estimate probabilities accurately. It's about gaining a better insight into our own inherent over or under confidence, along with gaining an understanding of the natural biases that we all are subject to and then consciously forcing ourselves to try and counteract these in order to improve our ability to estimate risk.

I first came across this concept three years ago when investigating quantitative approaches to optimising information security investment for my master's thesis, through the books Risk Analysis by David Vose and How to Measure Anything by Doug Hubbard. However, both only touch quickly on the topic and I was always interested in reading a more detailed discussion of it. By the way, if you haven't read any of Doug Hubbard's books, put them on your reading list too!

This book is an effortlessly easy read and covers the many challenges to making more accurate estimates along with examples of how to identify these challenges and reduce their influence.

These challenges cover topics such as over and under confidence, accuracy vs. precision, biases such as availability, source credibility and confirmation, organisational culture, interpretation of statistics, black swans and many more.

What I particularly liked about the book is that each concept is linked back to an easy to understand example or anecdote, making the book far more accessible than your average risk textbook.

Additionally, Evans' company ProjectionPoint has a free online test that allows you to evaluate your own risk intelligence through a quick test, and I found this a really practical way to illustrate the point and gain a better insight into your own current state of risk intelligence. The book also contains data on the results of previous test takers so you can baseline your level against others.

If you work in any kind of risk management, or even if you would just like to better understand how good (or bad) decisions can be made in your everyday life, I'd highly recommend reading this book.

Links:
Amazon http://www.amazon.co.uk/Risk-Intelligence-How-Live-Uncertainty/dp/1451610904

Thursday, 3 January 2013

Book Review: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems (Second Edition)


One of the most startling problems I find when interviewing is that the majority of people don't seem to have a good grasp of basic networking.

Ask someone what happens at a packet level when they type www.google.com into their browser and you are often met with a blank response.

If you can't rattle off how DNS, ARP, basic routing, the TCP three-way handshake and high-level HTTP work, I'm going to be disappointed!

What I've found over the years is that a solid, fundamental knowledge of networking is absolutely essential for any kind of hands-on information security work, be it understanding firewall rules, reviewing system design documentation, performing penetration testing or during incident response.

The problem with fully understanding networking is that, as with many things, it's all well and good reading it in a book but what you really need to do is see it in action in a network sniffer.

The problem with that of course is that most people don't have enterprise networks in their house for testing, and I wouldn't recommend digging around on production systems unless you fancy a rather abrupt end to your career!

This is where I think Practical Packet Analysis really comes into its own. The book takes you step by step through the fundamentals of networking, but provides sample packet captures in PCAP format and talks through each capture and how it's displayed and analysed in Wireshark.
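To make the handshake and the PCAP format mentioned above concrete, here is an added example that is not from the book or this blog: a pure-Python reader for the libpcap file format that decodes Ethernet/IPv4/TCP headers and picks out completed TCP three-way handshakes. The capture bytes and the RFC 5737 documentation addresses are constructed here; the reader assumes plain Ethernet framing (no VLAN tags) and ignores anything that is not IPv4 carrying TCP.

```python
import socket
import struct
SYN, ACK = 0x02, 0x10                        # TCP flag bits used below

def tcp_frame(src, dst, sport, dport, flags, seq, ack):
    # Ethernet/IPv4/TCP frame with zeroed MACs and checksums (constructed sample)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    # Little-endian libpcap file: 24-byte global header (linktype 1 = Ethernet) + records
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1377216000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def parse_pcap(data):
    # Yield (src, dst, sport, dport, flags) for every TCP-over-IPv4 frame
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24                                 # skip the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # keep IPv4 carrying TCP
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]           # honour the IP header length
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               *struct.unpack("!HH", tcp[:4]), tcp[13])

def handshakes(packets):
    # Completed SYN / SYN-ACK / ACK exchanges as (client, server, server_port)
    pending, done = {}, []                   # pending: (client, server, sport, dport) -> stage
    for src, dst, sport, dport, flags in packets:
        if flags == SYN:
            pending[(src, dst, sport, dport)] = 1
        elif flags == SYN | ACK and pending.get((dst, src, dport, sport)) == 1:
            pending[(dst, src, dport, sport)] = 2
        elif flags == ACK and pending.get((src, dst, sport, dport)) == 2:
            del pending[(src, dst, sport, dport)]
            done.append((src, dst, dport))
    return done

SAMPLE_PCAP = build_pcap([   # constructed: one full handshake to port 80, one unanswered SYN to 443
    tcp_frame("192.0.2.5", "198.51.100.10", 51000, 80, SYN, 100, 0),
    tcp_frame("198.51.100.10", "192.0.2.5", 80, 51000, SYN | ACK, 5000, 101),
    tcp_frame("192.0.2.5", "198.51.100.10", 51000, 80, ACK, 101, 5001),
    tcp_frame("192.0.2.5", "198.51.100.10", 51001, 443, SYN, 200, 0),
])
```

Running `handshakes(parse_pcap(SAMPLE_PCAP))` returns only the port 80 connection; the lone SYN to 443 stays pending, which is exactly the half-open pattern you would look for in Wireshark when a host is probing or a service is not answering.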

The later sections of the book dig more into troubleshooting network problems, which may not be relevant for information security on a day to day basis, but it's always handy to have as a resource in the back pocket.

Does this book explain every single protocol in a deep dive technical approach? No, definitely not. But what it does is give you one better. It gives you the basics, allowing you to better understand new protocols when you come across them. And if you're interested in more packet captures than you can shake your tcpdump at, check out Open Packet (https://www.openpacket.org/).

Taking this book, along with a good TCP/IP reference such as TCP/IP Illustrated Vol 1, will get you up to speed in networking in a short time and will dramatically increase your confidence in reviewing packet captures.

And it should also answer my interview questions if we ever cross paths!


Links:
No Starch Press http://nostarch.com/packet2.htm
Amazon http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669