Sunday, 25 January 2015

Book Review: Designing and Building A Security Operations Centre

When I first came across this book, I really wasn't sure what level of detail or focus the author would be taking, so I'll cover that off straight away. While it touches on some technical areas, this book is very much focused on the organisational, operational and managerial aspects of building and running SoCs.

If you're looking for a book to tell you what tools to select for a SoC, how to architect them, or what types of monitoring and response you should be doing, then it's probably best to look elsewhere.

However, if you are interested in working in a SoC, are currently working in a SoC at a junior level, or are planning to set up or outsource a SoC and are new to the area, then I'd definitely recommend you read this book.

The first chapter walks through some basics around the types of operations centres and talks through the key phases in developing a SoC, which the author then uses as the basis for the structure of the book.

The second and third chapters discuss SoC customers, event/alert/incident definitions, SLAs and service catalogs before moving on to the various systems and supporting processes that need to be in place to support a SoC, with a particular focus on ticketing systems.

I particularly liked chapters four and five, which give good insight into some potential organisational structures and reporting lines for SoCs, high-level roles and key considerations in terms of responsibilities, breaking it out into options for smaller and larger SoCs. These chapters alone are worth a read if you're new to SoCs, as they'll give a good insight into the kind of resources you'll need and ideas on how these might overlap with your existing team.

Chapter six moves into covering the daily operations that should take place within a SoC. It doesn't go into details on incident response but does highlight the importance of root cause analysis and review documentation after an incident has been resolved, and the need for communication plans to be in place. It also highlights some of the key challenges in follow-the-sun models, around duplication of technical resources, inefficient handovers and inconsistent training/knowledge sharing, and the positives of such models, including local data storage for regulatory reasons and reduced local cultural/language barriers.

Chapter seven covers the importance of training and potential approaches to training your SoC team. I really liked the emphasis that the author placed on this aspect of SoC management, but I think this chapter could have been incorporated into the previous chapters on teams and people resources.

Chapter eight touches briefly on metrics but, rather than diving into long lists of potential metrics, discusses some of the potential approaches to metrics. The section here on vulnerability prioritisation is interesting but, for me, felt a little out of place within the overall context of the book.

Chapter nine runs through the threat intelligence that will normally be required within a SoC, covers some of the publicly available resources and touches on the types of commercial offerings in the area without diving into any particular vendor's commercial offering.

The last few chapters wrap up with some material on outsourcing that is very much worth a read if you're planning on outsourcing a SoC or engaging with an MSSP. One really nice aspect is that it contains a list of seventy-four questions to consider when selecting an MSSP. I always like to see guidance like this on the selection process for outsourced services, as there's often a huge information asymmetry between clients and vendors in info sec, and this guidance can at least help clients ask the right questions.

Overall, for the audience I outlined at the start of the review, this book is well structured and a solid introduction to the managerial aspects of SoCs. I felt it could have been shortened a bit to make it more concise, but other than that it was an informative read and worthwhile for the right audience.

Links:
Amazon http://www.amazon.com/Designing-Building-Security-Operations-Center/dp/0128008997/
Safari http://techbus.safaribooksonline.com/book/networking/security/9780128008997


Saturday, 10 January 2015

Book Review: The Frugal CISO

I came across The Frugal CISO purely by accident over Christmas, as it popped up as a new addition to Safari, and as I'm always on the lookout for security books that are a little bit different and non-technical, I figured it would be worth a read.

I'm really happy that I did, because The Frugal CISO is a really solid book on both information security management and management in general. This is definitely a book I'd recommend to anyone either taking up a leadership position in an info sec team or setting up a new security team in an organisation. For me personally there were a lot of points that resonated with me, as I've spent the last year putting in place a new regional security team from scratch for a large multinational, and there are definitely some good lessons that I learned along the way that are included in this book!

I do feel that the title of the book doesn't do it justice, however, as while the title seems to indicate that this book will be very focused on cost saving, it's really much more than that. This book is more about being a realistic CISO, and if there wasn't already a book called The Pragmatic CSO, I'd have called it that!

The book starts off with some very interesting points on the stages of maturity for an info sec team. The approach used differs from the usual maturity levels that we often see in info sec books and focuses more on the organisational aspects of maturity, covering things like funding and resource allocation, planning intervals, alignment with business strategy and stability of the team.

The next few chapters of the book focus on giving solid management advice in light of the challenges faced in info sec such as reduced budgets, increasing threats, and competition for staff, with particularly good chapters on team management and hiring that any hiring manager should read.

The book then moves on to a few chapters focusing on alternative views of policy definition and security awareness, and a good chapter on taking stock of your info sec program and always considering why you're doing what you do and whether it's still necessary.

The final few chapters have some great advice on budgeting, on appreciating that what works in one company may not work in all companies, and on being flexible and aiming to engage rather than block the business.

Overall, this book is full of good insights and ideas for info sec managers, and while some of the material is more general management focused, it's definitely a very highly recommended read for anyone in information security management and one that I'll definitely be recommending. I'd also love to see a follow-up book that deep dives a bit more into some of the areas around maturity and engaging with the business, as while these are oft-discussed topics, they rarely get the level of detail that I think a lot of people would benefit from.


Links:
CRC http://www.crcpress.com/product/isbn/9781482220070
Amazon http://www.amazon.com/The-Frugal-CISO-Innovation-Approaches/dp/1482220075
Safari http://techbus.safaribooksonline.com/book/networking/security/9781482220070

Sunday, 19 October 2014

Book Review: AWS System Administration

First of all, I would note that my review of this book is based on the Rough Cuts edition published on Safari and, as such, is not based on the final version of the text.

However, even at this stage, I'd highly recommend this book to anyone looking to get started with AWS. While there is a huge amount of material already on the web about AWS, it can be overwhelming for a newbie due to the huge range of services offered by AWS, and this book is a great summary and introduction.

The author starts off by introducing the basic concepts around EC2, which is pretty much the first thing everyone with an AWS account looks at. The book touches very briefly on the GUI aspects of the AWS Management Console but very quickly forgoes this to focus exclusively on how to programmatically administer AWS.

The book then starts looking at instances, CloudFormation (a rather neat provisioning tool covering a lot of AWS services) and AMIs, before explaining the fundamentals around securing access with IAM and network security with security groups.

Following this, the author touches on configuration management using Puppet, and then ties all this together by walking through an example setup of a web-based application within AWS that utilises the majority of the most common AWS services.

The final few chapters touch on log management, DNS, monitoring and backups, but at present these chapters are much lighter than the others. The focus of these chapters seems to be on helping the sysadmin understand some of the main caveats when considering these activities in AWS, rather than being a detailed discussion of how each can be implemented within AWS. I'm not sure if this is a result of the book not being fully finalised or simply due to the potentially huge scope that would exist if the author tried to cover these topics in more detail.

Throughout the book I particularly liked how the author highlights not only the good points of AWS, but also where there are gaps in the various services and the potential issues that a sysadmin may hit when trying to work around them. It's these bits of info that I think differentiate the book from the material you'll get online, as published material on AWS can sometimes be very focused on how everything "just works".

If you're looking for a high level introduction to the fundamentals of AWS system administration, then I'd definitely recommend this book.

Combining this book with a higher-level cloud architecture book such as Cloud Architecture Patterns makes for an ideal quick intro to cloud computing and AWS.

I really hope the author goes on to develop a further, more advanced book covering some of the other AWS services and more complex use cases within enterprises, as I think this would be a great addition to my library!

Links:
Safari: http://techbus.safaribooksonline.com/book/operating-systems-and-server-administration/9781449342562/

Monday, 22 September 2014

Book Review: Measuring and Managing Information Risk

I first came across Factor Analysis of Information Risk (FAIR) in around 2007 when I was looking into various risk analysis methods but couldn't find too much about it other than a white paper and a high level Cisco presentation.

Then in 2010, I did my MSc thesis on quantifying information security investment decisions, and this led me closer and closer towards FAIR and the approaches it uses, such as quantified estimates, subject matter expert calibration and Monte Carlo simulations.

At the time I had a great chat with Jack Jones (one of the authors of this book and original creator of FAIR) and even attended the FAIR Basic Analyst training course delivered by CXOWARE.

However, most people aren't this lucky, and while FAIR has been adopted by The Open Group and even has a certification in place with the OpenFAIR program, there hasn't been great material to self-study for the exam. So when I heard this book was going to be published, I was really excited.

The book starts off by first explaining what FAIR is, walks through the FAIR model and explains each variable within the model. The authors highlight some of the changes to the model since the original whitepaper on FAIR and cover why the changes have taken place.

It then moves on to provide a number of different worked scenarios using the FAIR approach, covering discussions on assets, threat communities, threat profiles, scenario building and actual analysis. This is the first time I've seen someone other than myself really walk through some FAIR analysis examples and these are great to see if you've never touched on FAIR before.

The book then shifts tack a little and looks at how controls are viewed from the authors' perspective, covering asset-level controls, variance controls and decision-making controls. The sections on variance and decision controls will definitely require a second read before I fully get to grips with the nuances of what the authors were highlighting. However, these chapters bring a depth of discussion on controls that I've never seen elsewhere, and something that I think would feed very well into ISACA or other similar groups with a strong control focus.

The book then goes on to cover risk management briefly, and then moves to risk metrics, using the Goal, Question, Metric approach. What I particularly liked about the metrics section is that they didn't simply list a large number of metrics, but approached it more like a worked example of the approach to defining the metrics. First they look at the goals of risk management, then break these down into sub-goals in order to find the questions that match these sub-goals, and finally identify the metrics that you may wish to gather. This chapter also introduces probably the best description of the difference between risk appetite and risk tolerance: comparing risk appetite with the speed limit on a motorway, and risk tolerance with the variance around that speed limit that the police would accept.

What's fantastic is that throughout the book there's a real sense of practical, real-world application of this risk analysis approach. There are practical examples of analysis scenarios and even an entire chapter outlining where you can go wrong. This is something that I've often seen lacking in other books on information or IT risk analysis, which are often full of theoretical approaches but lack any relevant examples and definitely don't outline where you'll have problems. This gives the book a practical credibility that I believe will find favour with info sec professionals who would normally shy away from risk management books.

I would say that the book definitely assumes some prior knowledge of approaches such as Monte Carlo simulations and why you may use them, but if you haven't come across these before, then I'd highly recommend The Failure of Risk Management by Doug Hubbard to get you up to speed.

Overall, this is the book I was looking for on information risk analysis four years ago… and I'm thrilled to see it's finally arrived. Even if you never plan to use FAIR as your risk analysis methodology, there's enough in this book that it will help anyone's critical thinking in relation to information security and I can't recommend it highly enough. Everyone in info sec should read it!


Links:
Elsevier http://store.elsevier.com/product.jsp?isbn=9780124202313
Amazon http://www.amazon.com/Measuring-Managing-Information-Risk-Approach/dp/0124202314/


Sunday, 20 April 2014

Book Review: IPv6 Security

Last February, RFC 7123 was published, which outlines a number of key security issues with IPv6 and some of the potential approaches to mitigating them. Seeing as I haven't come across many IPv6 networks yet in my travels, I figured it was as good a time as any to get up to speed on IPv6 security in general.

As I started out working on networking with Cisco kit, I've always gone back to their books whenever I need a refresher on what's feasible in the world of networking, and not surprisingly, when I checked the Cisco Press website, IPv6 Security sounded like exactly what I was looking for! Also, after a bit more research I saw that it got an excellent review from Richard Bejtlich a few years ago, which is always a good sign!

The book starts off by introducing the fundamental security issues within IPv6 and then walks through in detail the issues at the protocol header layer before moving on to discuss security issues at the local link level, perimeter security and filtering.

During the first few chapters there were two aspects that I really liked. Firstly, the authors constantly try to link IPv6 vulnerabilities and attacks to similar IPv4 issues, which makes it very easy to get your head around the issues if you're familiar with attacks against IPv4. Secondly, for each vulnerability the authors demonstrate the attack using tools such as scapy6, phenoelit and thc-ipv6, and then show how various features within IOS can be used to mitigate or reduce the impact of the issue. This really drives home how feasible the attacks are and also shows what logs you should look out for to detect attacks.

However, for me the book lost its way a bit in chapters 6 to 8, which cover network device hardening, host-based security and IPSec. These chapters gave too much of an overview of each topic and not enough specifics on IPv6 security issues.

Thankfully, things get very much back on track for the remainder of the book, which covers security issues within IPv6 Mobility, dual-stack systems, tunnels and monitoring, all of which are great chapters.

Overall, if you're familiar with the basics of IPv6 and Cisco IPv4 network security functionality within IOS, this is an easy and light read that will get you up to speed very quickly both on the fundamental security issues with IPv6 and the controls that Cisco have available on their kit.

As such, I highly recommend it if you're looking for a solid intro to IPv6 security. I really enjoyed it.

Following on from this book, I'd recommend having a look at the presentations from last year's IPv6 Hackers meeting in Berlin, and I'm hearing great things about the Hacking IPv6 Networks course from SI6 Networks, so I may have to give that a look!

Amazon: http://www.amazon.com/IPv6-Security-Scott-Hogg/dp/1587055945
Cisco Press: http://www.ciscopress.com/store/ipv6-security-9781587055942


Monday, 17 March 2014

Book Review: Data-Driven Security - Analysis, Visualization and Dashboards

Ever since I read The New School of Information Security back in 2008, I've been interested in looking at how data can drive better decision making in information security.

At first this started with looking at security metrics and then progressed into looking at the economics of information security and quantitative risk assessment, touching on statistics and machine learning along the way and leading towards the whole concept of data science.

During these years, I've come across both of the authors of this book (Jay Jacobs and Bob Rudis) through forums such as SIRA and Security Metrics, so when I heard back in January that they were releasing this book I knew it was going to be worth a read!

By pure chance I ended up attending RSA this year and so had the pleasure of meeting both Jay and Bob where they were signing copies of Data-Driven Security, so I am the very happy owner of a signed copy. Thanks guys!

The book covers the concepts, tools and techniques that can be used to analyze different types of information security data sets and explains many of the common pitfalls in both approach and interpretation of the results of this analysis. It's effectively a perfect introduction to data science/analysis for information security!

The book starts off by introducing the reader to what data analysis is, covering historical concepts and how to create a good question to answer with analysis, rather than simply analysing data for the sake of it.

It then moves on to provide an introduction to R, a free statistical programming language, and also to how they use Python in conjunction with R to analyze data.

The book is very practically oriented, encouraging the reader to start playing around with both Python and R by providing fully coded examples of all the analysis performed in each chapter. To make life easier, all the code examples can be downloaded from the book's website, and any data sets used for analysis are either already publicly available or can be downloaded with the source code.

Once you get your head around the basics of using the tools for analysis, the book then walks through examples of the different types of analysis that information security data sets may require, covering things like exploring data sets of malware infections, performing regression analysis on malware data and applying machine learning to breach data. Throughout the examples, the book puts a strong emphasis on visualization of data, including the common mistakes in presenting data analysis, and looks at both static and interactive visualization.

The book also briefly touches on NoSQL databases but this is very much just to show that they exist and where they may be used. I'd highly recommend Seven Databases in Seven Weeks if you're looking for a bit more info on this side of things.

The book finishes off with a look at what a data-driven approach means for information security, what core skill sets are needed and how a team can be built. It ends on a very interesting example of how Bob's team started off focusing on just one single question to answer, "Have we seen this IP before in our external perimeter logs?", which is a perfect illustration of finding a single framed question to answer through analysis, rather than trying to boil the ocean on your first attempt at analysis.

One other excellent aspect of the book is that at the end of each chapter, a number of other books are highlighted as further reading, with a brief summary of why each book is interesting in relation to the chapter. What was very interesting for me was that I'd actually read many of the books referenced, but hadn't put it all together in the context of information security.

Overall, I thoroughly enjoyed reading this book, and while I haven't had the time to start applying the ideas in the book to my own data sets, it's opened up a whole world of analysis tools and techniques and has effectively short-cut my learning in the area dramatically.

The biggest benefit I see from this book is its highly practical approach, which allows anyone with an interest in information security data analysis to quickly get up to speed on the basics, giving them at least the tools and knowledge to start asking interesting questions and getting results, without having to re-invent the wheel.

If you've ever been sitting in front of a huge set of firewall or webserver logs during an incident trying to figure things out by grepping, cutting and counting results, you're going to get a lot from this book!
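To make the "have we seen this IP before?" question from the end of the book concrete, here is an added example (my own code, not from the book or its authors) that indexes a few constructed firewall log lines by source IP and answers that question, optionally relative to a point in time. The log line format is an assumption for the example.

```python
import re
from datetime import datetime

# Constructed sample perimeter firewall log; the field layout is assumed for
# this example and is not a real product's format. One garbage line is
# included to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
2014-03-01T08:15:02Z ACCEPT src=203.0.113.10 dst=192.0.2.5 dport=443 proto=tcp
2014-03-01T08:15:09Z DROP src=198.51.100.7 dst=192.0.2.5 dport=22 proto=tcp
2014-03-02T11:40:31Z DROP src=198.51.100.7 dst=192.0.2.5 dport=3389 proto=tcp
2014-03-03T23:59:59Z ACCEPT src=203.0.113.10 dst=192.0.2.9 dport=80 proto=tcp
2014-03-04T00:00:01Z DROP src=198.51.100.7 dst=192.0.2.9 dport=22 proto=tcp
this line is garbage and should be skipped
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    except ValueError:
        return None  # well-formed fields but a bad timestamp: skip it
    rec["dport"] = int(rec["dport"])
    return rec


def build_index(log_text):
    """Summarise the log per source IP: first/last seen, hit count, ports, drops.

    Lines are not assumed to be in time order, so first/last seen are tracked
    with min/max rather than taken from the first and last matching line.
    """
    index = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = index.setdefault(rec["src"], {
            "first_seen": rec["ts"], "last_seen": rec["ts"],
            "count": 0, "dports": set(), "drops": 0,
        })
        s["first_seen"] = min(s["first_seen"], rec["ts"])
        s["last_seen"] = max(s["last_seen"], rec["ts"])
        s["count"] += 1
        s["dports"].add(rec["dport"])
        if rec["action"] == "DROP":
            s["drops"] += 1
    return index


def seen_before(index, ip, before=None):
    """Answer the framed question for one IP.

    With `before` (an ISO timestamp string in TS_FORMAT, e.g. the time an
    alert fired), answer whether the IP was already in the logs prior to
    that moment; without it, answer whether the IP has been seen at all.
    """
    s = index.get(ip)
    if s is None:
        return False
    if before is None:
        return True
    return s["first_seen"] < datetime.strptime(before, TS_FORMAT)


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    for ip, s in sorted(idx.items()):
        print(ip, s["first_seen"], s["last_seen"], s["count"],
              sorted(s["dports"]), s["drops"])
    print("198.51.100.7 seen before 2014-03-02?",
          seen_before(idx, "198.51.100.7", "2014-03-02T00:00:00Z"))
```

The same index answers the follow-on questions an analyst usually asks next (how often, on which ports, how much of it was dropped), which is the point of framing one narrow question first.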

Links:
Wiley http://www.wiley.com/go/datadrivensecurity/
Amazon http://www.amazon.com/Data-Driven-Security-Analysis-Visualization-Dashboards/dp/1118793722

Friday, 23 August 2013

Book Review: Practice Of Network Security Monitoring

On a rare day off today with nothing planned, I had the opportunity to finally get around to reading Richard Bejtlich's new book, The Practice of Network Security Monitoring.

I've been a huge fan of Richard's for over ten years, initially of his blog and then also of both of his books, The Tao of Network Security Monitoring and Extrusion Detection. In fact, his blog was the first blog I ever subscribed to and read on a regular basis, back in 2003!

Having heard in May that he had a new book on the cards, I was really looking forward to getting a copy, and it definitely didn't disappoint.

Network security monitoring (NSM) is something that's close to my heart, as when I started out in information security this was one of the first areas I worked in. I was responsible for setting up a network monitoring solution for a very large and diverse network in order to try and give our team greater visibility of incidents, particularly for post-incident analysis. This involved setting up network taps at key network points to get full packet capture data, setting up NetFlow to aggregate session data from network devices, and trying to piece all this together using a variety of dodgy Perl scripts and PHP code written by myself!

However, over the years I've moved into wider information security roles and have had less and less time to work in the area of NSM, so I was really looking forward to this book as a good refresher on what's happening in the space.

For those of you who haven't read any of Richard's previous books, his style is very much explanation through practical exercises, with a focus on theory only where necessary. This book follows the same format and uses packet captures and sample data that you can download yourself and follow along with for each of the examples. What is particularly handy is the availability of the Security Onion Linux distribution, which has all the tools you'll need installed by default. This dramatically speeds up getting stuck into the actual practical exercises, without the need to install and configure each tool.

The first few chapters of the book give an introduction to NSM, covering what NSM is all about, including the different types of NSM data (full content data, session data, transaction data, statistical data, metadata and alert data) and what considerations there are in relation to the placing of network taps to gain a full picture of network traffic. These fundamentals are essential to a good understanding of NSM, so it's worth spending the time on these chapters if you're new to the area.

The book then runs through installation of Security Onion. As mentioned above, Security Onion is a Linux distribution specifically for NSM and comes with the majority of the tools you'll want to try out installed by default. It's very similar in idea to Helix for forensics and BackTrack/Kali for penetration testing. I've been looking for a reason to play around with Security Onion for the last year or so, and this book was the perfect excuse for me. I did run into a few problems getting it installed on my ESXi server, so that slowed me down a bit, but nothing that couldn't be solved, so within an hour or so I was up and running with it.

The book then looks at the key command-line and GUI-based tools that you'll use as part of NSM, including tcpdump, tshark and Wireshark, Argus, Bro, Xplico and NetworkMiner. The last two (Xplico and NetworkMiner) were new to me, so it was interesting to play around with these on my network.

Once you have an understanding of the basic NSM tools, Richard then looks at NSM consoles and how these correlate data from the various tools and allow an NSM analyst to easily pivot between the different levels of data during analysis. This section covers Sguil, Squert, Snorby and Enterprise Log Search and Archive (ELSA), and was particularly interesting for me as this is exactly what I was trying to create with my very basic Perl and PHP scripts years ago. It's great to see how far this side of the NSM space has evolved in the open source world, as Sguil and ELSA were really only just starting out when I last looked at them!

The book then moves more towards the theory of incident response and setting up CIRTs. I found this very interesting from a management perspective, as it outlines at a high level what roles you should have in place in a CIRT, some of the different approaches to prioritising incidents (such as threat-focused and asset-focused) and some thoughts on how to share data between the team and stakeholders during an incident.

Richard then takes two example incidents, one server-side compromise and one client-side compromise, and walks through the identification and analysis of the incidents using the tools previously explained. Again, this is a really practical example that is easy to understand and follow, and it goes to show not just how to use the various tools, but why to use them to get different views of the data during an incident.

The remainder of the book looks at extending the built-in functionality of Security Onion and also outlines some common issues with regard to dealing with incident response in the real world (proxies and IP checksum failures). There is also a final set of thoughts on applying NSM in the cloud, which mentions ThreatStack (which I wasn't previously aware of) and Packetloop (a company I've been interested in since the start of the year, when the beta was released). NSM for the cloud is a really interesting area that I'm hoping will be an area of research over the next few years.

As expected, I thoroughly enjoyed this book and would highly recommend it to anyone who has an interest in incident response or network security.

If you're new to NSM or incident response, then this should be the first book you go to on the topic. And even if you've read Richard's previous books, I'd still recommend this one to get back up to speed on what's happening in the area.


Links:
No Starch Press http://www.nostarch.com/nsm
Amazon http://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099