September 22, 2013, 4:35 PM — If you want to know what to do when intruders arrive on your network and how to best prepare for that eventuality, you must read this book. Written by one of the most brilliant and insightful proponents of network monitoring, The Practice of Network Security Monitoring wastes little time introducing you to network and security basics and, instead, quickly gets you up to speed on some of the best tools for collecting and analyzing data so that you can detect and respond to attacks.
This kind of material and this level of insight are no surprise when you learn that the author, Richard Bejtlich, is Chief Security Officer at Mandiant and was previously Director of Incident Response at General Electric. He has written previous books such as The Tao of Network Security Monitoring, Extrusion Detection, and Real Digital Forensics. He also teaches classes at Black Hat conferences and blogs at http://taosecurity.blogspot.com and on Twitter (I'm his 20,961st follower!). This book is very likely his best.
What is NSM? How will you recognize it when you see it? What tools does it involve? How can you make the tools and techniques work in your organization? This book will answer all these questions. It's a great book for anyone starting into the field, though it expects that you have a fairly good knowledge of TCP/IP. It gets off the ground with questions such as:
- how should you collect data?
- where to position your NSM and why -- where will you get the best network visibility?
These are questions that you need to give serious thought to before you run out and acquire your tools.
The first part of the book looks at Security Onion -- a Linux IDS distribution based on Ubuntu -- an NSM platform that, according to the author, is easy both to deploy and to operate. It includes tools like Snort and Snorby and others I will soon mention. The book walks you through installing and configuring "sensors". It also helps you make decisions about the hard disk and memory that you will need to provide to the sensors.
The book also covers housekeeping tasks -- what you need to do to keep your NSM working smoothly. It introduces the reader to both command line and GUI updates. And it shows you how to limit access.
It also covers a lot of additional tools for data collection and analysis -- tools like tcpdump, dumpcap and tshark, plus the Argus data generation and analysis suite. It has quite a bit of material on doing graphical packet analysis with tools like Wireshark. It also introduces the Xplico forensic analysis tool and NetworkMiner.
In Chapter 8 (NSM consoles), the author introduces tools built specifically for network security monitoring. Specifically:
- Sguil -- open source NSM
- Squert -- open source web interface
- Snorby -- open source web interface
- ELSA -- the Enterprise Log Search and Archive that normalizes log files
And the focus isn't just on tools but on methodologies that will help you make the best use of the tools. After all, you need a lot more than just tools: you need plans for how to deploy and use those tools if you hope to get some value out of them.
In the final chapters, the book demonstrates both a server-side and a client-side compromise so that you get a realistic view of what the tools can do for you when you are dealing with an intrusion. These sample breach investigations help bring an "aha!" kind of focus to everything the book is trying to teach you.
The book also supplies suggestions on ways to extend Security Onion and ends with a chapter full of scripts and configuration files.
No doubt about it. This is an amazingly useful book and one that will introduce you not just to some of the best tools of the trade but will offer tried and tested advice on how to get these tools working in your organization. It is also extremely well written and easy to follow. It is definitely one of the best security books I have ever read and one that everyone involved in network security monitoring ought to read.
Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.