Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century [Paperback]

Ryan Trost (Author)
4.0 out of 5 stars  See all reviews (9 customer reviews)

Editorial Reviews

Product Description

“Practical Intrusion Analysis provides a solid fundamental overview of the art and science of intrusion analysis.”

   –Nate Miller, Cofounder, Stratum Security

The Only Definitive Guide to New State-of-the-Art Techniques in Intrusion Detection and Prevention

Recently, powerful innovations in intrusion detection and prevention have evolved in response to emerging threats and changing business environments. However, security practitioners have found little reliable, usable information about these new IDS/IPS technologies. In Practical Intrusion Analysis, one of the field’s leading experts brings together these innovations for the first time and demonstrates how they can be used to analyze attacks, mitigate damage, and track attackers.

Ryan Trost reviews the fundamental techniques and business drivers of intrusion detection and prevention by analyzing today’s new vulnerabilities and attack vectors. Next, he presents complete explanations of powerful new IDS/IPS methodologies based on Network Behavioral Analysis (NBA), data visualization, geospatial analysis, and more.

Writing for security practitioners and managers at all experience levels, Trost introduces new solutions for virtually every environment. Coverage includes:

  • Assessing the strengths and limitations of mainstream monitoring tools and IDS technologies
  • Using Attack Graphs to map paths of network vulnerability and becoming more proactive about preventing intrusions
  • Analyzing network behavior to immediately detect polymorphic worms, zero-day exploits, and botnet DoS attacks
  • Understanding the theory, advantages, and disadvantages of the latest Web Application Firewalls
  • Implementing IDS/IPS systems that protect wireless data traffic
  • Enhancing your intrusion detection efforts by converging with physical security defenses
  • Identifying attackers’ “geographical fingerprints” and using that information to respond more effectively
  • Visualizing data traffic to identify suspicious patterns more quickly
  • Revisiting intrusion detection ROI in light of new threats, compliance risks, and technical alternatives

Includes contributions from these leading network security experts:

Jeff Forristal, a.k.a. Rain Forest Puppy, senior security professional and creator of libwhisker

Seth Fogie, CEO, Airscanner USA; leading-edge mobile security researcher; coauthor of Security Warrior

Dr. Sushil Jajodia, Director, Center for Secure Information Systems; founding Editor-in-Chief, Journal of Computer Security

Dr. Steven Noel, Associate Director and Senior Research Scientist, Center for Secure Information Systems, George Mason University

Alex Kirk, Member, Sourcefire Vulnerability Research Team


Product Details

  • Paperback: 480 pages
  • Publisher: Addison-Wesley Professional; 1 edition (July 4, 2009)
  • Language: English
  • ISBN-10: 0321591801
  • ISBN-13: 978-0321591807
  • Product Dimensions: 9.1 x 6.9 x 1 inches
  • Shipping Weight: 1.7 pounds
  • Amazon Bestsellers Rank: #26,139 in Books (See Top 100 in Books)
    #36 in  Books > Computers & Internet > Security & Encryption
    #26 in  Books > Computers & Internet > Networking > Network Security
    #16 in  Books > Computers & Internet > Business & Culture > Privacy

Customer Reviews

9 Reviews
5 star: (3)
4 star: (3)
3 star: (3)
2 star: (0)
1 star: (0)

Most Helpful Customer Reviews
6 of 7 people found the following review helpful:
3.0 out of 5 stars Disjointed collection of chapters that doesn't practically analyze any intrusions, July 11, 2009
This review is from: Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century (Paperback)
I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.

I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.

Chapters 1 and 2 are not needed. Anyone who needs to learn about networking can read a basic book already published. Ch 2 does mention that 802.1AE (if ever implemented) will hamper network traffic inspection, but you could read that online.

Ch 3 is odd because it begins by mentioning well-worn methods to evade network detection, followed by a discussion of the merits of Snort vs Bro. Someone who had to read the material in chapters 1 and 2 is not going to understand the Snort discussion, especially when it mentions byte_test, depth, regex, http_inspect, uricontent, Structured Exception Handlers, and 16-line Snort signatures. I liked seeing Bro mentioned, but the people who are going to be able to follow the sample Bro policy scripts on pages 75-78 are not the ones reading this book.

Ch 4 outlines several examples of writing signatures for Snort. This section is actually interesting, but you have to know Snort and certain advanced topics pretty well to get value from this section. Readers need to compensate for the far-too-small screenshots and lack of supporting details while reading the examples. Readers also need to figure out what the author is doing, such as when he sets up a client-side exploit against FlashGet by starting a malicious FTP server with flashget-overflow.pl. By the second example he's dropping warnings like "Had Core's advisory told you from where the size of the call to memcpy was coming, you might have to refine the signature to check for the appropriate behavior; unfortunately, the disassembly left out that argument:" [cue the ASM]. The bottom line with this chapter is this: know your audience, and write for them -- not your buddies. People who can follow contributions like this "at line speed" aren't going to read this book.

By ch 5 the "practical" aspect of this book has been left behind, with a discussion of "proactive intrusion prevention and response via attack graphs," which is really an academically-derived discussion of "topological vulnerability analysis." No one does this in the operational world, and no one will. Pages 143-144 talk about IDMEF, even though that specification died years ago. (There is still an independently-maintained -- as of Feb 09 -- Snort-IDMEF plugin. I don't know anyone in industry using it.)

Ch 6 is a generic overview of using network flows. The only new material is less than a page on IPFIX, which is just a table comparing that newer format with NetFlow. Ch 7 is called "Web Application Firewalls," but it's just an overview. Read Ivan Ristic's Apache Security or Ryan Barnett's Preventing Web Attacks with Apache if you want to know this topic. Ch 7 is titled "Wireless IDS/IPS," which is an even shallower overview than the previous topic. In none of these chapters do we have anything practical nor any intrusions analyzed. Ch 9 discusses physical security, but I didn't think it fit with the intended theme for the book.

I thought chapter 10 was interesting. Geospatial and visualization techniques do have a role in many operations, and ch 10 had the only example of an intrusion analysis. Unfortunately I don't think readers could take ch 10 and implement their own operational system. Ch 11 seemed irrelevant in light of the excellent visualization books by Raffy Marty and Greg Conti.

The book finishes with ch 12, Return on Investment: Business Justification. It was totally unnecessary: cite some regulations, list some breach costs, then compare ROI, NPV, and IRR. Talk a little about MSSPs and cyber liability insurance, then end. If you really want the best discussion of security costs, read Managing Cybersecurity Resources by Gordon and Loeb.

The subtitle for PIA is "Prevention and Detection for the Twenty-First Century." Readers will not find that in PIA. The lead author started with a kernel of a good idea, but the end result does not deliver enough real value to readers. The lead author's material, and the chapter on Snort signature writing, could have been published as digital Short Cuts, or included in a compendium of chapters in a "survey" book. If you want to read a book on intrusion analysis, you're more likely to be satisfied reading a book on intrusion forensics.
 
2 of 2 people found the following review helpful:
3.0 out of 5 stars Some good ideas, no consistency, September 30, 2009
This review is from: Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century (Paperback)
This book is not really a book: it is a collection of papers about security and intrusion detection. The book bears unfortunate, but noticeable signs of being written by multiple people who didn't talk to each other much.

I just finished reading the book and I can say I enjoyed it. It does have interesting ideas peppered in some places. Overall presentation consistency, however, is not lacking - it is absent. Also, the book is not terribly practical if you define practice as "protection of systems and networks from attacks." Many chapters are shallow and give the impression of being added to get the book to the 450-page threshold.

So, some chapters are fun and insightful ("Geospatial ID", "Physical IDS", the sections on signature tuning), some are funny (example: one chapter talks about SIEM, SIM and SEM, but errs about what the "M" in those stands for... seriously!) and some are sad (example: the one that mentions IDMEF), while others are very shallow ("Wireless IDS/IPS"). The chapter on ROI made me fall under my desk; I experienced an actual, literal ROFL.

Here are some of the highlights. Ch3 has a lot of useful Bro NIDS tips; if you have never used Bro in production, give it a try. In Ch4, I liked the vulnerability-based signature definition workflow, which takes into account sig performance tuning. Ch5 was written by an academic who doesn't get out much; it works great if you want to really know what the word "befuddled" means (it also mentioned IDMEF for extra punch :-)). Ch6 is fine if you never dealt with network flows; not a bad intro. Ch7 is a very shallow intro to web application firewalls, while ch8 is the same for wireless IDS/IPS. Ch9 deals with physical security and I loved it; such information rarely shows up in IT books and it was great to learn it. Ch10, which deals with geospatial intrusion detection, is another good one; the approach looks a bit weird (example: all events with the source address close to a company facility are considered "false positives"...). Ch 11 on visualization mentions all the right books on the subject, but then chooses to make itself a bad comparison to them.

Now, ch12 ("Return on Investment: Business Justification") is pure freakshow; I have not laughed that hard for a few months at least. After I had a chance to think about it, I realized that maybe it was intended as humorous relief since it is the last chapter. In any case, the work computes the precise ROI for any IDS system like this: ALE = SBE x ARO = $517,580...

Overall, if you want a moderately interesting security read with some good ideas, get it. If you are looking for information on practical intrusion analysis in whatever century, skip it.

Finally, Addison-Wesley provided me with a review copy.
 
1 of 1 people found the following review helpful:
4.0 out of 5 stars Modern Intrusion Analysis, September 3, 2009
This review is from: Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century (Paperback)
My search for one book that gives me a bird's-eye view of enterprise intrusion detection and prevention systems and processes ends with this book. Anyone who climbs up the ladder from a different background in information security can easily understand the 'ABCD' of intrusion prevention/detection analysis by reading this book. The author explained everything from the ground up. For example, when he writes about network intrusion analysis, he starts by explaining the basic OSI reference model and TCP/IP model and goes on to explain how to capture data at various levels of the network.

This book starts by explaining what enterprise IT infrastructure looks like and explains in brief what each technology means for the reader. Another good outcome of reading this book is understanding the management aspect of handling intrusion detection/prevention systems and processes.

Let me briefly describe how this book is structured in terms of chapters and technology implementations. First the author went ahead and described two open source IDS/IPS platforms, namely Snort and Bro. He then analyzed and compared (apples to oranges) both tools to give us an idea of which one is best. Obviously Snort came out as the winner. The reason quoted is that Bro is not a simple solution to implement: you have to define what is normal so that you can trigger on abnormal if some intrusion happens. Second, the vulnerability lifecycle, which describes how a vulnerability goes through a cycle from detection to patching the systems. Other chapters are arranged in this order to provide a holistic approach to intrusion analysis: prevention techniques, anomaly detection using NetFlows, web app firewall techniques, wireless IDS/IPS, physical intrusion detection for IT, geospatial intrusion detection, and finally ROI factors for business justification.


To the best of my knowledge the Snort/Bro type of implementations are merely secondary types in any enterprise security. Big IT organizations today need someone to take responsibility for security vulnerability exposures. Hiring such a professional is costlier than paying the support cost for maintaining vendor products. But if you are really looking for a crash course on IPS/IDS, I certainly recommend this book.

The advanced examples given in Chapter 4, "Life Cycle of vulnerability", open up a new horizon for infosec professionals who are starting their career in network security. The author took diversified examples to attract all sorts of industry audience. For example, SCADA is mostly used in process industries, the bitmap vulnerability targets PC users, and the DNS vulnerability targets the Internet industry. The author also provides some helpful tools and websites for your reference.

The analytical approach to proactive intrusion prevention and response is another favorite subject of mine. The author explains how an IT security analyst can use attack graphs to prevent unforeseen incidents. Anomaly detection techniques using network flows are described in Chapter 6. The author's weighing of multi-vendor products that support NetFlow technology is "must know" information.

One of the important chapters I liked was Web Application Firewall. The author goes on to explain various security models that one can apply according to their needs and environment. The author also emphasizes physical intrusion detection, which is mostly ignored in enterprise security. In analyzing ROI, the author describes the importance of cost/benefit analysis and goes on to explain various mandatory compliance obligations to be taken into consideration. He also introduces the MSSP model and analyzes the pros and cons of outsourcing security operations. Finally, various insurance options are discussed in order to mitigate huge liability in case of any security breach.

Overall, the author covered the whole nine yards of intrusion prevention techniques. I highly recommend this book for all security analysts and anyone who oversees security operations. This book can also be a very good reference point for CISSP and CISM certifications. In the end, as a network security professional, I would like to have this as one of the companions in my INFOSEC library.

Most Recent Customer Reviews

5.0 out of 5 stars A great book on a growing subject!
When I first began reading Practical Intrusion Analysis by Ryan Trost, I was a little put-off. He begins the book with an overview of IP Addressing, subnetting, and packets...
Published 12 months ago by C. Irvin

4.0 out of 5 stars Took me 3 days to read -- so good enough to keep my attention
...which actually is a lot to say since I've been diagnosed with ADHD for the better part of my life!
Published 13 months ago by Sam Wong

5.0 out of 5 stars Well rounded and worth the read
I really enjoyed the book :: cover to cover. I also enjoyed that the book didn't focus on hardware/OS specific examples.
Published 13 months ago by GOVSOC

3.0 out of 5 stars Covers most points
Practical Intrusion Analysis is a good primer for those just starting in the field of intrusion detection and analysis.
Published 13 months ago by T. Prevatte

4.0 out of 5 stars Overall an enjoyable read!
I think Richard's review is ultra-critical but he does have a few valid points.

I appreciated the layout of the book, especially coming from an audit background as...
Published 13 months ago by BSchneider

5.0 out of 5 stars A Pleasure to Read!!!
The author undertook a sizable endeavor as each of those chapter topics could arguably have entire books written about them.
Published 14 months ago by Tom Haskins
