19 of 19 people found the following review helpful
on September 6, 2013
If you are in cyber security this is a must read. It starts off with a preface by Todd Heberlein, the guy who started the craft of network monitoring. Richard spares us the rehash of things like the TCP 3 way handshake and jumps into actionable content very quickly. The book is the best resource for tools I have seen anywhere. The charts, diagrams, and screen shots bring the information to life. It was particularly great to see the focus on Security Onion.
The favorite part for me was the Collection, Analysis, Escalation and Resolution section. Mr. Bejtlich has a lot of experience in incident response and I am thankful he is willing to share his insights.
My advice is that you buy the book, read it, download Security Onion and learn to use some of the tools.
25 of 32 people found the following review helpful
on August 18, 2013
Most computer books are badly written. The information in the book is fine (usually, hopefully), but the actual craft of writing is poor. They read like computer programs. This isn't surprising, as most computer books are written by computer professionals. By the time you're good enough at a computing topic to write a book about it, your brain automatically arranged things in machine-friendly order. That's human nature. The downside of this, however, is that most computing books lack the things that make books interesting to human beings. We readers grit our teeth and plow through them because we need the information.
I'm pleased to say that Richard Bejtlich's The Practice of Network Security Monitoring is not one of those books. The damn thing is actually readable. By normal people.
That's a vague assertion. How about a metric? Season 6 of Burn Notice just hit Netflix streaming. I watched a few episodes Saturday. They ended on a tense cliffhanger, but I finally had to go to bed. Sunday, I finished reading this book before seeing how Westin and company got out of their fix. (Okay, that's not exactly a metric, but it's a good sign.)
Bejtlich graduated from Harvard and the Air Force Academy graduate. He led CIRT teams in the Air Force, built a security team at General Electric, and is now Chief Security Officer at Mandiant. He's on television as an electronic security guru. And for the last decade-plus, he's been beating the drum about intelligent attackers and the need for a holistic approach to security. When everybody else was going on about firewalls and antivirus and access controls and penetration testing, he wrote books like The Tao of Network Security Monitoring arguing that we need to think about network defense as an ongoing activity. He made absurd claims like "prevention eventually fails" and "there are smart people slowly breaking into your network," lumping these into an overall practice called Network Security Monitoring.
Time has proved that he was right.
Books like Tao and Extrusion Detection had a lot about the business process of security. They had specific examples of how to respond to security incidents. Other books, like my own Network Flow Analysis, cover using a specific tool that's usable in a NSM context. But there hasn't been a good book on how to deploy real security monitoring in your organization, across all tools -- and, just as importantly, how to get buy-in from the business side on this.
The Practice of Network Security Monitoring does all that and more.
The book starts with an overview of the NSM philosophy and practice, and what makes it different from the conventional "we respond to intrusions" perspective. He spends some time going over the Security Onion toolkit. For those readers not familiar with SO Security Onion is to security monitoring what PfSense is for firewalls -- an integrated toolkit built atop a free operating system. You can build everything you need for NSM without Security Onion, but like PfSense, why bother?
Richard gives a brief overview of the various tools in SO, from Sguil to Bro to Snort to Xplico and on and on and on. While you can hook these tools together yourself so they operate more or less seamlessly, again, SO has done all the work for you.
The best part of the book, however, is where Bejtlich takes us through two security incidents. He uses various Security Onion tools to dissect the data from an intrusion response system alert. He backtracks both a client-side and a server-side intrusion, and shows how to accurately scope the intrusion. Was only one server broken into? What data was stolen? What action can you take in response?
What really makes this book work is that he humanizes the security events. Computing professionals think that their job is taking care of the machine. That's incorrect. Their main job is to interface between human beings and the computer. Sometimes this takes the form of implementing a specification from a written document, or solving a bug, or figuring out why your SSL web site is running slowly. Maybe most of your professional skill lies in running the debugger. That's fine, and your skill is admirable. But the reason you get paid is because you interact with other human beings.
Bejtlich pays attention to this human interface. The security incidents happen because people screw up. And they screw up in believable ways -- I read the server compromise walkthrough and thought "This could be me." (Actually, it probably has been me, I just didn't know it.) Deploying network security monitoring takes hardware, which means you need money and staff. Bejtlich advises the reader on how to approach this conversation, using metrics that competent managers understand. His scenarios include discouragement and even fear. If you've ever worked in intrusion response, you know those emotions are very much a part of cleaning up.
But he shows you how to deal with those problems and the attendant emotions: with data.
He even demonstrates practical, real-world examples in how to get that data when the tools fail.
Humanizing a tech book is no easy task. Most authors fail, or don't even try. But Bejtlich pulls it off. He applies "prevention eventually fails" to both the people and the software, and the result is both readable and useful.
Is this book perfect for me? No. The sections on how to install Security Onion are written so that Windows administrators can use them. I don't need that level of detail. But the end result is that tPoNSM is usable by people unfamiliar with Unix-like systems, so I can't really fault him for that.
tPoNSM is useful for anyone interested in the security of their own network. Many of the tools can actually be used outside of a security context, to troubleshoot network and system problems. Deploying NSM not only means you can quickly identify, contain, and remediate intrusions, it gives you insight into the network as a whole. You might start off looking for intrusions, but you'll end up with a more stable network as a side effect.
Now if you'll excuse me, there's another dozen or so episodes of Burn Notice that need watching.
7 of 8 people found the following review helpful
on August 13, 2013
This book covers almost everything from network security monitoring perspective. It also covers basic things such as Session Data, Transaction Data, Statistical Data and Metadata. What I most like is Chapter 4, "Distributed Deployment". I remember that I spent tons of time for trouble shootings to finalize all distributed server plus sensor systems. This chapter makes network engineers' life easier than before. Other than WireShark, it covers Xplico, one of open source network forensic analysis tool and Network Miner. I haven't used these tools before for my e forensic. However, I realized that these tools are pretty useful tools to save my time and visualize stuffs from my research. I like his approcahses for Servier Side Compromise and Client Side Compromise. I completely agree with his methdologies to investigate those on their own way. Don't forget to refer the following chapters regarding SO SCRIPTS and CONFIGURATION. Even if those were placed at last chapter, you will use those information usefully anytime if you want.
5 of 6 people found the following review helpful
on September 9, 2013
It has been about 8 years since my friend Richard Bejtlich's (note, that was a full disclosure `my friend') last book Extrusion Detection: Security Monitoring for Internal Intrusions came out. That and his other 2 books were heavy on technical analysis and real-word solutions. Some titles only start to cover ground after about 80 pages of introduction. With this highly informative and actionable book, you are already reviewing tcpdump output at page 16.
In The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Bejtlich takes the approach that your network will be attacked and breached. He observes that a critical part of your security posture must be that of network security monitoring (NSM), which is the collection and analysis of data to help you detect and respond to intrusions.
In this book, Bejtlich details how to design a NSM program from the initiation state. Being a big open source proponent, the book lists no proprietary tools and myriad open source solutions. The book is designed for system and security administrators, CIRT managers and analysts, incident handlers, NSM architects and engineers with a strong background in understanding threats, vulnerabilities and security log interpretation.
The book is about the inevitable, that attackers will get inside your network. While it's foreseeable they will get in, it's not inevitable that you have to be caught off-guard. For those who are serious about securing their network, this is an invaluable book that provides a unique and very workable model to create a fully-functioning NSM infrastructure.
The book is a hands-on guide to installing and configuring NSM tools. The reader who is comfortable using tools such as Wireshark, Nmap and the like will be quite at home here.
This is a book about how not to be surprised and its 13 chapters detail how to create and manage a NSM program, what to look for, and details myriad tools to use in the process.
The focus of the book is not on the planning and defense phases of the security cycle, hopefully, that is already in place in your organization, rather on the actions to take when handling systems that are already compromised or that are on the verge of being compromised.
In chapter 1, the book details the difference between continuous monitoring (CM) and NSM; since their terms are similar and many people confuse the two. CM is big in the federal computing space. The book notes that CM has almost nothing to do with NSM or even with trying to detect and respond to intrusions. NSM is threat-centric, meaning adversaries are the discussion of the NSM operation; while CM is vulnerability-centric; focusing on configuration and software weaknesses.
Also in chapter 1, Bejtlich asks the important question: is NSM legal? He writes that there is no easy answer to that questions and anyone using or deploying an NSM solution should first consult with their legal counsel; in order not to potentially violate the US Wiretap Act and other laws and regulations. This is especially true for those who are in European Union (EU) countries, as the EU places a high threshold on information security teams who want to monitor network traffic. Something as simple as running Wireshark on a corporate network in the US, would require court approval if done on an EU-based network.
One of the main NSM tools the book references and details is Security Onion (SO). SO is a Linux distro for IDS and NSM. It's based on Ubuntu and the distro contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other useful security tools.
The book details and explains how use these tools in an NSM environment. An important point Bejtlich makes in chapter 9 regarding the tools, is that analysts need tools to find intruders. But methodology is more important than just software tools. Tools collect and interpret data, but methodology provides the conceptual model. He explains that CIRT analysts must understand how to use tools to achieve a particular goal, but it is imperative and important to start with a good operational model first, and then select tools to provide data supporting that model.
The book has a short discussion of how cloud computing effects NSM. In a nutshell, the cloud throws a monkey wrench into an NSM effort. For example, it is generally not an option for SaaS offerings since customers are limited to the back-end logs.
The book closes with the observation that NSM is not just about all the tools that the author spent over 300 pages discussing, rather it is more about the workflows, metrics and collaboration. Unfortunately, this title does not detail the necessary workflows for a NSM and it is hoped that the follow-up to this book will.
The only negative in the book is that as CSO of Mandiant, Bejtlich references his firm's products, mainly their MIR appliance for a CIRT. In the spirit of objectivity and not trying to have the book come across as marketing PR, if an author is going to mention a product their firm sells, they should also mention alternative solutions.
For those looking for a comprehensive guide on the topic of NSM, written by one of the experts in the field, The Practice of Network Security Monitoring: Understanding Incident Detection and Response is an excellent reference that is certain to make the reader a better information security practitioner, and their network more secure.
5 of 6 people found the following review helpful
on August 22, 2013
This was a technical text I had been waiting to get my hands on for some time. Having heard Richard Bejtlich speak and give various presentations, I knew that his delivery and style would make network security monitoring fun to learn about. I wasn't disappointed.
I would say that my all-time favorite IT security book traditionally has been "Network Intrusion Detection (3rd Edition)" by Stephen Northcutt. I have read and re-read it several times not due to the highly technical and pertinent subject matter, but because of the flowing style that makes the book readable. "The Practice of Network Security Monitoring" has just eclipsed the top of my favorites list.
All-in-all, Bejtlich does an amazing job not only defining network security monitoring and explaining how it will benefit an organization, but he ties in current concepts like cloud computing, the relationship among network security monitoring and more traditional defenses such as Firewalls, DLP, DRM, anti-malware, etc. He explains in detail how network security monitoring can be integrated into your environment, and everything from how to get started to how to interpret the data you'll collect.
If you're looking to start a network security monitoring operation at your company, this is the book to read. If you're an IT security professional who wants a more in-depth look at how network security monitoring can help you, this is the book to read. If you're at all interested in computer penetrations, the hows and whys, or how best to defend against them, this is the book to read.
Again, this is a great book for professionals and beginners alike. I highly recommend it!
2 of 2 people found the following review helpful
on January 10, 2014
For going on close to two decades, Richard Bejtlich has been leading expert on networking monitor. He has been the author of many important books and articles focusing on different elements of proper cybersecurity, along with his posts on Twitter, his blog and interviews. Richard is the rare expert that can discuss cybersecurity on both a strategic and a tactical level.
In Richard Bejtlich's latest book, `The Practice of Network Security Monitoring' (PoNSM), he walks the readers through various cyber data breaches, detailing how to scope the intrusion and take rapid corrective action. He details how to architect a complete networking monitor solution, from sensor deployment, to data aggregation and analysis. PoNSM demonstrates how to use critical open source tools, including Wireshark, Xplico and Sguil, among others. There must be upwards of 100 screen-shots, demonstrating what information to focus on when analyzing information in these tools.
PoNSM is an invaluable resource for anyone interested in network monitoring. I cannot imagine a better source on the subject of NSM.
I give PoNSM 5 pings out of 5:
1 of 1 people found the following review helpful
on September 3, 2015
As we enter the murky age of Internet of Things (or "Internet of Insecure Things", "Internet of Evil Things", "Botnet of Things", take your pick) monitoring your home network has to become a common skill. Although by no means confined to application in home environments, The Practice of Network Security Monitoring does allow a modestly technically adept user to do just that. This book walks you through understanding the concepts, installing the needed software, configuring network monitoring components, and using some of the many free solutions for detecting unwanted or malicious traffic.
For those who want to apply this work at home, allow me to make a few suggestions about corollary purchases you may need to make. I recommend dedicating a desktop or tower computer to the task of server. It doesn't need an especially powerful CPU, but it should have a lot of RAM, at least 8 GB. Purchase your RAM with a view to exanding; using 8GB as an example, don't buy 4 2GB sticks, but rather 2 4GB sticks. Later you could by 2 x 4GB or 2 x 8GB sticks to upgrade memory. You will also need at least 1 extra NIC (Network Interface Card), which will be in permanent 'listen only' (aka "promiscuous") mode. You will be using the free Security Onion solution, running on the free Ubuntu 12.04 Linux, so you can skip buying a license for Windows if you purchase everything from scratch. Finally you will need at least one network device that can duplicate traffic. The book will explain the difference between spanning (or 'mirroring') and tapping, but unless you are a sufficiently knowledgeable about networking, you will probably do well to buy a Dualcomm DCSW-1005 USB Powered 5-Port 10/100 Fast Ethernet Switch TAP (Port Mirroring) - it is drop dead simple to install and use.
You really can do this - enjoy!
1 of 1 people found the following review helpful
on September 23, 2013
This certainly fell into my lap at an opportune time. With the various revelations being made about the NSA and its tactics, as well as the upsurge in attention being paid to network and application security in general, this book was a welcome arrival in and of itself. There's a lot of attention paid to the "aftermath" of security breaches. We see a lot of books that talk about what to do after you've been hacked, or tools that can help determine if your application can be penetrated, along with tools and recommendations for performing that kind of testing. Less often asked (or covered) is "what can we do to see if people are actually trying to get into our network or applications in the first place?" While it's important to know how we got hacked, I'd like to see where we might get hacked, and sound an early warning to stop those hackers in their tracks.
To that end, Network Security Monitoring (NSM) makes a lot of sense, and an important line of defense. If the networks can be better monitored/protected, our servers are less likely to be hacked. We cannot prevent all breaches, but if we understand them and can react to them, we can make it harder for hackers to get to anything interesting or valuable.
It's with this in mind that Richard Bejtlich has written "The Practice of Network Security Monitoring", and much of the advice in this book focuses on monitoring and protecting the network, rather than protecting end servers. The centerpiece of this book (at least from a user application standpoint) is the open source Security Onion (SO) NSM suite from Doug Burks ([...] The descriptions and the examples provided (as well as numerous sample scripts in the back of the book) help the user get a good feel for the operations they could perform (and control) to collect network data, as well as how to analyze the collected data.
The tools can be run from a single server, but to get the maximum benefit, a more expansive network topology would be helpful. I can appreciate that my ops people didn't quite want to see me "experiment" on a broader network for this book review. After reading it, though, they may be willing to give me the benefit of the doubt going forward ;).
There are lots of individual tools (graphical and command line) that can be used to help collect and analyze network traffic details. Since there are a variety of tools that can be used, the author casts a broad net. Each section and tool gets its own setup, and an explanation as to how to use them. The examples are straightforward and easy enough to follow to get a feel as to how they can be used.
The last part of the book puts these tools into action, and demonstrates examples as to how and where they can be used. The enterprise security cycle is emphasized (planning, resistance, detection, and response), with an emphasis on the last two items. NSM uses its own process flow (collection, analysis, escalation, and resolution). By examining a variety of server side and client side compromises, and how those compromises can be detected and ultimately frustrated, we get a sense of the value and power of this model.
My approach to learning about NSM in general comes from being a software tester, and therefore I'm very interested in tools that I can learn and implement quickly. More important, though is the ability to apply a broad array of options. Since I don't really know what I may be called on to test, this varied model of NSM interests me greatly. From an understanding level, i.e. an ease of following along and seeing how it could work and where, I give the book high marks. I'm looking forward to when I can set up a broader and more varied network so I can try out some of the more expansive options.
On the whole, "The Practice of Network Security Monitoring" gets the reader excited about getting deeper into the approach, and looking to where they can get more engaged. As tech books go, it's a pretty fun ride :).
1 of 1 people found the following review helpful
on December 4, 2014
This is a great book to get a security monitoring tool up and running in your organization. It is a complex topic and this book takes you through a difficult process and gets you up and running with a real soluiton that immediately brings value to your organization.
on October 29, 2013
"This may be one of the most important books you ever read."
The book begins with this ambitious intention to say of how critical the role of Network Security was over last years.
The foreword is an excursus in the recent past of the author who warns that "security companies' marketing department still promote the magic box solution and investors buy into it".
There's not a single definitive solution to insecurity, "products and technologies are not solutions. They are just tools. [...] Almost all future conflicts - whether economic, religious, political, or military - will include cyber component. The more defensive we have, and the more effectively we use them, the better off we will all be. This book will help with that noble effort."
The author still dedicates a Preface and the whole Chapter 1 of the Part 1 (Network Security Monitor Rationale) to make this point even more crucial, reporting events and stories from his important work experience, alternating a nice novelistic style to a more technical tone.
This dual approach has the benefit to draw the reader's attention with both simplicity and accuracy but without boring him, like possibly other books about this topics do.
NSM is the acronym for Network Security Monitor which is the central point of this book. The initialdiscursive approachshould not deceive, this is a technical book: in the first Chapter you will be quite requested to put your hand on the device: "Installing a Tap", like in a lab exercise.
But before installing a Tab, you must be able to answer questions like "Why Does NSM Work" or "When NSM Won't Work" or "What is the difference between NSM and Continuous Monitoring?".
How large must a hard drive be to accommodate all the captured traffic?
The book drives the reader into the forest bit by bit, starting from the Stand-alone NSM Deployment and Installation that shows how to install the open source Security Onion (SO) NSM suite from Doug Burks ([...] and going on with the description of the tools provided by it (Tshark, Dumpcap, Argus, RA, Tcpdump Wireshark, Xplico, Sguil, Squerty, Snorby, ELSA, and others.
"Tools collect and interpret data, but methodology provides the conceptual model". So the Part IV is oriented to the management of the Enterprise security cycle: Plan, Resist, Detect, Respond.
Positive: technical aspects are always accompanied by a methodology. The focus that the author puts on the practical experience is never unmotivated, every single tool is useless if taken alone. The consciousness of a structured method and practice comes first.
Negative: The division intoparts and chapters is so accurate and granular to result very complex. If you look at the index it could be a little tedious to find the topic you're looking for.
I would definitely suggest this book to all thosewho deal with IT Security.