The Tao of Network Security Monitoring: Beyond Intrusion Detection

"The book you are about to read will arm you with the knowledge you need to defend your network from attackers--both the obvious and the not so obvious.... If you are new to network security, don't put this book back on the shelf! This is a great book for beginners and I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial IDS, you may be asking 'What's next?' If so, this book is for you."--Ron Gula, founder and CTO, Tenable Network Security, from the Foreword

"Richard Bejtlich has a good perspective on Internet security--one that is orderly and practical at the same time. He keeps readers grounded and addresses the fundamentals in an accessible way."--Marcus Ranum, TruSecure

"This book is not about security or network monitoring. It's about both, and in reality these are two aspects of the same problem. You can easily find people who are security experts or network monitors, but this book explains how to master both topics."--Luca Deri, ntop.org

"This book will enable security professionals of all skill sets to improve their understanding of what it takes to set up, maintain, and utilize a successful network intrusion detection strategy."--Kirby Kuehl, Cisco Systems

Every network can be compromised. There are too many systems, offering too many services, running too many flawed applications. No amount of careful coding, patch management, or access control can keep out every attacker. If prevention eventually fails, how do you prepare for the intrusions that will eventually happen?

Network security monitoring (NSM) equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes--resulting in decreased impact from unauthorized activities.

In "The Tao of Network Security Monitoring", Richard Bejtlich explores the products, people, and processes that implement the NSM model. By focusing on case studies and the application of open source tools, he helps you gain hands-on knowledge of how to better defend networks and how to mitigate damage from security incidents.

Inside, you will find in-depth information on the following areas:

- The NSM operational framework and deployment considerations.
- How to use a variety of open-source tools--including Sguil, Argus, and Ethereal--to mine network traffic for full content, session, statistical, and alert data.
- Best practices for conducting emergency NSM in an incident response scenario, evaluating monitoring vendors, and deploying an NSM architecture.
- Developing and applying knowledge of weapons, tactics, telecommunications, system administration, scripting, and programming for NSM.
- The best tools for generating arbitrary packets, exploiting flaws, manipulating traffic, and conducting reconnaissance.

Whether you are new to network intrusion detection and incident response, or a computer-security veteran, this book will enable you to quickly develop and apply the skills needed to detect, prevent, and respond to new and emerging threats.

833 pages, Kindle Edition

First published July 1, 2004


About the author

Richard Bejtlich


Community Reviews

- 5 stars: 64 (46%)
- 4 stars: 54 (39%)
- 3 stars: 13 (9%)
- 2 stars: 5 (3%)
- 1 star: 1 (<1%)
Jack, November 30, 2008

I thought too much time was spent on overview and examples of specific tools, when I was really hoping for more discussion of network layout, broad techniques, and analysis mentality. What Richard had to say in these areas was interesting and informative, so the relatively short page count allotted to it was pretty disappointing.

I found myself skipping through pages and pages of examples of using tools like tcpdump, ethereal, p0f, bpf, etc. - if I need to learn more about these I'll read the relevant man pages or source code. Several of the tools overview chapters seemed like filler to me, to be frank - not in enough depth to be really that useful if you've never used the tools before, but far, far too long if you are already familiar with them.

The repeated shoutouts for certain commercial vendors struck an odd chord with me. I guess there is no problem with someone recommending a product that they think works well, but Net Optics in particular got repeated mentions and two photos, which seemed gratuitous. Also I thought it odd that he recommends buying brand new Cisco gear (since IOS cannot be legally redistributed to a third party), without mentioning that, for instance, one could instead buy (AFAIK) legally resold Juniper hardware.

Tarek, May 28, 2013

Even if a bit dated (more than 10 years old), the book is a structured guide to doing NSM, with advice, direction, and concrete examples.
The only thing that seems pointless to me is having included the installation instructions for certain tools in some of the examples.

Without following the structure of the book, below are the excerpts that were most interesting to me:

- The need to log allowed packets => By definition, rejected traffic can't hurt you. Only packets allowed through the firewall have any effect.

- No organization can be considered "secure" for any time beyond the last verification of adherence to its security policy.
If your manager asks, "Are we secure?" you should answer, "Let me check."
If he or she asks, "Will we be secure tomorrow?" you should answer, "I don't know."

- The best way for an intruder to conduct truly stealthy reconnaissance is to appear as normal traffic.
Although we'd like to watch everywhere, it's often not possible.
I recommend placing sensors near the locations you believe suffer the greatest risk.
Keep in mind that wherever a telecommuter's VPN terminates determines the extension of that zone.

- One of the principles of proper NSM operations is to never "touch" the source of malicious activity.
This means that under normal circumstances, NSM analysts do not scan intruder IP addresses and they certainly don't "hack back."
By not overtly reacting to an intruder's activity, defenders keep an element of surprise.
The intruder cannot be sure the victim knows of the attack plans if the victim doesn't retaliate.
Along with eliminating the element of surprise, defensive actions help intruders map out the processes followed by the NSM operation.

- Send the most severe alerts to the analyst interface and save everything else in a database.
Some may consider it a waste of resources to save data that might never be reviewed.
Remember the NSM principle that intruders are unpredictable.
The indicator that was stored without being seen in January might be a vital clue once a systematic compromise is discovered in February.

Jon, August 23, 2012

In the author’s latest book, Extrusion Detection, a claim is made on page 228 in which he says
“The best reference for building an NSM infrastructure is my book, The Tao of Network Security
Monitoring: Beyond Intrusion Detection“. So far that statement is indisputable. This is a whopping
and very detailed 800+ page text on NSM that pushes “on-shelf” technical literature to a new level of
scholarship. The book is heavily footnoted with academic research and includes a history of NSM.

I was fortunate enough to receive this book in a college course on network security. In my opinion
it was the single best book I received out of my 4 year study. I’ve read it 2 times, cover to cover, and
continually use it as a reference. By applying the techniques and principles in the book I was able
to gain an entirely new perspective on network connections; I also increased my knowledge of TCP/IP
substantially by practicing the examples at home. I’ve only been out of college for a little over a year
now and I’ve been able to perform NSM duties in my day job and have spoken on traffic analysis at some
small conferences. This book has been a great benefactor towards my professional development as it has
provided new avenues of interest for me to explore.

Session data, statistical data, and full-content data concepts are each covered thoroughly with many
examples of popular and not-so popular FOSS (Free and Open Source Software) tools. As I mentioned in my
recent review of Extrusion Detection, I really enjoy the fact that the author exposes readers to FreeBSD
by using it as his platform throughout the book.

There’s no need to summarize what’s in the book as you can view its Table of Contents here on
Amazon.

I recommend this book, not just for security folk, but also for network folk who I believe can advance
with a new perspective on network traffic and gain a deeper understanding of their environments.

I came with knowledge of tcpdump, I left knowing how to use it.

Paul, October 15, 2012

A fantastic book that should be a must-read for anyone working in network security (or wants to understand more about it). It's written in a way that is suitable for beginner and expert alike with the caveat that beginners may need to sharpen some of their networking skills to understand some concepts. This isn't another tools book but a different way to think about attacks and how to detect them on your network. Fantastic book by Bejtlich and one to keep on the shelves and use to expand your own reference material through experience and knowledge.

November 4, 2014

This book should be read by anyone involved with network security. Without monitoring, you are blind to what is going on, and have no hope of defending against attackers. It goes over essential principles and tools. While some of the material is starting to show its age, it continues to be comprehensive in its coverage.

I wish I had read this when I first became a SOC analyst; it would have smoothed out a few areas where I had to figure out things the long way around.