Book Review: The Practice of Network Security Monitoring
Earlier this year Richard Bejtlich (@taosecurity) was on PDC http://pauldotcom.com/wiki/index.php/Episode327 Since that time his book as been released. The Practice of Network Security Management from NoStarch (http://nostarch.com/nsm). Richard is an individual who knows what he is talking about when it comes to NSM, having run a CIRT for the Air Force and GE and now resides as the CSO for Mandiant. Richard has also authored The Tao of Network Security Monitoring and Extrusion Detection.
This an excellent resource for beginners to NSM or people starting to do NSM in their environment and it is not intended for experienced NSM practitioners. It begins with a very good overview of what NSM is and what constitutes NSM and the sort of data that needs to be collected. Gives some good examples of how to place sensors and caveats found in large organizations with NAT and the like. Then to tie the types of devices into a tool, Richard introduces a very good set of Open Source tools like, Bro (bro.org), Snort, Squil, Snorby, ELSA etc. that are part of the Security Onion distribution created by Doug Burks (@dougburks).
The first section of the book is dedicated to in the installation of Security Onion and configuration of the tools that go along with it so that the reader could spin up their own instance and learn along with the book. If you are in anyway experienced with Linux installations you can skip most of this section, it was written so folks without much exposure can install SO. Once that is taken care of he builds on the tools contained within SO. When he can he shows multiple ways and tools to achieve the same thing, for example using tshark and the GUI version of Wireshark to analyze packets. He gives real world examples of data that tripped things like Snort to help understand the workings of the tools.
After the basics and tools are introduced it dives into using NSM to monitor a network. Areas like phases of an investigation and what data might help identify success vs attempt in an incident. He discusses incident classification which is one place I think CIRTs miss. The best part in my opinion of the whole book is in chapters 10 and 11. Once everything is introduced and a good understanding of the tools are in place Richard walks through 2 sample breech investigations and takes a step by step approach on the analysis done, data and tools used to identify the extent of a breach.
This is a very well written technical book. This is a very easy and quick read for its size, provides many examples and screen shots to give readers a good understanding of how to use the tools in the book. I would recommend this for anyone getting into the field of incident response who doesn’t have a great understanding of NSM, newcomers or perhaps less technical Managers.
-Greg Hetrick @gchetrick