The Practice of Network Security Monitoring: Understanding Incident Detection and Response

The Practice of Network Security Monitoring: Understanding Incident Detection and Response

Richard Bejtlich

Language: English

Pages: 376

ISBN: 1593275099

Format: PDF / Kindle (mobi) / ePub


Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.

In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.

You'll learn how to:

  • Determine where to deploy NSM platforms, and size them for the monitored networks
  • Deploy stand-alone or distributed NSM installations
  • Use command line and graphical packet analysis tools, and NSM consoles
  • Interpret network evidence from server-side and client-side intrusions
  • Integrate threat intelligence into NSM software to identify sophisticated adversaries

There's no foolproof way to keep attackers out of your network. But when they get in, you'll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.

Next Generation Wireless LANs: Throughput, Robustness, and Reliability in 802.11n

Learning the vi and Vim Editors (7th Edition)

Microsoft Excel 2010: Comprehensive

Mastering Object-oriented Python

Software for Data Analysis: Programming with R (Statistics and Computing)

Electronic Value Exchange: Origins of the VISA Electronic Payment System (History of Computing)

 

 

 

 

 

 

 

 

 

 

 

“Graphical Packet Analysis Tools,” adds GUI-based software to the mix, describing Wireshark, Xplico, and NetworkMiner. Chapter 8, “NSM Consoles,” shows how NSM suites, like Sguil, Squert, Snorby, and ELSA, enable detection and response workflows. Part IV, “NSM in Action,” discusses how to use NSM processes and data to detect and respond to intrusions. • • • • • Chapter 9, “NSM Operations,” shares my experience building and leading a global computer incident response team (CIRT). Chapter

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part I Getting Started 1 Network Security Monitoring Rationale 3 . . . . . . . . . . . . . . . . . . . . . . . . 4 . 5 . 8 . 9 10 11 12 13 14 15 16 16 19 21 22 24 26 28 30 31 31 32 32 2 Collecting Network

Filesystem /dev/sda1 udev tmpfs none none Size 456G 1.5G 603M 5.0M 1.5G Used Avail Use% Mounted on 96G 337G 23% / 4.0K 1.5G 1% /dev 876K 602M 1% /run 0 5.0M 0% /run/lock 216K 1.5G 1% /run/shm $ sudo du -csh /nsm 86G /nsm 86G total Listing 5-7: Disk usage commands 108   Chapter 5 As you can see, this sensor has plenty of space available on the hard disk (/dev/sda1), with only 23 percent in use. The /nsm directory occupies 86GB of the 96GB taken up by the whole partition. The example of a

Carnegie Mellon’s Software Engineering Institute (SEI) in 1993, and released the code publicly as Argus 1.5 in early 1996. Today, the code exists as a server component and multiple client components, licensed under the GNU General Public License version 3. You can validate the status of the Argus server by running the nsm_sensor_ ps-status script with the --only-argus switch, as shown in Listing 6-26. 128   Chapter 6 $ sudo nsm_sensor_ps-status --only-argus Status: sademo-eth1 * argus [ OK

13 Proxies and Checksums Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Proxies and Visibility . . . . . . . . . . . . . . . . . . . . . Dealing with Proxies in Production Networks . . . . . Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A Good Checksum . . . . . . . . . . . . . . . . . . . . . . . A Bad

Download sample

Download