The Practice of Network Security Monitoring: Understanding Incident Detection and Response

Posted on by Ben Rothke

It has been about 8 years since my friend Richard Bejtlich’s (note, that was a full disclosure ‘my friend’) last book Extrusion Detection: Security Monitoring for Internal Intrusions came out.  That and his other 2 books were heavy on technical analysis and real-word solutions.  Some titles only start to cover ground after about 80 pages of introduction.  With this highly informative and actionable book, you are already reviewing tcpdump output at page 16.

In The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Bejtlich takes the approach that your network will be attacked and breached.  He observes that acritical part of your security posture must be that of network security monitoring (NSM), which is the collection and analysis of data to help you detect and respond to intrusions.

In this book, Bejtlich details how to design a NSM program from the initiation state.  Being a big open source proponent, the book lists no proprietary tools and myriad open source solutions.  The book is designed for system and security administrators, CIRT managers and analysts, incident handlers, NSM architects and engineers with a strong background in understanding threats, vulnerabilities and security log interpretation.

The book is about the inevitable, that attackers will get inside your network.  While it’s foreseeable they will get in, it’s not inevitable that you have to be caught off-guard.  For those who are serious about securing their network, this is an invaluable book that provides a unique and very workable model to create a fully-functioning NSM infrastructure.

The book is a hands-on guide to installing and configuring NSM tools.  The reader who is comfortable using tools such as Wireshark, Nmap and the like will be quite at home here.

This is a book about how not to be surprised and its 13 chapters detail how to create and manage a NSM program, what to look for, and details myriad tools to use in the process.

The focus of the book is not on the planning and defense phases of the security cycle, hopefully, that is already in place in your organization, rather on the actions to take when handling systems that are already compromised or that are on the verge of being compromised.

In chapter 1, the book details the difference between continuous monitoring (CM) and NSM; since their terms are similar and many people confuse the two. CM is big in the federal computing space.  The book notes that CM has almost nothing to do with NSM or even with trying to detect and respond to intrusions.  NSM is threat-centric, meaning adversaries are the discussion of the NSM operation; while CM is vulnerability-centric; focusing on configuration and software weaknesses. 

Also in chapter 1, Bejtlich asks the important question: is NSM legal?  He writes that there is no easy answer to that questions and anyone using or deploying an NSM solution should first consult with their legal counsel; in order not to potentially violate the US Wiretap Act and other laws and regulations.  This is especially true for those who are in European Union (EU) countries, as the EU places a high threshold on information security teams who want to monitor network traffic.  Something as simple as running Wireshark on a corporate network in the US, would require court approval if done on an EU-based network.

One of the main NSM tools the book references and details is Security Onion (SO).  SO is a Linux distro for IDS and NSM.  It's based on Ubuntu and the distro contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other useful security tools.

The book details and explains how use these tools in an NSM environment.  An important point Bejtlich makes in chapter 9 regarding the tools, is that analysts need tools to find intruders.  But methodology is more important than just software tools.  Tools collect and interpret data, but methodology provides the conceptual model.  He explains that CIRT analysts must understand how to use tools to achieve a particular goal, but it is imperative and important to start with a good operational model first, and then select tools to provide data supporting that model.

The book has a short discussion of how cloud computing effects NSM.  In a nutshell, the cloud throws a monkey wrench into an NSM effort. For example, it is generally not an option for SaaS offerings since customers are limited to the back-end logs.

The book closes with the observation that NSM is not just about all the tools that the author spent over 300 pages discussing, rather it is more about the workflows, metrics and collaboration.  Unfortunately, this title does not detail the necessary workflows for a NSM and it is hoped that the follow-up to this book will.

The only negative in the book is that as CSO of Mandiant, Bejtlich references his firm’s products, mainly their MIR appliance for a CIRT.  In the spirit of objectivity and not trying to have the book come across as marketing PR, if an author is going to mention a product their firm sells, they should also mention alternative solutions.

For those looking for a comprehensive guide on the topic of NSM, written by one of the experts in the field, The Practice of Network Security Monitoring: Understanding Incident Detection and Response is an excellent reference that is certain to make the reader a better information security practitioner, and their network more secure.

ISBN: 978-1593275099

Ben Rothke

Senior Information Security Manager, Tapad

hackers & threats

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community