Page date: November 22, 2008
The Tao of Network Security Monitoring: Beyond Intrusion Detection
Author: Richard Bejtlich
Publisher: Addison-Wesley Professional
Category: Book

List Price: $64.99
Buy New: $37.60
You Save: $27.39 (42%)
Buy New/Used from $22.50

Avg. Customer Rating: 5.0 out of 5 stars(20 reviews)
Sales Rank: 37928

Language: English
Media: Paperback
Edition: 1
Number Of Items: 1
Pages: 832
Shipping Weight (lbs): 2.7
Dimensions (in): 9.2 x 7 x 1.5

ISBN: 0321246772
Dewey Decimal Number: 005.8
UPC: 785342246773
EAN: 9780321246776
ASIN: 0321246772

Publication Date: July 22, 2004
Availability: Usually ships in 1-2 business days

Customer Reviews:
Showing reviews 16-20 of 20

5 out of 5 stars Great book for security professionals   August 25, 2004
  1 out of 1 found this review helpful

This book clearly explains the process and methodology of security process for security professionals. Great writing style and covers topics in security and network monitoring in detail.


5 out of 5 stars This book Rocks!   August 24, 2004
  2 out of 3 found this review helpful

One of the things I love about information security is the more you learn, the more you realize the less you know. Richard's book is the perfect example. After analyzing a variety of attacks over the years, I felt very knowledgeable in the area of network analysis and forensics. This book opened the door for me, revealing a variety of tools and techniques I never even considered. You can tell the author is highly experienced, and writes in a very straightforward and easy to understand format. If you ever want to go beyond firewalls, this is the book to read. It's a reference I intend on using for years to come.


5 out of 5 stars Superb and exclusive security book!   August 5, 2004
  23 out of 26 found this review helpful

Here is a really cool security book, that made me lose half a night's sleep when I first got it. Richard Bejtlich's "Tao of Network Security Monitoring" ("Tao of NSM") covers the process, tools and analysis techniques for monitoring your network using intrusion detection, session data, traffic statistical information and other data. Here are some of the book highlights.

The book starts from a really exciting and fun background on security, risk and the need to monitor networks and systems. Topics such as the classic "threat x vulnerability x value = risk" formula to threat modeling and limitation of attack prevention technologies are included. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, that defines a security process for an organization on a high level. Threat analysis material seems to have military origin, but is enlightening for other types of organizations as well.

NSM is introduced as being 'beyond IDS' with some coverage on why IDS deployments fail and what else is needed (NSM process and tools, that is).

A great and rarely appreciated idea expressed in the book is that the intruders are often smarter than defenders. It presents a stark contrast to all this "staying ahead of the hackers", which makes no sense in many cases as the attackers are in fact far ahead. The NSM approach will indeed work against the advanced attackers, albeit at a high resource cost to the defending organization. Such 'worst case' scenario preparations are extremely rare in other security books. Detecting such intruders is covered during their five phases of compromise (from reconnaissance to using/abusing the system).

Another gem is the idea of a "defensible network"; not 'secure' or 'protected', but defensible. A 'defensible network' can be watched, is configured to limit possible intruder actions, can be kept up to date and runs only the minimum necessary services, which assures that if bad things happen there, they can be handled effectively.

I also liked how the tools are covered in the book. It is not a tool manual rephrased, but rather the whole tool use context related to the rest of the NSM. While the paradigm 'products perform collection, people perform analysis' might be faulty as the products are getting smarter, having trained analysts is still one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.

A chapter on netflow and other types of session/connectivity data presents considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion activity that did not directly produce IDS alerts. The same applies to traffic visualization and statistical tools that enrich the IDS data and can sometimes provide early anomaly indications as well.

Of course, NSM event-driven analysis is centered on Sguil - a new GUI frontend to NIDS, session and other context data, facilitating easy and effective event classification and escalation (if needed).

Emergency NSM vs ongoing monitoring NSM procedures are also covered in the book. Even if the organization does not maintain an ongoing security monitoring program, it can still benefit from NSM that is deployed after a suspected intrusion.

Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human (such as overwhelming the analysts) and process components of the NSM.

Overall, the book is required reading for any security professional and those wishing to become one. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations where tuned sensors and skilled analysts are an exception rather than the rule, the book is a superb security resource even for those who do not choose to implement NSM at the moment.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book "Security Warrior" (O'Reilly, 2004) and a contributor to "Know Your Enemy II" (AWL, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal http://www.info-secure.org



5 out of 5 stars From Security Analyst to CSO this is "the way".   July 27, 2004
  4 out of 5 found this review helpful

Rich Bejtlich has taken a very common sense approach to Network Security Monitoring as he describes in detail NSM terminology, open source security tools, industry best processes, and provides valuable training suggestions for Security Analysts as well as well thought out case study information for Management.

The real world examples from Rich's extensive Incident Response experience highlight many crucial points throughout the book both from commercial and government perspectives.

Easy to understand network diagrams and detailed technical examples are prevalent throughout the book to illustrate each concept with great attention to detail.

The book wisely focuses in on a plethora of open source security technologies and analytical techniques but also goes to great lengths to point out that process, procedure and methodology are equally important when preparing your organization for an eventual compromise.

Whether you are new to network security and need guidance in your career, setting up your own SOC or CSIRC capability, or a seasoned veteran looking for ways to improve your skill set or that of the organization you represent, The Tao of Network Security Monitoring is an essential part of your preparation!



4 out of 5 stars A coherent approach to Network Security Monitoring   July 21, 2004
  9 out of 10 found this review helpful

As commercial websites and networks get built out, some companies find that their network becomes the nervous system of the organisation. The ubiquity of email and browsing, and the storage of much corporate information on a network, has led to a vital need to defend it.

The good news, in part, as pointed out by Bejtlich, is that you, the sysadmin, have available a very powerful set of free, open source tools, to scrutinise the network for anomalies. Tcpdump, Tethereal, Ethereal, Snort, Editcap, Mergecap, Tcpslice, etc. All free and supported by communities of developers. But these are not trivial to use. For example, Ethereal and Snort each have entire books devoted to them. Not surprisingly then, a large portion of this book discusses using the many tools. You do not necessarily need to use all of them. But as a sysadmin, you need to be generally aware of the different capabilities of the major tools, and how to best use them. Some explanations also include screen captures from their UIs, to give you a better idea of their operation.

But the book is more than just a collection of tool explanations. Bejtlich also promotes an overarching coherent approach to network security monitoring, that rises above the operational details of any tool. Much more qualitative than the specific details of using a given tool. But ultimately, this approach may be the most enduring value of the book.

