Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Books Media Book Reviews

Tao of Security Monitoring 107

Anton Chuvakin writes "Here is a really cool security book that made me lose half a night's sleep when I first got it. Richard Bejtlich's Tao of Network Security Monitoring (Tao of NSM) covers the process, tools and analysis techniques for monitoring your network using intrusion detection, session data, traffic statistical information and other data." Read on for Chuvakin's review of the book.
Tao of Security Monitoring
author Richard Bejtlich
pages 798
publisher AWL
rating 10
reviewer Anton Chuvakin
ISBN 0321246772
summary Awesome and novel book on monitoring security

The book starts with an fun, exciting background section introducing security, addressing both risks and the need to monitor networks and systems. Topics such as the classic "threat x vulnerability x value = risk" formula to threat modeling and limitation of attack prevention technologies are included. A nice thing on the process side is the "assess -> protect -> detect -> respond" loop, defining at a high level a reasonable security process for an organization. The threat-analysis material seems to have military origins, but is enlightening for other types of organizations as well.

The concept of network security monitoring, as in the book's title, is introduced as being 'beyond IDS' -- with some coverage on why IDS deployments fail and what else is needed (NSM process and tools, that is).

Bejtlich makes the important, rarely appreciated point that intruders are often smarter than defenders. It presents a stark contrast to the "staying ahead of the hackers" theme of many security books, an approach which makes no sense in many cases as the attackers are in fact far ahead to start with. The NSM approach will indeed work against advanced attackers, albeit (as the author admits) at a high resource cost to the defending organization. Such 'worst case' scenario preparations are extremely rare in other security books. Detecting such intruders is covered as part of a breakdown of the compromise process into five phases (from reconnaissance to using/abusing the system).

Another gem is the idea of a "defensible network": not "secure" or "protected," but defensible. A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services. A network so configured assures that if bad things happen there, they can be handled effectively.

I liked how the tools are covered in the book. The explanation of each tool is not simply a rephrasing of that tool's manual, but rather presents the tool's best use in the context of the entire system. While the paradigm "products perform collection, people perform analysis" might grow stale as the products get smarter, having training analysts still is one of the best investments in security. On the process side, the book covers complete analyst training. People are indeed the critical component of NSM, since most of the decision-making relies on trained analysts and their investigation, classification and escalation of alerts.

A chapter on netflow and other types of session/connectivity data presents considerable interest to those monitoring networks. Example case studies show how such data helped identify intrusion action that did not directly produce IDS alerts. Same applies to traffic visualization and statistical tools that enrich the IDS data and can sometimes provide early anomaly indications as well.

NSM event-driven analysis in Tao of NSM is centered on Sguil - a new GUI frontend to NIDS, session and other context data, facilitating easy and effective event classification and escalation (if needed).

Emergency NSM vs ongoing monitoring NSM procedures are also covered in the book. Even if an organization does not maintain an ongoing security monitoring program, it can still benefit from NSM that is deployed after a suspected intrusion.

Attacks against NSM processes and technologies also fill a dedicated section. Such attacks include intruder tools as well as attacks against the human (such as simply attempting to overwhelm the analysts) and process components of the NSM.

The book should be required reading for any security professional, and for those wishing to enter the field. It helps to broaden the horizons of seasoned professionals as well as educate the beginners in monitoring techniques. While the value of NSM as an approach can be debated in modern organizations (where tuned sensors and skilled analysts are an exception rather than the rule), the book is a superb security resource even for those who do not choose to implement NSM at the moment.


info-secure.org maintainer Anton Chuvakin, Ph.D., GCIA, GCIH is a security strategist and author of Security Warrior . You can purchase Tao of Security Monitoring from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Tao of Security Monitoring

Comments Filter:
  • Common Sense (Score:4, Insightful)

    by MikeMacK ( 788889 ) on Friday August 27, 2004 @02:29PM (#10091050)
    A defensible network is one that can be watched, is configured to limit possible intruder actions, can be kept up to date, and runs only the minimum necessary services.

    This seems like common sense. Shouldn't all network admins be doing this anyway?

    • by Keruo ( 771880 ) on Friday August 27, 2004 @02:31PM (#10091074)
      NO! because Zonealarm is saying you're under ATTACK!!!

      and someone is pinging your host...
      • I was thinking of writing a program to continuously monitor the Zone Alarm logs and play wav sounds. As an option, people could install theme packs with various sounds depending on the port and source IP address. Repeated hits would increase the volume of the sound.

        That ought to make people (and the surrounding cubicals) feel secure!

        • Install a real firewall [kerio.com], ZA is way too flakey for me. Anytime I've been running ZA and have a connection problem 9 times out of 10 it is somehow mangling packets.
          • Neither of them are real firewalls. For light-duty protection, I've never had problems with ZA. Either product is probably better than using the software firewall from the same company that should have made their OS secure in the first place.

            In any event, supporting all their log file formats should be easy. For starters I'll either go with pinball SFX or swipe the ones from Doom 2. (The port 445 sound is going to get used a hell of a lot!)

            • Yeah neither is SPI I suppose, for that I use an old via 600 underclocked to 433 running without a fan and astaro [freshmeat.net] linux firewall. The CPU gets up to 60 degrees but the firewall itself runs stable. I've had uptimes in the 100 day range.
      • Well, MAYBE you should stop broadcasting your IP address to the Internet.
        • by Fred_A ( 10934 )
          I never figured that "you're broadcasting your address to the internet" thing.
          Broadcasting ?

          as in
          # ping -b 255.255.255.255

          Windows does that automatically ? Would that explain why Windows hosts generate so much traffic on Ethernets ?

          Or is every packet rewritten so that the return address is 127.0.0.1 which would explain why quite a few things appear not to work for mysterious reasons when I try Windows networking (I admit to not using Windows much).

          Or has somebody from the sales department been set loose
    • Re:Common Sense (Score:2, Interesting)

      by archen ( 447353 )
      I used to think so, then I hit the real world - where everyone seems scared shitless that patches are going to break their "system". Where I work we must have about 6 to 7 of the aforesaid systems, which involve many more computers. I sometimes wonder if this is just where I work, but I tend to find this in most other places I've seen as well.

      I've seen enough bad patches/upgrades to wonder if they might be right.
      • Re:Common Sense (Score:4, Insightful)

        by Anonymous Coward on Friday August 27, 2004 @02:56PM (#10091265)
        Yes. Despite what the wannabes and poseurs say, many Microsoft patches to break things. We got hit with Blaster because we couldn't patch for it because the patch broke Autodesk applications which are ctitical to our business. One patch killed one of our servers and only upon deep research did I doscover that even MS warned you that the patch would kill any system using a Compaq Smart Array RAID controller. Too late for us though. It is easy for all the computer hobbyists who don't actually work in IT to blame the sysadmin for all the security problems but the day to day reality is way more complex than that.
    • Re:Common Sense (Score:4, Insightful)

      by kelnos ( 564113 ) <bjt23@cornel[ ]du ['l.e' in gap]> on Friday August 27, 2004 @02:39PM (#10091145) Homepage
      This seems like common sense. Shouldn't all network admins be doing this anyway?
      sure. but saying and doing are two very different things. there are lots of different things you can do to monitor your network, all with different costs (both in performance and cash), and all with different levels of required human intervention.

      at the very least, i imagine many networks have an admin budget that is too small to allow as much thoroughness in securing the network as the Tao of NSM would recommend - both in money to buy proprietary products, and in manpower to set up, monitor, and maintain them.
    • This seems like common sense. Shouldn't all network admins be doing this anyway? All network security work is pretty much just common sense, don't you think? It's how much common sense you actually put to work that's important.
    • This seems like common sense. Shouldn't all network admins be doing this anyway?

      Yes of course. You should spend an hour a day in silent contemplation of the "The Spinning Cube of Potential Doom [nersc.gov]".

      BTW, If you think common sense is common, your sample size is to small.
    • This seems like common sense. Shouldn't all network admins be doing this anyway?


      Try "good sense". Common sense is not necessarily a good thing.

      A good definition for should is: "ought to but not necessarily will".

    • Re:Common Sense (Score:2, Insightful)

      by Dabido ( 802599 )
      This seems like common sense. Shouldn't all network admins be doing this anyway?

      As someone who has worked as both a Network Engineer and a System Administrator, I can tell you that Management and common sense do not go together. Many a time we asked for tools and software to help stop the hackers, but management refused under the grounds that they thought "security through obscurity" would work. They figured no one would hack into us. When we did testing and found holes in the security that script kid
  • No need! (Score:4, Funny)

    by StevenHenderson ( 806391 ) <stevehenderson@NOspam.gmail.com> on Friday August 27, 2004 @02:32PM (#10091085)
    Dude, I already downloaded SP2. I'm invincible now. Looks like this guy was just a little late with the book!
  • His Other Book (Score:4, Informative)

    by kjfitz ( 256432 ) on Friday August 27, 2004 @02:35PM (#10091112) Homepage
    His other book Incident Response [amazon.com] covers what to do once you've been attacked.

    Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?

    • "Hmm. I wonder if it has a chapter on finger pointing and avoiding blame?"

      Upon learning that your systems have been penetrated, proper incident response is as follows:

      1. Scream. Hold head between hands and moan.
      2. Check passport, one-way tickets to South American country of choice. Express relief that the emergency escape kit is still operational.
      3. Remember advising boss to recind deparmental policy of secure sticky-note-on-the-monitor storage for passwords. Recall boss' gales of laughter in
    • Incident response is by Mandia, Procise and Pepe. Tao of NSM is by Bejtlich.

      Has someone gotten married in some unknown country where men take their wives' family names? Or are was your comment in response to a parent that has been modded into oblivion?

      At any rate, Incident Response is an excellent book, whoever it's by.

  • by Anonymous Coward on Friday August 27, 2004 @02:48PM (#10091213)

    "If you're serious about security and aren't afraid of the mailing lists, OpenBSD is really the only way to go."
    - Richard Bejtlich
  • by pete-classic ( 75983 ) <hutnick@gmail.com> on Friday August 27, 2004 @02:49PM (#10091217) Homepage Journal
    . . . no longer clever to use the word "Tao" or "Zen" in your book title.

    Thank you for your attention regarding this matter.

    -Peter
  • author's blog (Score:5, Informative)

    by coolguy81 ( 322371 ) on Friday August 27, 2004 @03:01PM (#10091301) Homepage
    I have been reading this authors blog [blogspot.com] for a while now...

    If you are in to BSD/Security, you should really check it out.
  • Finding a trojan (Score:4, Interesting)

    by noerej ( 412423 ) on Friday August 27, 2004 @03:06PM (#10091325)
    I'am also a application maintainer of some web application. During mine holliday the application started to have some random problems. When I returned I begin the investigation to the cause.
    I Couldn't reproduce the errors, so it took some time to get futher with finding the cause. After some time I looked at the eventviewer (Yes it is Win2000 and not linux) and saw that the computer rebooted on average twice a day. The error messages said "Unexpected reboot". The sysadmin could find a cause also. In most cases this error was caused by a hardware error. So what I did is download etherreal and monitor the network traffic from the server. (This shows how nice opensource is. You just download in for free as in bear. If there was not FOSS i couldn't do this). I saw some strange network trafic to port 445 on the computer. I also saw that it uses a specific function. When I googled with this function I saw that there was I bug in the 'lsass' program regarding this bug. Then I checked the network traffic from the source host and saw some strange network traffic to outside the organisation on port 445, what is verry strange. After the investigation of the computer (desktop) they found the pedodo (I think it is called this way) trojan. (It collect passwords and creditcard numbers)
    Now we patched the server (it was only SP4) and every thing was fine. This solved the problem. So I think this solved the problem. Mine conclusion was that this trojan disturbed the server.
    This showes how fucked windows is and how great foss is.
    • I like FOSS too, but be reasonable. There are flaws in FOSS, as well. Do you remember this [linuxreviews.org] from not too long ago?
      • I dit forget to mention that this trojan was spread by a firus wich uses a bug in IE
      • by Dr.Dubious DDQ ( 11968 ) on Friday August 27, 2004 @03:53PM (#10091676) Homepage

        I know I've said this before, but that particular report of a "security problem" (why that's in quotes, I'll get to in a moment) in the Linux kernel is an excellent illustration of the difference between Microsoft's (and presumably other proprietary vendors) attitude to "security" vs. most open source projects.

        This problem can be simplistically summarized thusly: "Someone who can log into a linux system can conceivably run a malicious program that might crash or lock up the Operating System". In Linux, this is characterized as a "Security Problem".

        Now, think about it - if you called Microsoft (picking on them since that's the proprietary vendor we're talking about at the moment) and said "Hey, I have a program that when I run it, it crashes the system"...what kind of response will you get? "Well, don't run that program. It's obviously either defective or a trojan." Which would be the truth. But they have historically not considered that a problem in the OS AT ALL, let alone a security problem. Remember all those years ago when they claimed that most windows crashes are caused by anti-virus software?...)

        Yes, FOSS also has flaws. Sometimes even serious ones. But it usually seems like FOSS projects more readily and more quickly address those flaws than proprietary ones do.

    • he says:
      This showes how fucked windows is and how great foss is.

      Really? Maybe you haven't heard of all of the kernel level rootkits available for cracking linux boxes. Crackers don't really discriminate. They will use ANY exploit on ANY platform.
    • Most up-to-date virus scanners will be easier than monitoring the network traffic to find a trojan.
      • The server wich is used by the web application was never infected with a virus. We scanned the computer and it was clean. The server was disturbed by a virus on a other desktop wich hadn't any up to date virus scanner. I couln't know also because i'm not a sysadmin.
        Btw they changed the virus scanner, such that it is update daily.... better late than never.
    • This shows how nice opensource is. You just download in for free as in bear.

      Free bears? What next, Armed bears? [sourceforge.net]

      • I think i meant 'free beer' . But free bear is also possible. The place i work, is in the middle of a forrest, so a free bear is possible.

        Once we had a herd of 40 mad cows walking on the field near our office. They where broken out some grazing land. One of the cows spoke to me , and said that he was Durl MoeBride. He kept repeating ' I need Scoe Code , I need Scoe Code'. I don't know what he was talking about. Nobody did either.

        Any way ...
    • You and your sysadmin are fools. Ever hear of PATCHING??? Sure Windows has it's problems, but most of them are people who don't pay attention to the fact that you must patch EVERY month. (You do know that Microsoft releases patches every month, right?)

      If you did that, your "bug" would never had surfaced.

      If only people stop running Windows servers the same way they run thier switches and routers. the Internet might be a better place.

      -B

      ---
      I had a sig once... Then I didn't.
    • No, I think it shows that your network design and firewall configuration was really dumb to begin with, not to mention OS hardening.

      Why was it reachable on port 445? Why could the box connect to outside hosts AT ALL?
      • First the desktop was inside the firewall and the desktop only tried to reach an outside host, but failed.
        • Sorry then, but you didn't mention this anywhere in the original post, and "web application" and "server" somehow didn't indicate to me that we were talking about infection on a local network. Even then, there should be some hardening and some degree of separation of the server LAN from the desktop machines, even though this is rarely fully implemented in actual environments.
    • I got many critical comments from this post, and would like response to all this way.
      * Yes there is much wrong with our IT. But i'm not a sysadmin and I'am not part of the IT department so i can't change anything about that.
      * The sysadmin with I needed to deel with is a mcse
      * I even need to explain to them that the need to protected their citrix servers for spyware. The mcse guy didn't even know what spywhare was (even he was a mcse).
      * And yes there is a lot wrong with firewalling. But that is not mine rep
  • Another Great book (Score:4, Informative)

    by chadwbennett ( 808873 ) on Friday August 27, 2004 @03:06PM (#10091327) Homepage
    If you like this one, or are interested in these books, another good read is
    1. Stealing the network: How to Own a Continent [amazon.com]
    This one is co-authored by a bunch of well know hackers/crackers ie ... Fyodor, FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale, and several others.

    It's for real [wired.com]. I normally don't go for these things but...Free ipods (click here to get yours) [freeipods.com] .

  • SGUIl (Score:4, Interesting)

    by scottder ( 27901 ) on Friday August 27, 2004 @03:16PM (#10091400) Homepage
    Shameless Plug: Check out SGUIl if you have a chance. http://sguil.net/ [sguil.net]
  • I hate when people assume they're smarter than I am. I hate those "For Dummies" and "For Idiots" books, because I am in no way a dummy nor an idiot. I simply don't have the same information.
    Tell me I'm misinformed, tell me I don't know everything, I'll agree with you. Tell me that some hacker is smarter than I am, and I'll tell you that you need to find a new definition of smarter. The only thing that hacker might have on me is knowledge of a few things I don't.
    Anyway, rant over, and this actually soun
    • "The only thing that hacker might have on me is knowledge of a few things I don't."

      Uh, which would make them SMARTER then you, on that particular subject.

      Hell, I know virtually nothing about automotive things, nor really want to, and my friend who is a wiz on cars knows precious little about programming...

      So, we're smarter then each other in our respective fields, but stupid in the field we're not strong in.

      Somehow I also doubt you are the "smartest" person in your field either... actually, I don't thin
      • "The only thing that hacker might have on me is knowledge of a few things I don't."
        Uh, which would make them SMARTER then you, on that particular subject.


        First of all, it's than not then.

        Smart != Knowledge
        My little, silver-dapple dachshund is not very smart (compared to some people...there's a fairly good-sized overlap between the smartest animals and the dumbest people), but she's knowledgeable enough to know that when I put a shirt on at suppertime, I'm getting ready to go pick up food and she's at
  • to the bible of all IDS analysts, Network Intrusion Detection [amazon.com] by Stephen Northcutt & Judy Novak (ISBN# 0735712654)?

    Would you consider this a compliment to, or overlap of aforementioned text? If so, in what ways?
    • by bamm ( 244595 ) on Friday August 27, 2004 @05:38PM (#10092502) Homepage

      How does it compare to the bible of all IDS analysts, Network Intrusion Detection by Stephen Northcutt & Judy Novak

      That's a really good question. To me the bible is Stevens TCP/IP Illustrated Vol I [amazon.com]. While Northcutt's book is a great introduction to IDS and anaylsis for beginners, I think Rich's book goes beyond that (as evident in reviews [amazon.com] from respected members in the community like Lance Spitzner from the Honey Net Project [honeynet.org]). To quote Ron Gula from the foreword [awprofessional.com] of Richard's book.
      If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, "What's next" If so, this book is for you.

      You can also read a couple of sample chapters [awprofessional.com] from the book.

      Of course, I am a little bias. Rich is a great friend, but I truly think he did an awesome job of creating something that should be required reading for anyone involved in network secuirty.

      Bammkkkk
  • by lukewarmfusion ( 726141 ) on Friday August 27, 2004 @05:03PM (#10092258) Homepage Journal
    I haven't slept for ten days!
    .
    .
    .
    Because that would be too long.
  • by Paws Across the Keyb ( 761771 ) on Friday August 27, 2004 @05:17PM (#10092352)
    OMFG, this is sooooo important. Infosec is my bread and butter, and has been for about six years, now. You simply would not believe the shannigans you can catch wise to if you monitor your system, A/V, and firewalls on a daily basis.

    Things like fast-spreading infectors that got past your A/V proxies because they got to them before the vendor's new pattern file did.

    Attempts by employees to download things like Back Orifice for use as revenge tools.

    Engineering failures.

    Misconfigurations.

    Vendor screwups.

    Stealthy host sweeps that dribble one TCP/21 packet every 75 minutes into your Internet-facing DMZ. No, that last one totally blew by our worthless network IDS; we ended up blackholing the IP at the border router. No choice, our DMZ ftp server used wu-ftpd.

    Porn download attempts.

    Boxes in your trusted network infected by viruses.

    I spent twenty months doing log monitoring. I caught all these event types and more. There is a whole wide, wacky wonderful World Of Hurt out there that you can duck or mitigate if you just monitor your logfiles. And most shops never really do.

  • This is not OT, but I know it's probably irrelevent for most of you, but what is it with the abuse of people who write "The Tao of Management" and "The Tao of Security MOnitoring" and "The Tao of Funds Management" and "The Tao of trying-to-use-the-word-tao-to-seem-really-cool"?

    As a Taoist, I'm more than a little bugged that the word Tao is used haphazardly by every joe shmoe to title their new instructional book.

    Using the word without understanding it or true reverance is almost sacreligous for me.
    • There has got to be a fanatic somewhere. Why as a Taoist would you ever allow yourself to get worked up over a trivial issue like a book title? So the author uses Tao instead of the saying Way. And you don't even know the guy or why he chose the title. Or maybe he didn't. It could have been the publisher which chose the title.

      Maybe when you have a little less ego and a bit more Tao in you you can come back and do something Lao Tzu would have appreciated.

      Laugh at it.

      • I already considered that I may have been taking it too seriously before posting, but I thought that my opinions were, too a certain extent, justified. After all, I don't say "Jesus Christ!" as an exclamation of surprise out of respect for my Christian friends. A certain respect for the perceived holiness of certain words by others is a good thing. Not everyone who is offended by misuse of his/her holy word is a "fanatic".

        Finally, even if I did become too attached to the word "Tao", it doesn't mean I need

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...