The Practice of Network Security Monitoring: Understanding Incident Detection and Response
Richard Bejtlich
Language: English
Pages: 376
ISBN: 1593275099
Format: PDF / Kindle (mobi) / ePub
Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.
In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.
You'll learn how to:
- Determine where to deploy NSM platforms, and size them for the monitored networks
- Deploy stand-alone or distributed NSM installations
- Use command line and graphical packet analysis tools, and NSM consoles
- Interpret network evidence from server-side and client-side intrusions
- Integrate threat intelligence into NSM software to identify sophisticated adversaries
There's no foolproof way to keep attackers out of your network. But when they get in, you'll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.
Web Application Defender's Cookbook: Battling Hackers and Protecting Users
That point is where they will deploy their first NSM sensor. 34 Chapter 2 Other networks with servers, networking gear, etc. Internet Router Laptops, mobile devices, etc. Switch Servers Switch Switch Wireless Network DMZ Network Wireless access point Firewall Switch NSM platform Laptops, workstations, other networks, networking gear, etc. Internal Network Figure 2-2: Vivian’s Pets networking elements Traffic Flow in a Simple Network In order to properly locate monitoring
log in to sensors as the root account. If possible, access the sensor using shared keys, or use a two-factor or two-step authentication system like Google Authenticator. 3. Always administer the sensor over a secure communications channel like OpenSSH. 4. Do not centrally administer the sensor’s accounts using the same system that manages normal IT or user assets. 5. Always equip production sensors with remote-access cards. 6. Assume the sensor is responsible for defending itself. Limit the
XSize,data_length+index_length TSize FROM information_schema.tables -> WHERE table_schema NOT IN ('mysql','information_schema','performance_schema')) AAA -> GROUP BY DB WITH ROLLUP) AA,(SELECT 3 pw) BB ORDER BY (SDSize+SXSize); +------------------+----------------------+----------------------+----------------------+ | DBName | Data Size | Index Size | Total Size | +------------------+----------------------+----------------------+----------------------+ | elsa_web | 0.000 GB | 0.000 GB | 0.000 GB
corresponding hex and ASCII output in the bottom pane. Figure 7-6: Wireshark explains an ARP request message. Omitting Traffic to See Remnants Another particularly useful feature of Wireshark is its ability to filter traffic to show you interesting remnants. Sometimes I hunt for traffic by telling Wireshark what to ignore so that I can examine what’s left behind. I Graphical Packet Analysis Tools 141 start with a simple filter, review the results, add another filter, review the results, and
investigated intrusions as part of Foundstone’s incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). He is a graduate of Harvard University and the United States Air Force Academy. He is the author of The Tao of Network Security Monitoring and
