How well does your enterprise stand up against today's sophisticated security threats? In this book, security experts from Cisco Systems demonstrate how to detect damaging security incidents on your global network--first by teaching you which assets you need to monitor closely, and then by helping you develop targeted strategies and pragmatic techniques to protect them. Security Monitoring is based on the authors' years of experience conducting incident response to keep Cisco's global network secure. It offers six steps to improve network monitoring. These steps will help you:

  • Develop Policies: define rules, regulations, and monitoring criteria

  • Know Your Network: build knowledge of your infrastructure with network telemetry

  • Select Your Targets: define the subset of infrastructure to be monitored

  • Choose Event Sources: identify event types needed to discover policy violations

  • Feed and Tune: collect data, generate alerts, and tune systems using contextual information

  • Maintain Dependable Event Sources: prevent critical gaps in collecting and monitoring events

Security Monitoring illustrates these steps with detailed examples that will help you learn to select and deploy the best techniques for monitoring your own enterprise network.

Amazon.com® Reader Reviews (Ranked by Helpfulness)

Average Amazon.com® Rating: 5.0 out of 5, based on 8 ratings

Introduction to Basic Security Monitoring in 200 pages - 2009-07-11
I must start this review by noting that the authors of Security Monitoring (SM) cite my blog and books several times, which is appreciated. I must also mention that their boss Gavin Reid, who posted a review below, has offered to sponsor my company's application to the Forum of Incident Response and Security Teams (FIRST). O'Reilly kindly provided a review copy of SM.

I think SM should be positioned as an Introduction to Basic Security Monitoring. At just over 200 pages, it's not written to be much more than that. I'm not sure I will change the mind of the reviewer who considers my first book to be "introductory," but it might help to remember that my first book is just shy of 800 pages and covers every aspect of Network Security Monitoring.

SM is technically correct, but its approach to incident detection will fall far short of what is needed in the real world. SM concentrates on a paradigm it calls "policy-based monitoring" (abbreviated PBM here), with this goal: "to compare events discovered on the network to ensure that they are approved and acceptable... PBM is practical where acceptable conditions can be documented as policies... [Y]ou must codify acceptable behavior as policies, providing a reference point against which to survey" (pp 16-17). This sounds great, but it has several real flaws.

First, PBM is mostly useful against insiders who commit fraud, waste, or abuse. What is the policy supposed to be against external threats -- "don't steal my data"? SM describes "[t]wo types of policies... used for monitoring: regulatory compliance, which involves adherence to externally enforced controls, and employee policies, which govern the security compliance of employees" (p 18).

To demonstrate how this is supposed to work in production, SM outlines the "specific items we will monitor to effect policy monitoring" in their sample company Blanco Wireless (BW), including "monitor[ing] data center gateways to watch for signs that Social Security numbers are being transmitted over unencrypted links" (p 31). To operationalize this goal, BW implements a Cisco IPS 4255 sensor with a "custom NIDS signature to watch for unencrypted Social Security numbers on the wire" that "will match on regex for the US SSN number format ###-##-#### if it's seen on any TCP ports" (pp 143-145). That's it. Is this serious? We all know that intruders steal SSN data in cleartext while preserving the SSN format, right? Is the reader supposed to believe that the listed IDS signature is sufficient to implement PBM, and if it is, what value is PBM? If you say it's only an example, then you've tacitly agreed this book is an introduction at best.

Second, SM buys into the digital situational awareness paradigm that I call "sufficient knowledge." In other words, if a product fires an alert for "BitTorrent protocol" (example p 95), the analyst is supposed to accept it as truth and be happy with what he or she gets from the security product. In real life this is a recipe for eternal frustration. The reason is that the analyst can't tell if this alert is trustworthy, or what he or she should do about it. On p 91 SM says "In some situations, you may want to know exactly what packet(s) triggered the alert. You may also require the packet contents from the next few packets after the alert as well."

The fact is that real security analysts will want every scrap of network traffic associated with an alert, including knowing exactly how the detection mechanism decided to notify the analyst. It's ironic that the "Keeping It Real" conclusion chapter cites Northrup Grumman's practice of collecting "full packet capture... at network choke points" on p 193. I guarantee a NG analyst who gets an IDS alert and nothing else is going to be unhappy and unproductive.

Third, some parts of the book indicate to me that the authors are fairly new to enterprise monitoring. On pp 112-114 they discuss relying on SPAN ports and say "we wouldn't dare implement this inline at the data center gateways (or distribution layer), due to the high bandwidth requirements and asymmetric paths." Network engineers do this in ways that are safe and reliable, using taps. Later the authors complain that "occasionally a network engineer will 'steal' the SPAN," and they mention deploying an IDS inline without a tap (!). It sounds to me that the authors need to revisit the reasons why more mature operations rely on taps, even though Cisco doesn't sell them.

Aside from these issues, the book does do a good job of outlining the basic steps needed to go from monitoring nothing to monitoring something. Since something is always better than nothing in security, there is value here. The authors do a good job introducing NetFlow although coverage of v9 would have been nice. The suggestions in ch 7 regarding verifying that gear is working as expected are worthwhile. It is indeed important to "know your network" as ch 3 says. I liked the trick of sending flow-tools data into nfdump via ft2nfdump on p 52.

The bottom line is that if you are completely new to the idea that you have to pay attention to your network, you will find SM to be helpful. The caveat is that you should recognize the book is an introduction to the basics. It would have been fairly easy to recognize this aspect of the book if the authors had deployed their approach on a production network and missed their SSNs being transmitted over a non-TCP, covert, or encrypted session. The essential flaw in PBM is this: if you can define a policy for badness, why aren't you stopping it? In other words, "if you can detect it, why can't you prevent it?" In the real world this has proven to not be possible except for an exceptionally limited number of cases, making other approaches necessary.

great book! - 2009-05-01
There are many good books that discuss the basics of systems administration. This is not one of those books. This book is much deeper and more specific and fills a niche that I think needed to be filled.

If you are in charge of a group of servers, especially as your company's setup becomes larger and more complex, knowing how to check for problems and intruders is vital. It is also something that can be difficult to learn because of the dearth of materials readily available. This book seeks to remedy that problem.

The authors are experienced security analysts and speakers who refined their materials over many years of giving security related presentations at conferences. They know what they are talking about, and their manner of presenting the material is clear and logical. The book's subtitle is "Proven Methods for Incident Detection on Enterprise Networks." It fits.

When I first noticed the deep ties each of the authors have with Cisco, I was concerned that the book might focus solely on their products, but they discuss software and methods from many vendors, including free and open source options. I found their discussions honest, open, and balanced.

The book begins by answering what security monitoring is, why it would be useful and desirable, and discusses several of the challenges involved in doing it well. We then move to the implementation of policies for monitoring, including a good description of the many types of monitoring that can be done, their strengths and weaknesses.

Next, we are led to know our network. This is foundational, but something that many systems administrators and IT workers don't do, either because of time constraints or they just don't think about it. However, taking the time up front to explore and really know what is in your network and how it is set up gives you a great advantage later when you receive security notices from your monitoring software--it helps you sort important things out from noise far more quickly and easily. The time savings later make this step well worth the time it takes to perform it.

Later, the book helps us select targets for monitoring, choose good sources for event collection and keep them dependable, feed and tune our network intrusion detection systems and logging, and far more.

Each chapter and topic is demonstrated through an example that persists throughout the book, a fictional company called Blanco Wireless. As the chapters progress, we analyze and create security monitoring for the company. That was a useful thing to include.

One of my favorite features of the book is the final chapter which gives multiple real life examples through case studies and anecdotes to help illustrate moments when implementing the advice in the book would have been incredibly helpful, but when it was not done prior to an incident. The authors are very honest and humble here and own up to their humanity. Like the rest of us, they don't always do what they know should be done. Some of these are their stories of learning the hard way that you don't save time by skipping steps.

I think this book belongs on the shelf of anyone who has any responsibility for the security of systems, whether that responsibility is ultimate or partial. There is a lot in here, and anyone working in the field is sure to benefit in some way from the information.

Real world view... - 2009-04-19
This book is a quick-read "how-to" book to take your company to the next level. This is a real reality check written with an assumption that the reader is already familiar with networks and security. This book attempts to drive the value home with case studies, maintenance recommendations (yes, you do have to maintain the beast) and scripts to get started, and collected best practices. This is one of the books that gets dog-eared and noted in the margins quickly.

Network monitoring guide? Absolutely - 2009-08-04
Martin and Chris do a great job in providing the network security professional with a hands-on guide to incident detection on enterprise networks.

The authors state at the outset - this is not a guide for the novice, but rather a guide for the journeyman who has a good working knowledge of network, server and database administration, as well as security tools and techniques.

The guide is as stated a professional guide, with exemplars which can be used in a sandbox, or to assist you in noodling through specific infrastructure monitoring issues - such as "tuning" so the incident logs tell you the story, and don't drown you in event data.

Their chosen format draws upon the authors' experiences and of course discusses the tools they use on a daily basis. To their credit, they also point out and list other tools which are substantially similar to those they use in their everyday work, and this alone is a benefit to the reader - you've the makings of your list of potential vendors, ready at hand.

I have the privilege of seeing the result of these gentlemen's work and impact. That said, I also hear their voices clearly and distinctly in their verbiage - their articulation and emphasis is spot-on.

Worthy of the read, essential for the impact provided - a book of reference and exemplars which should be required in every incident response tool-box.

Christopher Burgess
Author: Secrets Stolen, Fortunes Lost

A pick highly recommended for any programmer's collection - 2009-07-19
How well does a network stand up against modern security threats? Here two security experts from Cisco Systems show how to detect security incidents on a global network, how to develop regulations and monitoring criteria, and how to discover violations. Examples offer specifics, not generalities, and provide all the keys to monitoring a network system in a pick highly recommended for any programmer's collection.

Some information on this page was provided using data from Amazon.com®.


Copyright 2009 Safari Books Online. All rights reserved.