Applied Network Security Monitoring

Applied Network Security Monitoring

Collection, Detection, and Analysis

1st Edition - November 26, 2013

Write a review

  • Authors: Chris Sanders, Jason Smith
  • Paperback ISBN: 9780124172081
  • eBook ISBN: 9780124172166

Purchase options

Purchase options
Available
DRM-free (Mobi, EPub, PDF)
Sales tax will be calculated at check-out

Institutional Subscription

Free Global Shipping
No minimum order

Description

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach to NSM, complete with dozens of real-world examples that teach you the key concepts of NSM. Network security monitoring is based on the principle that prevention eventually fails. In the current threat landscape, no matter how much you try, motivated attackers will eventually find their way into your network. At that point, it is your ability to detect and respond to that intrusion that can be the difference between a small incident and a major disaster. The book follows the three stages of the NSM cycle: collection, detection, and analysis. As you progress through each section, you will have access to insights from seasoned NSM professionals while being introduced to relevant, practical scenarios complete with sample data. If you've never performed NSM analysis, Applied Network Security Monitoring will give you an adequate grasp on the core concepts needed to become an effective analyst. If you are already a practicing analyst, this book will allow you to grow your analytic technique to make you more effective at your job.

Key Features

  • Discusses the proper methods for data collection, and teaches you how to become a skilled NSM analyst
  • Provides thorough hands-on coverage of Snort, Suricata, Bro-IDS, SiLK, and Argus
  • Loaded with practical examples containing real PCAP files you can replay, and uses Security Onion for all its lab examples
  • Companion website includes up-to-date blogs from the authors about the latest developments in NSM

Readership

Information security practitioners, network administrators, computer system administrators, IT professionals, NSM analysts, forensic analysts, incident responders, and an academic audience among information security majors.

Table of Contents

  • Dedication

    Acknowledgements

    About the Authors

    Chris Sanders, Lead Author

    Jason Smith, Co-Author

    David J. Bianco, Contributing Author

    Liam Randall, Contributing Author

    Foreword

    Preface

    Audience

    Prerequisites

    Concepts and Approach

    IP Address Disclaimer

    Companion Website

    Charitable Support

    Contacting Us

    Chapter 1. The Practice of Applied Network Security Monitoring

    Abstract

    Key NSM Terms

    Intrusion Detection

    Network Security Monitoring

    Vulnerability-Centric vs. Threat-Centric Defense

    The NSM Cycle: Collection, Detection, and Analysis

    Challenges to NSM

    Defining the Analyst

    Security Onion

    Conclusion

    Section 1: Collection

    Chapter 2. Planning Data Collection

    Abstract

    The Applied Collection Framework (ACF)

    Case Scenario: Online Retailer

    Conclusion

    Chapter 3. The Sensor Platform

    Abstract

    NSM Data Types

    Sensor Type

    Sensor Hardware

    Sensor Operating System

    Sensor Placement

    Securing the Sensor

    Conclusion

    Chapter 4. Session Data

    Abstract

    Flow Records

    Collecting Session Data

    Collecting and Analyzing Flow Data with SiLK

    Collecting and Analyzing Flow Data with Argus

    Session Data Storage Considerations

    Conclusion

    Chapter 5. Full Packet Capture Data

    Abstract

    Dumpcap

    Daemonlogger

    Netsniff-NG

    Choosing the Right FPC Collection Tool

    Planning for FPC Collection

    Decreasing the FPC Data Storage Burden

    Managing FPC Data Retention

    Conclusion

    Chapter 6. Packet String Data

    Abstract

    Defining Packet String Data

    PSTR Data Collection

    Viewing PSTR Data

    Conclusion

    Section 2: Detection

    Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures

    Abstract

    Detection Mechanisms

    Indicators of Compromise and Signatures

    Managing Indicators and Signatures

    Indicator and Signature Frameworks

    Conclusion

    Chapter 8. Reputation-Based Detection

    Abstract

    Public Reputation Lists

    Automating Reputation-Based Detection

    Conclusion

    Chapter 9. Signature-Based Detection with Snort and Suricata

    Abstract

    Snort

    Suricata

    Changing IDS Engines in Security Onion

    Initializing Snort and Suricata for Intrusion Detection

    Configuring Snort and Suricata

    IDS Rules

    Viewing Snort and Suricata Alerts

    Conclusion

    Chapter 10. The Bro Platform

    Abstract

    Basic Bro Concepts

    Running Bro

    Bro Logs

    Creating Custom Detection Tools with Bro

    Conclusion

    Chapter 11. Anomaly-Based Detection with Statistical Data

    Abstract

    Top Talkers with SiLK

    Service Discovery with SiLK

    Furthering Detection with Statistics

    Visualizing Statistics with Gnuplot

    Visualizing Statistics with Google Charts

    Visualizing Statistics with Afterglow

    Conclusion

    Chapter 12. Using Canary Honeypots for Detection

    Abstract

    Canary Honeypots

    Types of Honeypots

    Canary Honeypot Architecture

    Honeypot Platforms

    Conclusion

    Section 3: Analysis

    Chapter 13. Packet Analysis

    Abstract

    Enter the Packet

    Packet Math

    Dissecting Packets

    Tcpdump for NSM Analysis

    TShark for Packet Analysis

    Wireshark for NSM Analysis

    Packet Filtering

    Conclusion

    Chapter 14. Friendly and Threat Intelligence

    Abstract

    The Intelligence Cycle for NSM

    Generating Friendly Intelligence

    Generating Threat Intelligence

    Conclusion

    Chapter 15. The Analysis Process

    Abstract

    Analysis Methods

    Analysis Best Practices

    Incident Morbidity and Mortality

    Conclusion

    Appendix 1. Security Onion Control Scripts

    High Level Commands

    Server Control Commands

    Sensor Control Commands

    Appendix 2. Important Security Onion Files and Directories

    Application Directories and Configuration Files

    Sensor Data Directories

    Appendix 3. Packet Headers

    Appendix 4. Decimal / Hex / ASCII Conversion Chart

    Index

Product details

  • No. of pages: 496
  • Language: English
  • Copyright: © Syngress 2013
  • Published: November 26, 2013
  • Imprint: Syngress
  • Paperback ISBN: 9780124172081
  • eBook ISBN: 9780124172166

About the Authors

Chris Sanders

Jason Smith

Ratings and Reviews

Write a review

Latest reviews

(Total rating for all reviews)

  • SantiagoGimenez O. Sat Oct 27 2018

    Great book on important subject

    This book covers the most important topics within network security monitoring. It’s concepts are easy to understand and relevant to the field.