Applied Network Security Monitoring

Collection, Detection, and Analysis

1st Edition - November 26, 2013

Write a review

Authors: Chris Sanders, Jason Smith
Paperback ISBN: 9780124172081
eBook ISBN: 9780124172166

Purchase options

Select country/region

Institutional Subscription

Support Center Returns & Refunds

Free Global Shipping

No minimum order

Description

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach to NSM, complete with dozens of real-world examples that teach you the key concepts of NSM. Network security monitoring is based on the principle that prevention eventually fails. In the current threat landscape, no matter how much you try, motivated attackers will eventually find their way into your network. At that point, it is your ability to detect and respond to that intrusion that can be the difference between a small incident and a major disaster. The book follows the three stages of the NSM cycle: collection, detection, and analysis. As you progress through each section, you will have access to insights from seasoned NSM professionals while being introduced to relevant, practical scenarios complete with sample data. If you've never performed NSM analysis, Applied Network Security Monitoring will give you an adequate grasp on the core concepts needed to become an effective analyst. If you are already a practicing analyst, this book will allow you to grow your analytic technique to make you more effective at your job.

Key Features

Discusses the proper methods for data collection, and teaches you how to become a skilled NSM analyst
Provides thorough hands-on coverage of Snort, Suricata, Bro-IDS, SiLK, and Argus
Loaded with practical examples containing real PCAP files you can replay, and uses Security Onion for all its lab examples
Companion website includes up-to-date blogs from the authors about the latest developments in NSM

Readership

Information security practitioners, network administrators, computer system administrators, IT professionals, NSM analysts, forensic analysts, incident responders, and an academic audience among information security majors.

Dedication

Acknowledgements

About the Authors

Chris Sanders, Lead Author

Jason Smith, Co-Author

David J. Bianco, Contributing Author

Liam Randall, Contributing Author

Foreword

Preface

Audience

Prerequisites

Concepts and Approach

IP Address Disclaimer

Companion Website

Charitable Support

Contacting Us

Chapter 1. The Practice of Applied Network Security Monitoring

Abstract

Key NSM Terms

Intrusion Detection

Network Security Monitoring

Vulnerability-Centric vs. Threat-Centric Defense

The NSM Cycle: Collection, Detection, and Analysis

Challenges to NSM

Defining the Analyst

Security Onion

Conclusion

Section 1: Collection

Chapter 2. Planning Data Collection

Abstract

The Applied Collection Framework (ACF)

Case Scenario: Online Retailer

Conclusion

Chapter 3. The Sensor Platform

Abstract

NSM Data Types

Sensor Type

Sensor Hardware

Sensor Operating System

Sensor Placement

Securing the Sensor

Conclusion

Chapter 4. Session Data

Abstract

Flow Records

Collecting Session Data

Collecting and Analyzing Flow Data with SiLK

Collecting and Analyzing Flow Data with Argus

Session Data Storage Considerations

Conclusion

Chapter 5. Full Packet Capture Data

Abstract

Dumpcap

Daemonlogger

Netsniff-NG

Choosing the Right FPC Collection Tool

Planning for FPC Collection

Decreasing the FPC Data Storage Burden

Managing FPC Data Retention

Conclusion

Chapter 6. Packet String Data

Abstract

Defining Packet String Data

PSTR Data Collection

Viewing PSTR Data

Conclusion

Section 2: Detection

Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures

Abstract

Detection Mechanisms

Indicators of Compromise and Signatures

Managing Indicators and Signatures

Indicator and Signature Frameworks

Conclusion

Chapter 8. Reputation-Based Detection

Abstract

Public Reputation Lists

Automating Reputation-Based Detection

Conclusion

Chapter 9. Signature-Based Detection with Snort and Suricata

Abstract

Snort

Suricata

Changing IDS Engines in Security Onion

Initializing Snort and Suricata for Intrusion Detection

Configuring Snort and Suricata

IDS Rules

Viewing Snort and Suricata Alerts

Conclusion

Chapter 10. The Bro Platform

Abstract

Basic Bro Concepts

Running Bro

Bro Logs

Creating Custom Detection Tools with Bro

Conclusion

Chapter 11. Anomaly-Based Detection with Statistical Data

Abstract

Top Talkers with SiLK

Service Discovery with SiLK

Furthering Detection with Statistics

Visualizing Statistics with Gnuplot

Visualizing Statistics with Google Charts

Visualizing Statistics with Afterglow

Conclusion

Chapter 12. Using Canary Honeypots for Detection

Abstract

Canary Honeypots

Types of Honeypots

Canary Honeypot Architecture

Honeypot Platforms

Conclusion

Section 3: Analysis

Chapter 13. Packet Analysis

Abstract

Enter the Packet

Packet Math

Dissecting Packets

Tcpdump for NSM Analysis

TShark for Packet Analysis

Wireshark for NSM Analysis

Packet Filtering

Conclusion

Chapter 14. Friendly and Threat Intelligence

Abstract

The Intelligence Cycle for NSM

Generating Friendly Intelligence

Generating Threat Intelligence

Conclusion

Chapter 15. The Analysis Process

Abstract

Analysis Methods

Analysis Best Practices

Incident Morbidity and Mortality

Conclusion

Appendix 1. Security Onion Control Scripts

High Level Commands

Server Control Commands

Sensor Control Commands

Appendix 2. Important Security Onion Files and Directories

Application Directories and Configuration Files

Sensor Data Directories

Appendix 3. Packet Headers

Appendix 4. Decimal / Hex / ASCII Conversion Chart

Index

Product details

No. of pages: 496
Language: English
Copyright: © Syngress 2013
Published: November 26, 2013
Imprint: Syngress
Paperback ISBN: 9780124172081
eBook ISBN: 9780124172166

About the Authors

Chris Sanders

Chris Sanders is a technology consultant, author, and trainer. Chris serves as senior information security analyst for the Department of Defense as contracted through EWA Government Systems, Inc. In this role Chris is responsible for the management of a team of intrusion detection system analysts examining public and classified networks. His book Practical Packet Analysis is widely respected as one of the best practical use books on its topic and has sold several thousand copies internationally. Along with this, Chris has written and co-written hundreds of articles on the topics centered on network security, packet analysis, intrusion detection, and general network administration. Chris also serves as a SANS mentor training students on intrusion detection in-depth and incident handling.

In 2008, Chris founded the Rural Technology Fund. The RTF is a 501(c)(3) non-profit organization designed to provide scholarship opportunities to students from rural areas pursuing careers in computer technology. The organization also promotes technology advocacy in rural areas through various support programs.

You can read more about Chris on his personal blog located at http://www.chrissanders.org where he posts information regarding his latest projects as well as various technical articles and product reviews

Affiliations and Expertise

Senior Information Security Analyst at the DoD, Trainer, and Author

Jason Smith

Ratings and Reviews

Write a review

Latest reviews

(Total rating for all reviews)

SantiagoGimenez O. Sat Oct 27 2018
Great book on important subject
This book covers the most important topics within network security monitoring. It’s concepts are easy to understand and relevant to the field.

Preview - Applied Network Security Monitoring