The Practice of Network Security Monitoring: Understanding Incident Detection and Response

The Practice of Network Security Monitoring: Understanding Incident Detection and Response

Richard Bejtlich

Language: English

Pages: 376

ISBN: 1593275099

Format: PDF / Kindle (mobi) / ePub

Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.

In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.

You'll learn how to:

  • Determine where to deploy NSM platforms, and size them for the monitored networks
  • Deploy stand-alone or distributed NSM installations
  • Use command line and graphical packet analysis tools, and NSM consoles
  • Interpret network evidence from server-side and client-side intrusions
  • Integrate threat intelligence into NSM software to identify sophisticated adversaries

There's no foolproof way to keep attackers out of your network. But when they get in, you'll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.





















Coulson, and Scott Runnels—kudos for your devotion, professionalism, and outstanding work ethic. Special thanks go to Doug Burks and Scott Runnels for their work on the Security Onion project, which puts powerful NSM tools in the hands of anyone who wishes to try them. I also appreciate the work of all the open source software developers whose tools appear in Security Onion: You help make all our networks more secure. I appreciate those of you who have challenged my understanding of NSM through

reconnaissance for other targets, but thus far has not stolen any data. The timeline continues: September 12, 2012  The attacker copies database backup files to a staging directory. September 13 and 14, 2012  The attacker compresses the database backup files into 14 (of the 15 total) encrypted 7-Zip archives. The attacker then moves the 7-Zip archives from the database server to another server and sends the data to a system on the Internet. Finally, the attacker deletes the backup files and

form of translation to allow a company’s computers to talk to the Internet, and vice versa. The Internet was designed as an end-to-end network, populated by computers and networking devices with universally unique, publicly allocated IP addresses. However, the modern Internet doesn’t look that way at all. In order to cope with growth, modern networks use private addresses like those seen in Vivian’s Pets. Translation allows private IP addresses to “pretend” to be public addresses for the purpose

it may require a system reboot. Follow any additional instructions. As you can see, updates via the GUI are easy. However, you can find yourself accepting updates that might not be compatible with the recommendations of the SO project. For example, MySQL database updates can be tricky. For this reason, I suggest following the SO project’s suggestion: update via the command line. Updating via the Command Line The SO project blog posts usually tell users to conduct updates via the command line,

not reachable remotely. SO Platform Housekeeping   103 Figure 5-3: Configuring PuTTY for SSH port forwarding Figure 5-4: Configuring proxy settings in Firefox 104   Chapter 5 If your remote client is a Linux system, you can achieve the same goal using the integrated SSH client. On your Linux desktop, run the following command: ssh -L 9876:localhost:9876 username@SO server IP With your tunnel established, follow steps 4 and 5 in the preceding procedure for configuring the Firefox web

Download sample