Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach to NSM, complete with dozens of real-world examples that teach you the key concepts of NSM.
Network security monitoring is based on the principle that prevention eventually fails. In the current threat landscape, no matter how much you try, motivated attackers will eventually find their way into your network. At that point, it is your ability to detect and respond to that intrusion that can be the difference between a small incident and a major disaster.
The book follows the three stages of the NSM cycle: collection, detection, and analysis. As you progress through each section, you will have access to insights from seasoned NSM professionals while being introduced to relevant, practical scenarios complete with sample data.
If you've never performed NSM analysis, Applied Network Security Monitoring will give you an adequate grasp on the core concepts needed to become an effective analyst. If you are already a practicing analyst, this book will allow you to grow your analytic technique to make you more effective at your job.
This book is intended for information security practitioners, network administrators, computer system administrators, IT professionals, NSM analysts, forensic analysts, incident responders, and an academic audience of information security majors.
Dedication
Acknowledgements
About the Authors
Chris Sanders, Lead Author
Jason Smith, Co-Author
David J. Bianco, Contributing Author
Liam Randall, Contributing Author
Foreword
Preface
Audience
Prerequisites
Concepts and Approach
IP Address Disclaimer
Companion Website
Charitable Support
Contacting Us
Chapter 1. The Practice of Applied Network Security Monitoring
Abstract
Key NSM Terms
Intrusion Detection
Network Security Monitoring
Vulnerability-Centric vs. Threat-Centric Defense
The NSM Cycle: Collection, Detection, and Analysis
Challenges to NSM
Defining the Analyst
Security Onion
Conclusion
Section 1: Collection
Chapter 2. Planning Data Collection
Abstract
The Applied Collection Framework (ACF)
Case Scenario: Online Retailer
Conclusion
Chapter 3. The Sensor Platform
Abstract
NSM Data Types
Sensor Type
Sensor Hardware
Sensor Operating System
Sensor Placement
Securing the Sensor
Conclusion
Chapter 4. Session Data
Abstract
Flow Records
Collecting Session Data
Collecting and Analyzing Flow Data with SiLK
Collecting and Analyzing Flow Data with Argus
Session Data Storage Considerations
Conclusion
Chapter 5. Full Packet Capture Data
Abstract
Dumpcap
Daemonlogger
Netsniff-NG
Choosing the Right FPC Collection Tool
Planning for FPC Collection
Decreasing the FPC Data Storage Burden
Managing FPC Data Retention
Conclusion
Chapter 6. Packet String Data
Abstract
Defining Packet String Data
PSTR Data Collection
Viewing PSTR Data
Conclusion
Section 2: Detection
Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures
Abstract
Detection Mechanisms
Indicators of Compromise and Signatures
Managing Indicators and Signatures
Indicator and Signature Frameworks
Conclusion
Chapter 8. Reputation-Based Detection
Abstract
Public Reputation Lists
Automating Reputation-Based Detection
Conclusion
Chapter 9. Signature-Based Detection with Snort and Suricata
Abstract
Snort
Suricata
Changing IDS Engines in Security Onion
Initializing Snort and Suricata for Intrusion Detection
Configuring Snort and Suricata
IDS Rules
Viewing Snort and Suricata Alerts
Conclusion
Chapter 10. The Bro Platform
Abstract
Basic Bro Concepts
Running Bro
Bro Logs
Creating Custom Detection Tools with Bro
Conclusion
Chapter 11. Anomaly-Based Detection with Statistical Data
Abstract
Top Talkers with SiLK
Service Discovery with SiLK
Furthering Detection with Statistics
Visualizing Statistics with Gnuplot
Visualizing Statistics with Google Charts
Visualizing Statistics with Afterglow
Conclusion
Chapter 12. Using Canary Honeypots for Detection
Abstract
Canary Honeypots
Types of Honeypots
Canary Honeypot Architecture
Honeypot Platforms
Conclusion
Section 3: Analysis
Chapter 13. Packet Analysis
Abstract
Enter the Packet
Packet Math
Dissecting Packets
Tcpdump for NSM Analysis
TShark for Packet Analysis
Wireshark for NSM Analysis
Packet Filtering
Conclusion
Chapter 14. Friendly and Threat Intelligence
Abstract
The Intelligence Cycle for NSM
Generating Friendly Intelligence
Generating Threat Intelligence
Conclusion
Chapter 15. The Analysis Process
Abstract
Analysis Methods
Analysis Best Practices
Incident Morbidity and Mortality
Conclusion
Appendix 1. Security Onion Control Scripts
High Level Commands
Server Control Commands
Sensor Control Commands
Appendix 2. Important Security Onion Files and Directories
Application Directories and Configuration Files
Sensor Data Directories
Appendix 3. Packet Headers
Appendix 4. Decimal / Hex / ASCII Conversion Chart
Index
In 2008, Chris founded the Rural Technology Fund. The RTF is a 501(c)(3) non-profit organization designed to provide scholarship opportunities to students from rural areas pursuing careers in computer technology. The organization also promotes technology advocacy in rural areas through various support programs.
You can read more about Chris on his personal blog at http://www.chrissanders.org, where he posts information about his latest projects as well as various technical articles and product reviews.