Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks

There is a lot of very practical information packed into this little book, no fluff or filler anywhere to be found. It will defiantly add value to any Network Security Monitoring implementation. This is a perfect book for a Network or System Engineer crossing over into Security. The only complaint is that it is way to pricey for such a small book printed on what feels like cheap newsprint.
Rating: 5 / 5

This book is not an introduction to network, server, or database administration. Neither is it an introduction to security tools or techniques. You need to have a foundational understanding of these areas and seek to build on them through specialization of your base skills. If you need a more introductory book I highly recommend The Tao of Network Security Monitoring: Beyond Intrusion Detection. This book attempts to take you deeper into your network, guiding you to identify the more sensitive, important parts of the network for focused monitoring. The first chapter is just an overview chapter and introduces the fictitious company used throughout the book, Blanco Wireless. Like most tech books, the good stuff starts in chapter two.

The second chapter discusses the wide variety of approaches for selecting the policies to monitor. It then discusses the the environment in which these policies are to be applied. Chapter three explores two primary methods of learning about a network: network taxonomy and network telemetry. Chapter four provides a third and final foundation, guiding you to select broad targets on which to focus your monitoring. Deep, proactive security monitoring is overwhelming and unproductive if it isn’t targeted to specific systems. By selecting monitoring targets, you can narrow your focus to the most critical systems, making the most of your security monitoring equipment and staff.

Once you’ve worked through the steps of defining security policies, you know your network, and you’ve selected your targets, you can build on that foundation by choosing your event sources. Chapter 5 provides an overview of the various device types and their event sources, how you can collect them, and how you can inspect them for security policy violations. The various choices available are collected into a subset of the best event sources to help you choose the appropriate sources quickly, without becoming overwhelmed in the sea of possibilities. Chapter 6 provides guidance on how you can carefully configure systems that fit your infrastructure, and then tune them so you can detect the real security events.Chapter 7 aims to professionalize your monitoring, preventing gaps that could allow an intrusion to succeed without notice. With these finishing touches in place, you should be able to monitor your systems with confidence.

Chapter 8 is a concluding chapter. It gives examples where monitoring ideals haven’t always aligned with practical experience, including the consequences of those deviations from standard rules. It gives the results of two case studies, including how the organizations deployed targeted monitoring. It concludes by stripping down the advice of the book to bare-minimum tasks for each step, leaving you with a checklist to start your own targeted monitoring.

Appendix A gives detailed information on setting up and running a NetFlow collector based on OSU flow-tools, followed by some simple commands to enable NetFlow generation from a Cisco IOS router. OSU flow-tools is a set of open source NetFlow collection utilities.

This book is a good combination of tools, calculations, and advice on organizing your thoughts and strategy for the more advanced user who is familiar with networks and network security. I highly recommend it for that type of reader.
Rating: 5 / 5

Martin and Chris do a great job in providing the network security professional with a hands-on guide to incident detection on enterprise networks.

The authors state at the outset – this is not a guide for the novice, but rather a guide for the journeyman who has a good working knowledge of network, server and database administration, as well as security tools and techniques.

The guide is as stated a professional guide, with exemplars which can be used in a sandbox, or to assist you in noodling through specific infrastructure monitoring issues – such as “tuning” so the incident logs tell you the story, and don’t drown you in event data.

Their chosen format draws upon the authors’ experiences and of course discusses the tools they use on a daily basis. To their credit, they also point out and list other tools which are substantially similar to those they use in their everyday work, and this alone is a benefit to the reader – you’ve the makings of your list of potential vendors, ready at hand.

I have the privilege of seeing the result of these gentleman’s work and impact. That said, I also hear their voices clearly and distinctly in their verbiage – their articulation and emphasis is spot-on.

Worthy of the read, essential for the impact provided – a book of reference and exemplars which should be required in every incident response tool-box.

Christopher Burgess

Author: Secrets Stolen, Fortunes Lost
Rating: 5 / 5

This book is a quick read “how-to” book to take your company to the next level. This is a real reality check written with an assumption that the reader is already familiar with networks and security. This book attempts to drive the value home with case studies, maintenance recommendations (yes, you do have to maintain the beast) and scripts to get started, and collected best practices. This is one of the books that get dog-eared and notes in the margin quickly.
Rating: 5 / 5

Besides hardware, home security alarm companies also sell peace of mind, assuring clients that their homes are monitored 24-hours-a-day, 7-days-a-week. Today’s corporate networks need similar monitoring systems to ensure the underlying security, confidentiality, and availability of the systems and data. Security Monitoring provides the reader a comprehensive overview of this important topic.

The book emphasizes the need to monitor your network given the myriad security risks faced by organizations no matter what their size or their industry. The authors note that there are numerous challenges to monitoring, and the reader is also warned about vendor promises of how easily their monitoring software and hardware solutions will work.

The book is worth purchasing just for Chapter 3: “Know Your Network.” The authors note that knowing your network is akin to understanding your military capabilities, both strengths and weaknesses, when preparing for an enemy attack. Anyone planning a security monitoring endeavor should take such advice to heart.

This is not an introductory work on the subject; the reader should have an understanding of the topic before opening this text. For those looking for an across-the-board overview, Security Monitoring provides a very practical and real-world detailed perspective of how to create a security monitoring program that can deal with today’s exceedingly complex and sophisticated security threats.

Rating: 4 / 5