Applied Network Security Monitoring

Collection, Detection, and Analysis

  • 1st Edition - November 26, 2013
  • Latest edition
  • Authors: Chris Sanders, Jason Smith
  • Language: English

Description

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach to NSM, complete with dozens of real-world examples that teach you the key concepts of NSM.

Network security monitoring is based on the principle that prevention eventually fails. In the current threat landscape, no matter how much you try, motivated attackers will eventually find their way into your network. At that point, it is your ability to detect and respond to that intrusion that can be the difference between a small incident and a major disaster.

The book follows the three stages of the NSM cycle: collection, detection, and analysis. As you progress through each section, you will have access to insights from seasoned NSM professionals while being introduced to relevant, practical scenarios complete with sample data.

If you've never performed NSM analysis, Applied Network Security Monitoring will give you an adequate grasp on the core concepts needed to become an effective analyst. If you are already a practicing analyst, this book will allow you to grow your analytic technique to make you more effective at your job.

Key features

  • Discusses the proper methods for data collection, and teaches you how to become a skilled NSM analyst
  • Provides thorough hands-on coverage of Snort, Suricata, Bro-IDS, SiLK, and Argus
  • Loaded with practical examples containing real PCAP files you can replay, and uses Security Onion for all its lab examples
  • Companion website includes up-to-date blogs from the authors about the latest developments in NSM

Readership

Information security practitioners, network administrators, computer system administrators, IT professionals, NSM analysts, forensic analysts, incident responders, and an academic audience among information security majors.

Table of contents

Dedication

Acknowledgements

About the Authors

Chris Sanders, Lead Author

Jason Smith, Co-Author

David J. Bianco, Contributing Author

Liam Randall, Contributing Author

Foreword

Preface

Audience

Prerequisites

Concepts and Approach

IP Address Disclaimer

Companion Website

Charitable Support

Contacting Us

Chapter 1. The Practice of Applied Network Security Monitoring

Abstract

Key NSM Terms

Intrusion Detection

Network Security Monitoring

Vulnerability-Centric vs. Threat-Centric Defense

The NSM Cycle: Collection, Detection, and Analysis

Challenges to NSM

Defining the Analyst

Security Onion

Conclusion

Section 1: Collection

Chapter 2. Planning Data Collection

Abstract

The Applied Collection Framework (ACF)

Case Scenario: Online Retailer

Conclusion

Chapter 3. The Sensor Platform

Abstract

NSM Data Types

Sensor Type

Sensor Hardware

Sensor Operating System

Sensor Placement

Securing the Sensor

Conclusion

Chapter 4. Session Data

Abstract

Flow Records

Collecting Session Data

Collecting and Analyzing Flow Data with SiLK

Collecting and Analyzing Flow Data with Argus

Session Data Storage Considerations

Conclusion

Chapter 5. Full Packet Capture Data

Abstract

Dumpcap

Daemonlogger

Netsniff-NG

Choosing the Right FPC Collection Tool

Planning for FPC Collection

Decreasing the FPC Data Storage Burden

Managing FPC Data Retention

Conclusion

Chapter 6. Packet String Data

Abstract

Defining Packet String Data

PSTR Data Collection

Viewing PSTR Data

Conclusion

Section 2: Detection

Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures

Abstract

Detection Mechanisms

Indicators of Compromise and Signatures

Managing Indicators and Signatures

Indicator and Signature Frameworks

Conclusion

Chapter 8. Reputation-Based Detection

Abstract

Public Reputation Lists

Automating Reputation-Based Detection

Conclusion

Chapter 9. Signature-Based Detection with Snort and Suricata

Abstract

Snort

Suricata

Changing IDS Engines in Security Onion

Initializing Snort and Suricata for Intrusion Detection

Configuring Snort and Suricata

IDS Rules

Viewing Snort and Suricata Alerts

Conclusion

Chapter 10. The Bro Platform

Abstract

Basic Bro Concepts

Running Bro

Bro Logs

Creating Custom Detection Tools with Bro

Conclusion

Chapter 11. Anomaly-Based Detection with Statistical Data

Abstract

Top Talkers with SiLK

Service Discovery with SiLK

Furthering Detection with Statistics

Visualizing Statistics with Gnuplot

Visualizing Statistics with Google Charts

Visualizing Statistics with Afterglow

Conclusion

Chapter 12. Using Canary Honeypots for Detection

Abstract

Canary Honeypots

Types of Honeypots

Canary Honeypot Architecture

Honeypot Platforms

Conclusion

Section 3: Analysis

Chapter 13. Packet Analysis

Abstract

Enter the Packet

Packet Math

Dissecting Packets

Tcpdump for NSM Analysis

TShark for Packet Analysis

Wireshark for NSM Analysis

Packet Filtering

Conclusion

Chapter 14. Friendly and Threat Intelligence

Abstract

The Intelligence Cycle for NSM

Generating Friendly Intelligence

Generating Threat Intelligence

Conclusion

Chapter 15. The Analysis Process

Abstract

Analysis Methods

Analysis Best Practices

Incident Morbidity and Mortality

Conclusion

Appendix 1. Security Onion Control Scripts

High Level Commands

Server Control Commands

Sensor Control Commands

Appendix 2. Important Security Onion Files and Directories

Application Directories and Configuration Files

Sensor Data Directories

Appendix 3. Packet Headers

Appendix 4. Decimal / Hex / ASCII Conversion Chart

Index

Review quotes

"...an extremely informative dive into the realm of network security data collection and analysis...well organized and thought through...I have only positive comments from my study."—The Ethical Hacker Network, Oct 31, 2014

Product details

  • Edition: 1
  • Latest edition
  • Published: December 5, 2013
  • Language: English

About the author

Chris Sanders

Chris Sanders is a technology consultant, author, and trainer. Chris serves as senior information security analyst for the Department of Defense as contracted through EWA Government Systems, Inc. In this role, Chris is responsible for the management of a team of intrusion detection system analysts examining public and classified networks. His book Practical Packet Analysis is widely respected as one of the best practical use books on its topic and has sold several thousand copies internationally. Along with this, Chris has written and co-written hundreds of articles on topics centered on network security, packet analysis, intrusion detection, and general network administration. Chris also serves as a SANS mentor, training students on intrusion detection in-depth and incident handling.

In 2008, Chris founded the Rural Technology Fund. The RTF is a 501(c)(3) non-profit organization designed to provide scholarship opportunities to students from rural areas pursuing careers in computer technology. The organization also promotes technology advocacy in rural areas through various support programs.

You can read more about Chris on his personal blog located at http://www.chrissanders.org, where he posts information regarding his latest projects as well as various technical articles and product reviews.

Affiliations and expertise
Senior Information Security Analyst at the DoD, Trainer, and Author