Review: The Practice of Network Security Monitoring

When I saw this book on the coming soon list I was definitely excited. Richard Bejtlich, Chief Security Officer of Mandiant, has delivered a book built around the venerable Security Onion distribution, entitled “The Practice of Network Security Monitoring”. After the runaway success of “The Tao of Network Security Monitoring” and the pedigree set by Richard’s other books, I would be lying if I said I didn’t have high expectations for this one.

From the outset it was clear that reading this book was going to be no snooze. The first chapters identify how the perspective of incident response has shifted. Threats are no longer hit-and-run efforts but sustained campaigns built on subterfuge, on gaining a foothold, and almost always with a strong financial motivation. The theatre of war these days cannot discount electronic warfare and cyber terrorism. The framework discussion on monitoring and response empowers the reader to proactively develop a usable practice within their enterprise. The emphasis on detect, contain, and respond addresses three major components of an NSM framework.

Something I have always thought, and Richard covers, is the reward: the value of the target versus the time it takes to break in. Look at the state-sponsored attack on Iran’s nuclear enrichment programme (Stuxnet). The US and Israel are widely reported to have created a highly targeted and elaborate system to hit one specific type of equipment. The cost of investment and development was weighed against the target’s value and the potential payoff: the old time-versus-reward paradigm. A sustained advanced persistent threat against a home user may not yield anything of financial value to an attacker. Against a bank, however, it is an entirely different story.

Security Onion becomes the focus once the framework is established. Security Onion is a Linux distribution that pre-packages an array of network security tools, with a focus on ease of use. It incorporates favourites such as Xplico, Snort, Bro and Sguil, along with some unique applications to aid NSM management. The deployment chapters provide insight into deployment methods, sensor placement considerations, and the pros and cons of each choice.

Maintaining a sensor network is just as important as installing one. Invaluable tips and hints are provided that an administrator may not be aware of on first deployment. Previously I had been a fan of Logstash and Elasticsearch, an approach Kurt Bales explained to me, for my log management, storage, and search functions. I learnt a lot about how Security Onion centralises log management and how to tune its messaging to ensure timely responses.

After listening to the Bro podcast over at Healthy Paranoia I was instantly a fan. The idea of a well-written IDS platform that is scalable at its heart made me smile. I know IDS isn’t everyone’s cup of tea, but after listening to the show I was excited. Security Onion ships Bro alongside a signature-based engine (Snort or Suricata). Having used Snort for a while, I shifted a few sensors in the lab to Bro and got my Bro workers running. The fact that the environment happily supports multiple engines is great: it allows choice based on a variety of reasons and enables the right tool for the job.

Expanding Security Onion beyond the vanilla install is covered towards the end. It is well known that Richard’s employer, Mandiant, performs write-ups, delivers white papers, and explores attack vectors. Richard covers integrating intelligence from Mandiant so that Security Onion can alert on indicators drawn from Mandiant’s APT1 report. Great reading there. Bro can also be configured to extract binaries from network traffic, which can then be exported to third-party systems for analysis.

A factor in any book is the ability to consume and digest information in a pleasurable manner. The typeset chosen is extremely appealing to the eye and uses the fonts New Baskerville, TheSansMono Condensed, Futura, and Dogma. These fonts form a great style and enhance the flow of reading. Italicised headings with bold breaks section the text neatly, and the code snippets, of which there are plenty, are crisp and pop off the page. Graphics also help, with nicely sized, clear images and a great icon, a grasshopper ninja, denoting chapter breaks.

Overall the content of this book is sound and empowers the reader first to establish an NSM presence. Once up and running, the reader has the tools and the ideas to go forth and establish a security methodology that adds value for the business. If you’re interested in deploying Security Onion, understanding the benefits of IDS sensors, or simply looking to develop a holistic approach to security, The Practice of Network Security Monitoring is a great place to start.

ASA Snippets and Sublime Text 2

A recent post by Greg Ferro over at Etherealmind exposed me to Sublime Text 2. This cross-platform text editor has attracted some great plugins. As pointed out by Greg, there is a GitHub-hosted plugin for Cisco ASA snippets and Cisco syntax highlighting.

After getting excited over Greg’s post I went and investigated. I spend a lot of time inside the ASA world and use the 5585-X platform in my day job. GNS3 also gives me a lot of CLI time now that I can run it on Linux, Windows, or OS X. Anything that speeds up my configuration work with dynamic templates is welcome.

My old templates consisted of copy, paste, replace. Now it is a keyword tabbed out, and then the relevant sections are populated. Take the example below.

[Screenshot: the static snippet expanded in Sublime Text 2]
In this example I typed the keyword static and tabbed it out. I am provided with a default INSIDE to OUTSIDE NAT mapping.

object network OBJ-REAL_IP
host REAL_IP
object network OBJ-MAPPED_IP

If I tab again, every instance of REAL_IP is updated with the address I type. Tabbing again updates MAPPED_IP with its address. This includes the object names. In four tabs and some simple IP address inputs I have a complete static NAT configuration.
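For anyone who wants to see how the tab-through behaviour works, here is a Sublime Text 2 snippet file of my own that reproduces the static NAT template above. It is an added example written for this post, not Richee’s snippet from the GitHub package; the full object layout, the nat line and the interface placeholders are my assumptions about what the complete template looks like. Save it as a file ending in .sublime-snippet under your Packages/User folder.

```xml
<snippet>
  <!-- Added example, not the GitHub package's snippet. Reusing a field number
       ($1, $2) mirrors that field, which is why one tab stop fills every
       occurrence of REAL_IP, object name included. -->
  <content><![CDATA[
object network OBJ-${1:REAL_IP}
 host $1
object network OBJ-${2:MAPPED_IP}
 host $2
object network OBJ-$1
 nat (${3:INSIDE},${4:OUTSIDE}) static OBJ-$2
]]></content>
  <!-- Type "static" then press Tab to expand. -->
  <tabTrigger>static</tabTrigger>
  <!-- No scope element, so it expands in any file type; add one for the
       Cisco syntax if you want to restrict it. -->
  <description>ASA object NAT: static, INSIDE to OUTSIDE (assumed layout)</description>
</snippet>
```

Tab stop 1 fills REAL_IP wherever it appears, including the object name; tab stop 2 does the same for MAPPED_IP; 3 and 4 are the interface nameifs. One caveat worth remembering when stamping out NAT this quickly: on ASA 8.3 and later the nat statement only translates, so inbound traffic to the mapped address still needs an access-list on the outside interface (written against the real address). A template for the NAT is best paired with one for the matching ACL.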

There are also snippets for a /24 subnet, objects, access-lists and routes.

[Screenshot: the list of ASA snippets available in Sublime Text 2]

Thanks to Richee for making these and to Greg for pointing them out. Being able to create objects and NAT rules this fast has aided my productivity. I plan to build FQDN object snippets, and others I use regularly, from the same base.

Download the snippets here.