Applied Network Security Monitoring: Collection, Detection, and Analysis

Book Preface

Learning how to build and operate a network security monitoring infrastructure is a daunting task. Chris Sanders and his team of authors have crafted a framework for NSM, and provide the reader with a codified plan to put network security monitoring into practice.

Medium and large organizations are being crushed by the amount of data they are collecting. With event counts exceeding 100 million events in some instances, having a monitoring infrastructure and standard operating procedures that can scale is critical.

Seek and ye shall find: the inverse is also true. It makes no sense to collect data, and potentially even do the detection, but skip on the analysis. This book you hold in your hands gives you the keys to each of the steps in the NSM cycle: collection, detection and analysis.

In the late 1930’s, many civilian pilots argued for the right to use their skills in defense of their country. The time has come again for civilians to take a more active role in the defense of our nation. We are under attack; make no mistake. Manufacturing, chemical, oil and gas, energy, and many critical sectors of our civilian society are bearing the brunt of a coordinated and systematic series of attacks. While pundits ponder on the future possibility of cyber war, the practitioners on the front line are neck deep in it.

My call is not one to arms, but one to analysis. Got root? Then you must analyze your logs. Most cyber attacks leave traces, and it is up to each and every system operator to review their logs for signs of compromise. That said, the operator should be reviewing logs for the purpose of improving system performance and business analytics. Improving system performance alone can help provide a return on investment to the business, not to mention what business analytics can do in the right hands.

At InGuardians, we get called in to do incident response in cases of large data breaches. Most organizations currently log relevant data from core network devices, proxies, firewalls, systems and applications. That data is stored for an extended period of time, with no apparent ROI. In many cases we are able to identify current and previous breaches through log analysis alone.

The next time you are at your console, review some logs. You might think… “I don’t know what to look for”. Start with what you know, understand, and don’t care about. Discard those. Everything else is of interest.

Mike Poor, Semper Vigilans