Preface

Our security team found a new way to make money. In 2006, after perfecting our enterprise malware monitoring, we began to deploy tools for monitoring Cisco’s infrastructure more deeply. In doing so, we found our team positioned to monitor applications in new ways. Weary of ignoring the risk presented by new ventures, we offered a solution: fund staff to monitor targeted risk areas, and handle the infrastructure ourselves. The solution paid off—our monitoring team has grown, and we’ve developed new techniques for finding and addressing the necessary risks of a growing enterprise.

In 2007, we shared this experience with our Forum for Incident Response and Security Teams (FIRST) buddies at the annual conference. Some say we chose that conference because it was being held in Seville, Spain, but we were just doing our part for the security community. We wanted a crowd, so we titled our presentation “Inside the Perimeter: 6 Steps to Improve Your Security Monitoring.” We received enough encouragement to repeat the presentation at the annual Cisco Networkers conference later that year, where we expanded the talk to two hours and packed the house with an enthusiastic audience. Feedback was positive, and we were asked to repeat it in Brisbane, Australia; Orlando, Florida; and Barcelona, Spain over the next several months. In the meantime, we felt we had enough ideas to fill a book, and the editors at O’Reilly agreed.

Our audiences told us they liked the presentations because they craved honest experience from security practitioners. We share the challenges you face; we’re on the hook for security, and have to prioritize resources to make it happen. We like reading authentic books—the ones that don’t try to sell us gear or consulting services—and we’ve endeavored to write this book with that angle. This book aims to share our experience, successes, and failures to improve security monitoring with targeted techniques.

What This Book Is Not

This book is not an introduction to network, server, or database administration. It’s not an introduction to security tools or techniques, either. We assume that you have a foundational understanding of these areas and seek to build on them via specialized application of them. If we lose you along the way, put a bookmark where you left off, and reference the following excellent books:

  • The Tao of Network Security Monitoring, by Richard Bejtlich (Addison-Wesley Professional)

  • Essential System Administration, by Æleen Frisch (O’Reilly)

  • Counter Hack Reloaded, by Ed Skoudis and Tom Liston (Prentice Hall PTR)

  • Computer Viruses and Malware, by John Aycock (Springer)

  • Writing Secure Code, by Michael Howard and David LeBlanc (Microsoft Press)

What This Book Is

Hopefully, you’ve already read books on security. This one aims to take you deeper into your network, guiding you to carve out the more sensitive, important parts of the network for focused monitoring. We haven’t coined a term for this, but if we did, it would be targeted monitoring or policy-based monitoring or targeted reality-based policy monitoring for detecting extrusions.

Here is a short summary of the chapters in this book and what you’ll find inside:

Chapter 1, Getting Started

Provides rationale for monitoring and challenges, and introduces our monitoring philosophy

Following Chapter 1 are the six core chapters of the book, each successively building on topics discussed in previous chapters:

Chapter 2, Implement Policies for Monitoring

Defines rules, regulations, and criteria to monitor

Chapter 3, Know Your Network

Builds knowledge of your infrastructure with network telemetry

Chapter 4, Select Targets for Monitoring

Defines the subset of infrastructure to monitor

Chapter 5, Choose Event Sources

Identifies the event types needed to discover policy violations

Chapter 6, Feed and Tune

Collects data and generates alerts, and tunes systems using context

Chapter 7, Maintain Dependable Event Sources

Prevents critical gaps in your event collection and monitoring

Following the core chapters are the closing chapter and a trio of appendixes:

Chapter 8, Conclusion: Keeping It Real

Provides case studies and real examples to illustrate the concepts presented in the six core chapters

Appendix A

Provides detailed instructions for implementing NetFlow collection based on Cisco’s deployment

Appendix B

Provides a sample service level agreement (SLA) for maintaining security event feeds from network devices

Appendix C

Offers statistical proofs for calculating and calibrating uptime for security monitoring configurations

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic

Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities

Constant width

Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, and the output from commands

Constant width bold

Shows commands and other text that should be typed literally by the user

Constant width italic

Shows text that should be replaced with user-supplied values

Note

This icon signifies a tip, suggestion, or general note.

Warning

This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Security Monitoring, by Chris Fry and Martin Nystrom. Copyright 2009 Chris Fry and Martin Nystrom, 978-0-596-51816-5.”

If you feel your use of code examples falls outside fair use or the permission given here, feel free to contact us at .

Safari® Books Online

Note

When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

Comments and Questions

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

http://www.oreilly.com/catalog/9780596518165/

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our website at:

http://www.oreilly.com/

Acknowledgments

We’re kind of shy about putting our names on this book. Chris and I did all the writing, but the ideas we’re describing didn’t originate with us. They represent the work started by Gavin Reid, Cisco CSIRT’s boss and FIRST rep, back in 2003. Gavin built the CSIRT team, assembled from proven network engineers, system administrators, and application developers. You’ll find examples of scripts written by Dustin, Mike, and Dave, tuning developed by Jeff, Jayson, and Nitin, investigations led by Chip and Kevin, and procedures written by Lawrence. In many ways, the whole team wrote this book. They’re the ones who deployed the gear, wrote the tools, hired the staff, built the processes, and investigated the incidents that form the basis for the ideas presented here.

The book seemed fine until Jeff Bollinger looked at it. He discovered all kinds of inconsistencies and technical gaps, and was kind enough to tell us about them before we published the book. Jeff gave room for Devin Hilldale to school us on style and grammar. Devin pointed out the inconsistencies that derive from multiple authors, and helped smooth out the writing style. He told me to stop leaving two spaces after periods, but my eighth grade typing teacher still controls my fingers. Mark Lucking gave input throughout the book, drawing from his experience in information security for banking.

Good security requires good community. Cisco CSIRT participates in security organizations of our peers in industry and government. We share intelligence, track emerging threats, and assist one another with incident response and investigations. Membership in trusted security organizations such as FIRST and NSTAC NSIE provides access to information in a currency of trust. FIRST requires all prospective members be nominated by at least two existing members. Candidates must host an investigative site visit by a FIRST member, and be approved by a two-thirds steering committee vote.

In Chapter 8, we shared valuable insights from two case studies. Thanks to Scott McIntyre of KPN-CERT, and to the security management at Northrop Grumman: Georgia Newhall, George Bakos, Grant Jewell, and Rob Renew. (Rob and Scott: hope to see you in Kyoto for FIRST 2009!)

This book will help you justify money to spend on security monitoring. Read the whole thing, and apply all six steps from the core chapters to use those resources efficiently.
