Security Monitoring

Security Monitoring

by Chris Fry, Martin Nystrom
Released February 2009
Publisher(s): O'Reilly Media, Inc.
ISBN: 9780596555450

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

How well does your enterprise stand up against today's sophisticated security threats? In this book, security experts from Cisco Systems demonstrate how to detect damaging security incidents on your global network--first by teaching you which assets you need to monitor closely, and then by helping you develop targeted strategies and pragmatic techniques to protect them.

Security Monitoring is based on the authors' years of experience conducting incident response to keep Cisco's global network secure. It offers six steps to improve network monitoring. These steps will help you:

  • Develop Policies: define rules, regulations, and monitoring criteria
  • Know Your Network: build knowledge of your infrastructure with network telemetry
  • Select Your Targets: define the subset of infrastructure to be monitored
  • Choose Event Sources: identify event types needed to discover policy violations
  • Feed and Tune: collect data, generate alerts, and tune systems using contextual information
  • Maintain Dependable Event Sources: prevent critical gaps in collecting and monitoring events

Security Monitoring illustrates these steps with detailed examples that will help you learn to select and deploy the best techniques for monitoring your own enterprise network.

Publisher resources

View/Submit Errata

Table of contents

  1. Security Monitoring
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Preface
      1. What This Book Is Not
      2. What This Book Is
      3. Conventions Used in This Book
      4. Using Code Examples
      5. Safari® Books Online
      6. Comments and Questions
      7. Acknowledgments
    3. 1. Getting Started
      1. A Rapidly Changing Threat Landscape
        1. Failure of Antivirus Software
      2. Why Monitor?
        1. The Miscreant Economy and Organized Crime
        2. Insider Threats
      3. Challenges to Monitoring
        1. Vendor Promises
        2. Operational Realities
        3. Volume
        4. Privacy Concerns
      4. Outsourcing Your Security Monitoring
      5. Monitoring to Minimize Risk
      6. Policy-Based Monitoring
      7. Why Should This Work for You?
      8. Open Source Versus Commercial Products
      9. Introducing Blanco Wireless
    4. 2. Implement Policies for Monitoring
      1. Blacklist Monitoring
      2. Anomaly Monitoring
      3. Policy Monitoring
      4. Monitoring Against Defined Policies
        1. Management Enforcement
      5. Types of Policies
        1. Regulatory Compliance Policies
          1. Example: COBIT configuration control monitoring
          2. Example: SOX monitoring for financial apps and databases
          3. Example: Monitoring HIPAA applications for unauthorized activity
          4. Example: ISO 17799 monitoring
          5. Example: Payment Card Industry Data Security Standard (PCI DSS) monitoring
        2. Employee Policies
          1. Example: Unique login for privileged operations
          2. Example: Rogue wireless devices
          3. Example: Direct Internet connection from production servers
          4. Example: Tunneled traffic
      6. Policies for Blanco Wireless
        1. Policies
          1. Data Protection Policy
          2. Server Security Policy
        2. Implementing Monitoring Based on Policies
      7. Conclusion
    5. 3. Know Your Network
      1. Network Taxonomy
        1. Network Type Classification
          1. External networks
          2. Internal networks
        2. IP Address Management Data
      2. Network Telemetry
        1. NetFlow
          1. Exporting NetFlow for collection
          2. Performance considerations for NetFlow collection
          3. Where to collect NetFlow
          4. OSU flow-tools
            1. Identifying infected hosts participating in botnets
            2. Flow aggregation
            3. Repudiation and nonrepudiation
          5. Choosing a NetFlow collector
        2. SNMP
          1. MRTG
            1. MRTG example
        3. Routing and Network Topologies
      3. The Blanco Wireless Network
        1. IP Address Assignment
        2. NetFlow Collection
        3. Routing Information
      4. Conclusion
    6. 4. Select Targets for Monitoring
      1. Methods for Selecting Targets
        1. Business Impact Analysis
        2. Revenue Impact Analysis
        3. Expense Impact Analysis
        4. Legal Requirements
          1. Regulatory compliance
          2. Example: Gramm-Leach Blilely Act
          3. Example: Payment Card Industry Data Security Standard
          4. Example: Standards for critical infrastructure protection
          5. Contractual obligation
        5. Sensitivity Profile
          1. Systems that access personally identifiable information (PII)
          2. Systems that access confidential information
          3. Systems that access classified information
        6. Risk Profile
          1. Risk assessments
        7. Visibility Profile
      2. Practical Considerations for Selecting Targets
      3. Recommended Monitoring Targets
      4. Choosing Components Within Monitoring Targets
        1. Example: ERP System
        2. Gathering Component Details for Event Feeds
          1. Server IP addresses and hostnames
          2. “Generic” user IDs
          3. Administrator user IDs
          4. Database details
          5. Access controls
      5. Blanco Wireless: Selecting Targets for Monitoring
        1. Components to Monitor
          1. Data Protection Policy
          2. Server Security Policy
      6. Conclusion
    7. 5. Choose Event Sources
      1. Event Source Purpose
        1. Event Collection Methods
        2. Event Collection Impact
          1. Host logs
          2. Network IDS
          3. NetFlow
          4. Application logs
          5. Database logs
          6. Network ACL logs
      2. Choosing Event Sources for Blanco Wireless
      3. Conclusion
    8. 6. Feed and Tune
      1. Network Intrusion Detection Systems
        1. Packet Analysis and Alerting
        2. Network Intrusion Prevention Systems
        3. Intrusion Detection or Intrusion Prevention?
          1. Availability
            1. Nonhardware sources of downtime
            2. NIPS and network bandwidth
          2. Span of control
      2. NIDS Deployment Framework
        1. Analyze
        2. Design
          1. DMZ design
          2. Data center design
          3. Extranet design
        3. Deploy
        4. Tune and Manage
          1. Tune at the sensor
          2. Tune at the SIM
          3. Network variables
          4. Tuning with host variables
          5. Custom signatures
      3. System Logging
        1. Key Syslog Events
          1. Authentication events
          2. Authorization events
          3. Daemon status events
          4. Security application events
        2. Syslog Templates
        3. Key Windows Log Events
          1. Windows authentication
          2. Windows authorization
          3. Windows process status events
          4. Windows domain controller events
          5. Windows security application events
        4. Application Logging
        5. Database Logging
        6. Collecting Syslog
      4. NetFlow
        1. OSU flow-tools NetFlow Capture Filtering
        2. OSU flow-tools flow-fanout
      5. Blanco’s Security Alert Sources
        1. NIDS
        2. Syslog
        3. Apache Logs
        4. Database Logs
        5. Antivirus and HIDS Logs
        6. Network Device Logs
        7. NetFlow
      6. Conclusion
    9. 7. Maintain Dependable Event Sources
      1. Maintain Device Configurations
        1. Create Service Level Agreements
        2. Back It Up with Policy
        3. SLA Sections
        4. Automated Configuration Management
      2. Monitor the Monitors
        1. Monitor System Health
          1. Monitor system load
          2. Monitor memory
          3. Monitor disk space
          4. Monitor network performance
        2. Monitor the NIDS
          1. Monitor traffic feeds (uplinks)
          2. Monitor sensor processes
          3. Monitor alerts
        3. Monitor Network Flow Collection
          1. Monitor system health
          2. Monitor traffic feeds from routers
          3. Monitor collector network configuration
          4. Monitor collection directories
          5. Monitor collection processes
          6. Maintain flow retention
        4. Monitor Event Log Collectors
          1. Monitor system health
          2. Monitor collection processes
          3. Monitor collection directories (logs)
          4. Monitor network traffic
          5. Audit configurations
          6. Maintain log retention
      3. Monitor Databases
        1. Monitor Oracle
          1. Maintain Oracle systemwide audit settings
          2. Monitor Oracle audit events
          3. Maintain Oracle audit settings on objects
          4. Monitor administrative privileges
        2. Monitor MySQL Servers
      4. Automated System Monitoring
        1. Traditional Network Monitoring and Management Systems
          1. How system monitoring works
        2. How to Monitor the Monitors
        3. Monitoring with Nagios
      5. System Monitoring for Blanco Wireless
        1. Monitor NetFlow Collection
        2. Monitor Collector Health
          1. Disk space
          2. Permissions
          3. Load
          4. Memory
          5. Swap space
        3. Monitor Collection Processes
          1. Continuous flows
          2. Processes
        4. Monitor Flows from Gateway Routers
        5. Monitor Event Log Collection
          1. Monitor collector health
          2. Verify disk space
          3. Ensure permissions
          4. Monitor collection processes
          5. Maintain continuous logs
          6. Monitor collection from servers
        6. Monitor NIDS
          1. Monitor device health
          2. Monitor traffic feeds
          3. Check sensor processes
          4. Monitor alert generation
        7. Monitor Oracle Logging
        8. Monitor Antivirus/HIDS Logging
      6. Conclusion
    10. 8. Conclusion: Keeping It Real
      1. What Can Go Wrong
        1. Create Policy
          1. Ryan monitors the risky venture
          2. Pam discovers network abuse by an extranet partner
        2. Know Your Network
          1. Michael monitors an acquisition
          2. Helen adds context to the NIDS
        3. Choose Targets for Security Monitoring
          1. Pam and the failed pilot
        4. Choose Event Sources
          1. Donald monitors high-risk employees
        5. Feed and Tune
          1. Janet and the career-limiting false positive
          2. Dwight overwhelms the event collectors
        6. Maintain Dependable Event Sources
          1. Lyle and the broken NetFlow collectors
          2. Marian and the threatening note
      2. Case Studies
        1. KPN-CERT
          1. Policies
          2. Network
          3. Monitoring targets
          4. Event sources
          5. Maintenance
          6. An approach to protect customer data
        2. Northrop Grumman
          1. Policies
          2. Network topology, metadata, and monitoring targets
          3. Event sources
          4. Maintenance
          5. A dynamic-threat-oriented security team
      3. Real Stories of the CSIRT
        1. Stolen Intellectual Property
        2. Targeted Attack Against Employees
      4. Bare Minimum Requirements
        1. Policy
          1. Policy 1: Allowed network activity
          2. Policy 2: Allowed access
          3. Policy 3: Minimum access standards
        2. Know the Network
          1. Step 1: Set up an IPAM solution
          2. Step 2: Document basic IP demarcations
        3. Select Targets for Effective Monitoring
        4. Choose Event Sources
          1. NIDS alerts
          2. Network flows
          3. Server logs
        5. Feed and Tune
          1. Set up a Security Information Manager (SIM)
          2. Deploy the NIDS
          3. Point NetFlow at the SIM
          4. Configure server logs
        6. Maintain Dependable Event Sources
      5. Conclusion
    11. A. Detailed OSU flow-tools Collector Setup
      1. Set Up the Server
      2. Configuring NetFlow Export from the Router
    12. B. SLA Template
      1. Service Level Agreement: Information Security and Network Engineering
        1. Overview
        2. Service Description
        3. Scope
        4. Roles and Responsibilities
          1. NetEng responsibilities
          2. InfoSec responsibilities
        5. Service Operations
          1. Requesting service
          2. Hours of operation
          3. Response times
          4. Escalations
          5. Maintenance and service changes
        6. Agreement Dates and Changes
        7. Supporting Policies and Templates
        8. Approvals, Terminations, and Reviews
          1. Approvals
          2. Terminations
          3. Reviewers
    13. C. Calculating Availability
    14. Index
    15. About the Authors
    16. Colophon
    17. SPECIAL OFFER: Upgrade this ebook with O’Reilly

Product information

  • Title: Security Monitoring
  • Author(s): Chris Fry, Martin Nystrom
  • Release date: February 2009
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9780596555450