Chris Fry has been a member of the Computer Security Incident Response Team (CSIRT) at Cisco Systems, Inc., for five years, focusing on the deployment of intrusion detection and network monitoring tools and on incident investigation. He began his career at Cisco in 1997 as an IT analyst supporting Cisco's production services. His four years as a network engineer in Cisco IT's internal network support organization gave him valuable knowledge of, and unique insight into, monitoring production enterprise networks. Chris holds a BA in Corporate Financial Analysis and an MS in Information and Communication Sciences from Ball State University.
Martin Nystrom is a senior security analyst with Cisco's Computer Security Incident Response Team (CSIRT), where he leads initiatives to improve monitoring and response in information security. Before joining Cisco's CSIRT, Martin was responsible for designing secure architectures for IT projects. He worked as an IT architect and a Java programmer for 12 years before becoming a security architect, with experience in the pharmaceutical and computer industries. Martin received a bachelor's degree from Iowa State University in 1990, a master's degree from NC State University in 2003, and his CISSP certification in 2004.
Preface (p. xi)

Getting Started (p. 1)
  A Rapidly Changing Threat Landscape (p. 3)
  Failure of Antivirus Software (p. 4)
  Why Monitor? (p. 5)
  The Miscreant Economy and Organized Crime (p. 6)
  Insider Threats (p. 6)
  Challenges to Monitoring (p. 7)
  Vendor Promises (p. 7)
  Operational Realities (p. 7)
  Volume (p. 8)
  Privacy Concerns (p. 8)
  Outsourcing Your Security Monitoring (p. 8)
  Monitoring to Minimize Risk (p. 9)
  Policy-Based Monitoring (p. 9)
  Why Should This Work for You? (p. 9)
  Open Source Versus Commercial Products (p. 9)
  Introducing Blanco Wireless (p. 10)

Implement Policies for Monitoring (p. 11)
  Blacklist Monitoring (p. 12)
  Anomaly Monitoring (p. 16)
  Policy Monitoring (p. 16)
  Monitoring Against Defined Policies (p. 17)
  Management Enforcement (p. 18)
  Types of Policies (p. 18)
  Regulatory Compliance Policies (p. 19)
  Employee Policies (p. 24)
  Policies for Blanco Wireless (p. 28)
  Policies (p. 29)
  Implementing Monitoring Based on Policies (p. 30)
  Conclusion (p. 31)

Know Your Network (p. 33)
  Network Taxonomy (p. 33)
  Network Type Classification (p. 34)
  IP Address Management Data (p. 37)
  Network Telemetry (p. 40)
  NetFlow (p. 40)
  SNMP (p. 55)
  Routing and Network Topologies (p. 56)
  The Blanco Wireless Network (p. 57)
  IP Address Assignment (p. 57)
  NetFlow Collection (p. 57)
  Routing Information (p. 58)
  Conclusion (p. 58)

Select Targets for Monitoring (p. 61)
  Methods for Selecting Targets (p. 62)
  Business Impact Analysis (p. 63)
  Revenue Impact Analysis (p. 64)
  Expense Impact Analysis (p. 64)
  Legal Requirements (p. 65)
  Sensitivity Profile (p. 67)
  Risk Profile (p. 69)
  Visibility Profile (p. 74)
  Practical Considerations for Selecting Targets (p. 75)
  Recommended Monitoring Targets (p. 77)
  Choosing Components Within Monitoring Targets (p. 78)
  Example: ERP System (p. 78)
  Gathering Component Details for Event Feeds (p. 79)
  Blanco Wireless: Selecting Targets for Monitoring (p. 81)
  Components to Monitor (p. 82)
  Conclusion (p. 83)

Choose Event Sources (p. 85)
  Event Source Purpose (p. 85)
  Event Collection Methods (p. 87)
  Event Collection Impact (p. 89)
  Choosing Event Sources for Blanco Wireless (p. 99)
  Conclusion (p. 100)

Feed and Tune (p. 101)
  Network Intrusion Detection Systems (p. 101)
  Packet Analysis and Alerting (p. 102)
  Network Intrusion Prevention Systems (p. 102)
  Intrusion Detection or Intrusion Prevention? (p. 103)
  NIDS Deployment Framework (p. 108)
  Analyze (p. 108)
  Design (p. 110)
  Deploy (p. 114)
  Tune and Manage (p. 116)
  System Logging (p. 121)
  Key Syslog Events (p. 124)
  Syslog Templates (p. 126)
  Key Windows Log Events (p. 127)
  Application Logging (p. 132)
  Database Logging (p. 133)
  Collecting Syslog (p. 136)
  NetFlow (p. 139)
  OSU flow-tools NetFlow Capture Filtering (p. 141)
  OSU flow-tools flow-fanout (p. 142)
  Blanco's Security Alert Sources (p. 143)
  NIDS (p. 143)
  Syslog (p. 145)
  Apache Logs (p. 145)
  Database Logs (p. 146)
  Antivirus and HIDS Logs (p. 146)
  Network Device Logs (p. 146)
  NetFlow (p. 146)
  Conclusion (p. 146)

Maintain Dependable Event Sources (p. 147)
  Maintain Device Configurations (p. 149)
  Create Service Level Agreements (p. 149)
  Back It Up with Policy (p. 150)
  SLA Sections (p. 151)
  Automated Configuration Management (p. 152)
  Monitor the Monitors (p. 153)
  Monitor System Health (p. 154)
  Monitor the NIDS (p. 155)
  Monitor Network Flow Collection (p. 157)
  Monitor Event Log Collectors (p. 161)
  Monitor Databases (p. 164)
  Monitor Oracle (p. 164)
  Monitor MySQL Servers (p. 166)
  Automated System Monitoring (p. 167)
  Traditional Network Monitoring and Management Systems (p. 167)
  How to Monitor the Monitors (p. 169)
  Monitoring with Nagios (p. 170)
  System Monitoring for Blanco Wireless (p. 172)
  Monitor NetFlow Collection (p. 172)
  Monitor Collector Health (p. 172)
  Monitor Collection Processes (p. 174)
  Monitor Flows from Gateway Routers (p. 174)
  Monitor Event Log Collection (p. 175)
  Monitor NIDS (p. 176)
  Monitor Oracle Logging (p. 179)
  Monitor Antivirus/HIDS Logging (p. 179)
  Conclusion (p. 179)

Conclusion: Keeping It Real (p. 181)
  What Can Go Wrong (p. 182)
  Create Policy (p. 182)
  Know Your Network (p. 184)
  Choose Targets for Security Monitoring (p. 185)
  Choose Event Sources (p. 186)
  Feed and Tune (p. 186)
  Maintain Dependable Event Sources (p. 188)
  Case Studies (p. 189)
  KPN-CERT (p. 189)
  Northrop Grumman (p. 192)
  Real Stories of the CSIRT (p. 194)
  Stolen Intellectual Property (p. 194)
  Targeted Attack Against Employees (p. 195)
  Bare Minimum Requirements (p. 196)
  Policy (p. 196)
  Know the Network (p. 197)
  Select Targets for Effective Monitoring (p. 198)
  Choose Event Sources (p. 198)
  Feed and Tune (p. 199)
  Maintain Dependable Event Sources (p. 200)
  Conclusion (p. 201)

Detailed OSU flow-tools Collector Setup (p. 203)
SLA Template (p. 207)
Calculating Availability (p. 211)
Index (p. 215)

Table of Contents provided by Ingram. All Rights Reserved.