Applied Network Security Monitoring by Chris Sanders and Jason Smith is intended as a guide to becoming a practicing network security monitoring (NSM) analyst. The book serves both as an introductory text for a broad audience and as supporting material for a formal analyst training process. The authors' stated objective is that a reader who works through it cover to cover comes away with an introductory-level grasp of the core concepts that make a good NSM analyst.
The authors devote individual chapters to the tools, techniques, and procedures of the three core areas of NSM: Collection, Detection, and Analysis. There is a companion website for the book.
The book opens by defining the terminology of the practice, including terms such as asset, threat, vulnerability, and exploit.
To quote the book, baseline skills in NSM include the following:
• Threat-Centric Security, NSM, and the NSM Cycle
• TCP/IP Protocols
• Common Application Layer Protocols
• Packet Analysis
• Windows Architecture
• Linux Architecture
• Basic Data Parsing (BASH, Grep, SED, AWK, etc)
• IDS Usage (Snort, Suricata, etc.)
• Indicators of Compromise and IDS Signature Tuning
• Open Source Intelligence Gathering
• Basic Analytic Diagnostic Methods
• Basic Malware Analysis
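As an added example (not code from the book or its companion site), here is the kind of basic data parsing the skills list refers to: a few constructed Zeek/Bro conn.log-style records summarised with awk and sort to find top talkers and long-lived connections to unusual ports. The field order follows conn.log; the records themselves, the documentation-range addresses, the port allowlist and the 300-second duration threshold are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the book: the "Basic Data Parsing" skill above,
# applied to Zeek/Bro-style conn.log records with awk, sort and head.
# The connection records below are constructed for illustration and use
# private and documentation address ranges only.

# Fields in conn.log order:
#   ts orig_h orig_p resp_h resp_p proto duration orig_bytes resp_bytes
# Space-separated here for readability; a real conn.log is tab-separated,
# so awk would be run with -F'\t' against it.
conn_log() {
    printf '%s\n' \
        '1700000000.1 10.0.0.5 51000 192.0.2.10 443 tcp 12.5 1200 8000' \
        '1700000001.2 10.0.0.5 51001 192.0.2.10 443 tcp 3.2 800 4500' \
        '1700000002.3 10.0.0.9 40000 10.0.0.1 53 udp 0.1 60 120' \
        '1700000003.4 10.0.0.7 52000 198.51.100.23 4444 tcp 3600.0 50000 900' \
        '1700000004.5 10.0.0.5 51002 203.0.113.9 80 tcp 1.0 300 2200' \
        '1700000005.6 10.0.0.7 52001 198.51.100.23 4444 tcp 3500.0 48000 700'
}

# Top talkers: total bytes in both directions per internal source host,
# largest first. Prints "<bytes> <orig_h>" per line.
top_talkers() {
    conn_log | awk '{ bytes[$2] += $8 + $9 }
                    END { for (h in bytes) print bytes[h], h }' | sort -rn
}

# Long-lived connections to non-standard ports: a crude trigger for
# reverse shells and C2 channels. Ports 53, 80 and 443 are allowlisted;
# the default 300 s threshold is an assumption for this sample, not a
# value taken from the book. Prints "<orig_h> <resp_h> <resp_p> <duration>".
long_connections() {
    min_duration="${1:-300}"
    conn_log | awk -v min="$min_duration" \
        '$7 > min && $5 !~ /^(53|80|443)$/ { print $2, $4, $5, $7 }'
}

echo "== top talkers (bytes host) =="
top_talkers
echo "== long-lived connections to unusual ports =="
long_connections
```

Both functions read from the embedded sample; point `conn_log` at a real file (with `awk -F'\t'`) and the same one-liners work on production logs. The allowlist and duration threshold are the tuning knobs: too loose and every idle HTTPS keepalive fires, too tight and a slow beacon slips through.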
The authors discuss each of these skills in detail. The book's emphasis is a structured, threat-centric approach to network security monitoring: identify who, what, where and why you are monitoring, implement collection and detection triggers based on that identification, and analyze the captured data to produce actionable findings. The book contrasts this with vulnerability-centric monitoring, which is driven by regularly updated, well-known sources of newly published vulnerabilities.
The tools suggested in the book, such as Snort, Bro, Argus and others, ship as part of Security Onion, a specialized Linux distribution for NSM. The authors walk through installing Security Onion and deploying its NSM services.
The case study running through the book is an online retailer. Its organisational threats boil down to three fears: theft of stored credit card data, a prolonged outage of the website, and the website processing orders without receiving payment because of a bug or a compromise. Each fear is broken down into the possible sources of compromise behind it, and those sources become the candidate locations for NSM sensors. The monitoring architecture for the case study also includes collection of web and application server logs alongside the network data.
For this case study, the various sensor types and their implementation strategies are discussed. One important concern the authors raise is securing and hardening the sensor itself.
Full packet capture relies on tools such as dumpcap, daemonlogger and netsniff-ng. The book offers selection criteria for choosing among them based on the scenario, along with implementation best practices for each.
The authors also cover, in considerable detail, monitoring for the sources of file server compromise, ensuring the integrity of network sensor devices, and indicators of compromise and signatures.
The book carries the reader from the basics of applied network security monitoring through to a case study implementation. Because the authors work within Security Onion, a specialized Linux distribution with the relevant tools built in, the reader can grasp the technicalities, complexities, and pros and cons of the individual tools with confidence in the authors' accuracy, expertise and competence. Using Security Onion as the vehicle is an effective way to explain and walk readers through this difficult topic.