The Tao of Network Security Monitoring: Beyond Intrusion Detection was my first Information Security book that I read. The author, Richard Bejtlich , has authored a few other books that I hope to read soon. As for Tao, I have found it to be an absolutely fascinating book on InfoSec.
The author starts out by laying the groundwork of Risk Management, and how risk, threats, vulnerabilities and exploits are defined and used in the real world.
The author then makes this statement:
“Security is the process of maintaining an acceptable level of perceived risk. A former director of education for the International Computer Security Association, Dr. Mitch Kabay, wrote in 1998 that “security is a process, not an end state.” No organization can be considered “secure” for any time beyond the last verification of adherence to its security policy. If your manager asks, “Are we secure?” you should answer, “Let me check.” If he or she asks, “Will we be secure tomorrow?” you should answer, “I don’t know.” Such honesty will not be popular, but this mind-set will produce greater success for the organization in the long run.”
With this kind of outlook on security, the author puts forth the concept of a “defensible” network: a network that can easily watched (monitored); a network that limits an intruder’s freedom to maneuver; a network that offers a minimum of services; and finally, a network that can be kept current.
With this foundation laid, the author delves into “Network Security Monitoring” which is defined as “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.” The rest of the book deals with the practical aspects of NSM: how to setup and use programs to collect NSM data; Best Practices; Case Studies; managing a NSM program; and finally, tactics on attacking NSM, and ways to mitigate these risks.
I have found this book to be very helpful in bringing balance to my understanding of how Intrusion Detection fits into an InfoSec program. I will follow up on this thought in my next post.
I would highly recommend this book to anyone interested in going deeper into InfoSec, especially dealing with Intrusion Detection Systems. It does have quite a bit of BSD-centric material, of which I skipped over alot of, but still very useful principles.
I hate to give my first book review a 10 out of 10, but any less would not do it justice.
Josh
Defensive Depth 