#342 in Computers & technology books
Reddit mentions of The Practice of Network Security Monitoring: Understanding Incident Detection and Response
Sentiment score: 7
Reddit mentions: 9
We found 9 Reddit mentions of The Practice of Network Security Monitoring: Understanding Incident Detection and Response. Here are the top ones.
Buying options
View on Amazon.com
Features:
- Used Book in Good Condition
Specs:
| Spec | Value |
|---|---|
| Color | Cream |
| Height | 9.15 Inches |
| Length | 7 Inches |
| Number of items | 1 |
| Release date | July 2013 |
| Weight | 1.8 Pounds |
| Width | 1.5 Inches |
Here are a few books I recommend:
Blue Team Handbook
Defensive Security Handbook
The Practice of Network Security Monitoring
Crafting the Infosec Playbook
And don't forget the NIST Cyber Security Framework
This is your curriculum:
1 & 2 below are basically required reading in my CSIRT; 3 is optional, but advisable.
Next get yourself and/or your organization to participate in FIRST
Practice of Network Security Monitoring is the best place to start.
Tl;dr Python works, it's super popular and you'll be able to transfer most things you learn there to other languages.
Some examples you might run into:
- Capirca - ACL descriptive language (https://github.com/google/capirca). You should understand Capirca as a tool, and why you might want to use it (not deeply, just enough to see why you might use things like rule/subnet minimization etc.)
- Rancid - Backup automation (uses *cringe* Expect, http://www.shrubbery.net/rancid/). Look at Oxidized instead, but Rancid was the standard for years (over a decade?)
- Nmap - Lua scripting (you may need to write custom scanners, https://nmap.org/book/man-nse.html)
- Network Security Monitoring - This is more a discipline you'll probably need to understand, and even while it's a little dated I would suggest the No Starch Press book on the practice. Understanding where you should use a simple beam splitter or an active tap etc. is important too, but you've probably had plenty of experience there. I wouldn't focus on too many different tools, but you can certainly test things like Bro/Suricata out on your personal network with pretty minimal modifications to understand the concept.
Scripting will help you do really basic things like be able to take a single SNMP walk command for a single OID and run it against a csv/txt file list of assets. It helps give you the fundamentals to fix/change the tools you'll have to use as a network security engineer.
Understanding certs is super important, so know some basic things: how to extract a certificate/private key in any format you need it, how to verify a certificate is valid with a copy of the Certificate Authority, how to verify a certificate is still valid, what the minimum required process to renew a certificate is, etc.
Also, you'll probably have to deal with break/inspect (*transparent* TLS proxies), so learning and understanding how certificate (X.509) based systems work even lends itself there. Unfortunately scripting tools for that kind of thing suck/are missing pieces, so basically I would say learn how to use openssl really well and make yourself some good bookmarks for references.
The Tao of Network Security Monitoring explains a framework for stitching together different pieces of network security data into a process for investigation (the follow-up is also good).
yes, the thing you want is called 'full packet', and yes, it usually involves just sniffing, saving, and indexing all traffic at your network ingress/egress. there's some good open source frameworks like moloch for doing that, or if you've got money kicking around, something like solera or netwitness will do the trick nicely.
I'd like to preface this by saying that I am certainly not the world's greatest security expert and that there are many people who are more qualified to speak to this matter. Hopefully some of them will see your post and chime in.
In my experience the less complex the product is, the easier it is to both maintain and secure. Therefore, knowing what you're building and how to build it gives you much better control over the security of it. Unless you're a part of an extremely tight-knit team that includes your SysOps and DevOps people, or you're developing the product and the product's host environment by yourself, there will always be aspects of security outside of your control. However, putting time and effort into the security of the product itself is typically a rewarding investment.
Books:
This book is focused on introducing security considerations into the phases of the SDLC. The information in this book is a bit more advanced than Security Software (included below) but not inaccessible to a beginner. Understanding architectural risk analysis is a valuable skill in any tech environment.
I would say this book is a must-have if you develop any sort of Java web app or API. The authors manage to cover a lot of territory in a very understandable format.
Another book that is primarily aimed at introducing security into each phase of the SDLC. When I first started working in software development I found it extremely helpful at convincing some "old guard" types why red teaming products is extremely valuable. You may want to read this before reading Threat Modeling.
Networking is definitely not my strongest skill but this book breaks down some concepts of network monitoring and threat detection in ways that are easy to understand.
Security Onion is amazing; I use it myself as a VM in a home ESXi server with a cheap 5-port smart switch.
A few quick notes:
My suggestion is to get a cheap switch with port mirror capabilities, like the Mikrotik Routerboard 260gs. Get a wireless AP (or an old router which has AP-only mode), and plug this into your switch. Plug your actual router (the one doing the NAT) into the switch, and mirror these to a port that is connected to the Security Onion box.
That way you'll get both Ethernet and WiFi traffic. If you have any questions about running Security Onion in a home setting, feel free to send me a PM.
https://smile.amazon.com/gp/product/1593275099/
I am not sure about the size of your environment. If it's small, Splunk may be way outside your budget.
Take a look at that link above if you really want to build an open source solution for security monitoring. It'll take a lot of elbow grease and knowledge of your business to be effective. Pick up the book and build yourself a POC to see what you can see.
On network security monitoring (network IDS/IPS) you might want to have a look at this book: http://www.amazon.co.uk/Practice-Network-Security-Monitoring-Understanding/dp/1593275099/ref=pd_bxgy_b_img_y