#342 in Computers & technology books

Reddit mentions of The Practice of Network Security Monitoring: Understanding Incident Detection and Response

Sentiment score: 7
Reddit mentions: 9

We found 9 Reddit mentions of The Practice of Network Security Monitoring: Understanding Incident Detection and Response. Here are the top ones.

The Practice of Network Security Monitoring: Understanding Incident Detection and Response
    Features:
  • Used Book in Good Condition
Specs:
  • Color: Cream
  • Height: 9.15 Inches
  • Length: 7 Inches
  • Number of items: 1
  • Release date: July 2013
  • Weight: 1.8 Pounds
  • Width: 1.5 Inches


Found 9 comments on The Practice of Network Security Monitoring: Understanding Incident Detection and Response:

u/Oriumpor · 4 points · r/networking

Tl;dr Python works, it's super popular and you'll be able to transfer most things you learn there to other languages.


Some examples you might run into:

  • Capirca - ACL descriptive language (https://github.com/google/capirca)

    You should understand Capirca as a tool, and why you might want to use it (not deeply, just enough to see why you might use things like rule/subnet minimization etc.)

  • Rancid - Backup automation (uses *cringe* Expect, http://www.shrubbery.net/rancid/). Look at Oxidized instead, but Rancid was the standard for years (over a decade?)

  • Nmap - Lua scripting (you may need to write custom scanners, https://nmap.org/book/man-nse.html)

  • Network Security Monitoring - This is more a discipline you'll probably need to understand, and even while it's a little dated I would suggest the No Starch Press book on the practice. Understanding where you should use a simple beam splitter or an active tap etc. is important too, but you've probably had plenty of experience there. I wouldn't focus on too many different tools, but you can certainly test things like Bro/Suricata out on your personal network with pretty minimal modifications to understand the concept.

Scripting will help you do really basic things like be able to take a single SNMP walk command for a single OID and run it against a csv/txt file list of assets. It helps give you the fundamentals to fix/change the tools you'll have to use as a network security engineer.

Understanding Certs is super important, so knowing some basic things: how to extract a certificate/private key in any format you need it. How to verify a certificate is valid with a copy of the Certificate Authority, how to verify a certificate is still valid. What's the minimum required process to renew a certificate etc.

Also, you'll probably have to deal with break/inspect (*transparent* tls proxies) so learning and understanding how certificate (x.509) based systems work even lends itself there. Unfortunately scripting tools for that kinda thing suck/are missing pieces so basically I would say learn how to use openssl really well/make yourself some good bookmarks for references.
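The certificate checks the comment above lists (does the issuer match a trusted CA copy, does the signature verify under that CA's key, is the certificate still inside its validity period) carried out in Python, as an added example that is not the commenter's code, the book's, or a particular tool's. It assumes the third-party `cryptography` package and builds its own throwaway CA and leaf certificates in-process (including an expired leaf and one signed by a key the CA copy does not vouch for), so it runs offline with no real certificates involved.

```python
"""Added example: validate a leaf certificate against a trusted CA copy.

Assumes the third-party `cryptography` package. All certificates below are
constructed in-process for illustration; none are real.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

DAY = datetime.timedelta(days=1)


def utc_now():
    """Current time as an aware UTC datetime (the reference point for validity checks)."""
    return datetime.datetime.now(datetime.timezone.utc)


def _cert(subject, issuer, pub, signer, not_before, not_after, is_ca):
    """Build and sign one X.509 certificate (helper for the constructed sample PKI)."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject))
        .issuer_name(name(issuer))
        .public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )


def build_sample_pki(now):
    """Constructed sample PKI, returned as PEM bytes: a CA, a valid leaf, an
    expired leaf, and a leaf whose issuer *name* matches the CA but which was
    signed with a key the CA copy does not vouch for."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def pem(cert):
        return cert.public_bytes(serialization.Encoding.PEM)

    leaf_pub = leaf_key.public_key()
    return {
        "ca": pem(_cert("Test CA", "Test CA", ca_key.public_key(), ca_key, now - DAY, now + 365 * DAY, True)),
        "good": pem(_cert("sensor.example", "Test CA", leaf_pub, ca_key, now - DAY, now + 30 * DAY, False)),
        "expired": pem(_cert("old.example", "Test CA", leaf_pub, ca_key, now - 400 * DAY, now - DAY, False)),
        "untrusted": pem(_cert("other.example", "Test CA", leaf_pub, other_key, now - DAY, now + 30 * DAY, False)),
    }


def _window(cert):
    """Validity window as aware UTC datetimes, across cryptography versions."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def check_certificate(cert_pem, ca_pem, now):
    """Run the checks an operator wants when validating a certificate against a
    CA copy: issuer name matches the CA subject, the signature verifies under
    the CA public key, and `now` falls inside the validity window."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    issuer_ok = cert.issuer == ca.subject
    try:
        # Verify the signature over the to-be-signed portion with the CA key.
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
        signature_ok = True
    except InvalidSignature:
        signature_ok = False
    not_before, not_after = _window(cert)
    in_window = not_before <= now <= not_after
    return {
        "issuer_ok": issuer_ok,
        "signature_ok": signature_ok,
        "in_window": in_window,
        "days_left": (not_after - now).days,
        "valid": issuer_ok and signature_ok and in_window,
    }


if __name__ == "__main__":
    now = utc_now()
    pki = build_sample_pki(now)
    for label in ("good", "expired", "untrusted"):
        print(label, check_certificate(pki[label], pki["ca"], now))
```

The "untrusted" case is the one a matching issuer string alone would miss: the name check passes and only the signature check against the CA copy catches it, which is why both are reported separately alongside the validity window and the days left before renewal is due.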

u/0x7262 · 3 points · r/AskNetsec

the tao of network security monitoring explains a framework for stitching together different pieces of network security data into a process for investigation (the follow-up is also good).

yes, the thing you want is called 'full packet', and yes, it usually involves just sniffing, saving, and indexing all traffic at your network ingress/egress. there's some good open source frameworks like moloch for doing that, or if you've got money kicking around, something like solera or netwitness will do the trick nicely.

u/burtawicz · 3 points · r/cscareerquestions

I'd like to preface this by saying that I am certainly not the world's greatest security expert and that there are many people who are more qualified to speak to this matter. Hopefully some of them will see your post and chime in.

In my experience the less complex the product is, the easier it is to both maintain and secure. Therefore, knowing what you're building and how to build it gives you much better control over the security of it. Unless you're a part of an extremely tight-knit team that includes your SysOps and DevOps people, or you're developing the product and the product's host environment by yourself, there will always be aspects of security outside of your control. However, putting time and effort into the security of the product itself is typically a rewarding investment.

Books:

u/hzer0 · 2 points · r/hacking

Security Onion is amazing; I use it myself as a VM in a home ESXi server with a cheap 5-port smart switch.

A few quick notes:

  • The Practice of Network Security Monitoring by Richard Bejtlich is a great resource for this sort of thing.

  • You will need something with more power than a Raspberry Pi for this, unless you make the Pi just a sensor and you have a server running the Snort analytics.

  • Keep in mind that if you have this behind your router, and your router is also your WiFi access point, you will not pick up any WiFi traffic. If you put it in front of your router, you will get all traffic, but it will all show the same IP (your public IP).

    My suggestion is to get a cheap switch with port mirror capabilities, like the Mikrotik Routerboard 260gs. Get a wireless AP (or an old router which has AP only mode), and plug this into your switch. Plug your actual router (the one doing the NAT) into the switch, and mirror these to a port that is connected to the security onion box.

    That way you will get both Ethernet and WiFi traffic. If you have any questions about running Security Onion in a home setting, feel free to send me a PM.

u/tokenwander · 1 point · r/Splunk

https://smile.amazon.com/gp/product/1593275099/

I am not sure about the size of your environment. If it's small, Splunk may be way outside your budget.

Take a look at that link above if you really want to build an open source solution for security monitoring. It'll take a lot of elbow grease and knowledge of your business to be effective. Pick up the book and build yourself a POC to see what you can see.

u/rmartelloni · 1 point · r/AskNetsec

On network security monitoring (network IDS/IPS) you might want to have a look at that book: http://www.amazon.co.uk/Practice-Network-Security-Monitoring-Understanding/dp/1593275099/ref=pd_bxgy_b_img_y