“The Tao of Network Security Monitoring, Beyond Intrusion Detection” – By Richard Bejtlich
I don’t normally do this, but I am making an exception for this book. This is not a full review, just a preview. I have not finished reading the book, but I thought it good enough to give you a heads-up.
The author, Richard Bejtlich, is the Director of Incident Response at GE, the author of the TaoSecurity Blog, and the instructor of the TCP/IP Weapons School. He is also a Harvard graduate and a former Air Force Captain who supervised the Air Force Computer Emergency Response Team (AFCERT).
Okay, first off: if you are new to the computer security field, you may want to skip this book for now. It is not an entry-level book. But if you are comfortable with Linux, intrusion detection systems and the TCP/IP protocol suite, this book is for you.
The book opens with a scenario: you are the head of network security for a large corporation. Strange pop-ups are appearing on workstations. Trouble tickets are coming in reporting an abnormal amount of traffic through your border router. Your intrusion detection sensors are all firing, and you are notified that an e-commerce site is being attacked from your network.
Bejtlich then asks the $64 million question: “Now what?”
Bejtlich’s philosophy is that being attacked, and eventually compromised, is a matter of when rather than if, so the goal is to have network security monitoring practices in place before the intrusion happens, not to scramble after it. He bases this philosophy on four assumptions from Dorothy Denning and Peter Neumann’s report “Requirements and Model for IDES – A Real-Time Intrusion-Detection Expert System”:
- Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse. Finding and fixing all these deficiencies is not feasible for technical and economic reasons.
- Existing systems with known flaws are not easily replaced by systems that are more secure – mainly because the systems have attractive features that are missing in the more secure systems, or else they cannot be replaced for economic reasons.
- Developing systems that are absolutely secure is extremely difficult, if not generally impossible.
- Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.
Wow, how true that is, and the amazing thing is that the report was written in 1985!
Excellent book. As I mentioned, I have not finished it yet (it’s about 800 pages!), but so far it has been very good. I have to admit that early on I almost put the book down and walked away; at times it seemed a little heady and philosophical (did I mention he was a Harvard grad?). But as I progressed and saw how Bejtlich pulled the information together, I saw the method in the madness and could see the writing for what it truly is: brilliant.
“The Tao of Network Security Monitoring, Beyond Intrusion Detection” available at Amazon.com.