
Security Monitoring Proven Methods for Incident Detection on Enterprise Networks 1st edition by Chris Fry, Martin Nystrom ISBN 0596518161 9780596518165

Authors: Chris Fry, Martin Nystrom
Pages: 223
Year: 2009
Edition: 1
Publisher: O'Reilly Media
Language: English
File size: 4.28 MB
Format: PDF
ISBNs: 9780596518165, 0596518161
Categories: Ebooks

Product description

Product details:

ISBN 10: 0596518161
ISBN 13: 9780596518165
Authors: Chris Fry, Martin Nystrom

How well does your enterprise stand up against today's sophisticated security threats? In this book, security experts from Cisco Systems demonstrate how to detect damaging security incidents on your global network: first by teaching you which assets you need to monitor closely, and then by helping you develop targeted strategies and pragmatic techniques to protect them.

Security Monitoring is based on the authors' years of experience conducting incident response to keep Cisco's global network secure. It offers six steps to improve network monitoring. These steps will help you:

  • Develop Policies: define rules, regulations, and monitoring criteria
  • Know Your Network: build knowledge of your infrastructure with network telemetry
  • Select Your Targets: define the subset of infrastructure to be monitored
  • Choose Event Sources: identify event types needed to discover policy violations
  • Feed and Tune: collect data, generate alerts, and tune systems using contextual information
  • Maintain Dependable Event Sources: prevent critical gaps in collecting and monitoring events

Security Monitoring illustrates these steps with detailed examples that will help you learn to select and deploy the best techniques for monitoring your own enterprise network.


Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks, 1st edition, table of contents:

1. Getting Started

A Rapidly Changing Threat Landscape

Failure of Antivirus Software

Why Monitor?

The Miscreant Economy and Organized Crime

Insider Threats

Challenges to Monitoring

Vendor Promises

Operational Realities

Volume

Privacy Concerns

Outsourcing Your Security Monitoring

Monitoring to Minimize Risk

Policy-Based Monitoring

Why Should This Work for You?

Open Source Versus Commercial Products

Introducing Blanco Wireless

2. Implement Policies for Monitoring

Blacklist Monitoring

Anomaly Monitoring

Policy Monitoring

Monitoring Against Defined Policies

Management Enforcement

Types of Policies

Regulatory Compliance Policies

Example: COBIT configuration control monitoring

Example: SOX monitoring for financial apps and databases

Example: Monitoring HIPAA applications for unauthorized activity

Example: ISO 17799 monitoring

Example: Payment Card Industry Data Security Standard (PCI DSS) monitoring

Employee Policies

Example: Unique login for privileged operations

Example: Rogue wireless devices

Example: Direct Internet connection from production servers

Example: Tunneled traffic

Policies for Blanco Wireless

Policies

Data Protection Policy

Server Security Policy

Implementing Monitoring Based on Policies

Conclusion

3. Know Your Network

Network Taxonomy

Network Type Classification

External networks

Internal networks

IP Address Management Data

Network Telemetry

NetFlow

Exporting NetFlow for collection

Performance considerations for NetFlow collection

Where to collect NetFlow

OSU flow-tools

Identifying infected hosts participating in botnets

Flow aggregation

Repudiation and nonrepudiation

Choosing a NetFlow collector

SNMP

MRTG

MRTG example

Routing and Network Topologies

The Blanco Wireless Network

IP Address Assignment

NetFlow Collection

Routing Information

Conclusion

4. Select Targets for Monitoring

Methods for Selecting Targets

Business Impact Analysis

Revenue Impact Analysis

Expense Impact Analysis

Legal Requirements

Regulatory compliance

Example: Gramm-Leach-Bliley Act

Example: Payment Card Industry Data Security Standard

Example: Standards for critical infrastructure protection

Contractual obligation

Sensitivity Profile

Systems that access personally identifiable information (PII)

Systems that access confidential information

Systems that access classified information

Risk Profile

Risk assessments

Visibility Profile

Practical Considerations for Selecting Targets

Recommended Monitoring Targets

Choosing Components Within Monitoring Targets

Example: ERP System

Gathering Component Details for Event Feeds

Server IP addresses and hostnames

“Generic” user IDs

Administrator user IDs

Database details

Access controls

Blanco Wireless: Selecting Targets for Monitoring

Components to Monitor

Data Protection Policy

Server Security Policy

Conclusion

5. Choose Event Sources

Event Source Purpose

Event Collection Methods

Event Collection Impact

Host logs

Network IDS

NetFlow

Application logs

Database logs

Network ACL logs

Choosing Event Sources for Blanco Wireless

Conclusion

6. Feed and Tune

Network Intrusion Detection Systems

Packet Analysis and Alerting

Network Intrusion Prevention Systems

Intrusion Detection or Intrusion Prevention?

Availability

Nonhardware sources of downtime

NIPS and network bandwidth

Span of control

NIDS Deployment Framework

Analyze

Design

DMZ design

Data center design

Extranet design

Deploy

Tune and Manage

Tune at the sensor

Tune at the SIM

Network variables

Tuning with host variables

Custom signatures

System Logging

Key Syslog Events

Authentication events

Authorization events

Daemon status events

Security application events

Syslog Templates

Key Windows Log Events

Windows authentication

Windows authorization

Windows process status events

Windows domain controller events

Windows security application events

Application Logging

Database Logging

Collecting Syslog

NetFlow

OSU flow-tools NetFlow Capture Filtering

OSU flow-tools flow-fanout

Blanco’s Security Alert Sources

NIDS

Syslog

Apache Logs

Database Logs

Antivirus and HIDS Logs

Network Device Logs

NetFlow

Conclusion

7. Maintain Dependable Event Sources

Maintain Device Configurations

Create Service Level Agreements

Back It Up with Policy

SLA Sections

Automated Configuration Management

Monitor the Monitors

Monitor System Health

Monitor system load

Monitor memory

Monitor disk space

Monitor network performance

Monitor the NIDS

Monitor traffic feeds (uplinks)

Monitor sensor processes

Monitor alerts

Monitor Network Flow Collection

Monitor system health

Monitor traffic feeds from routers

Monitor collector network configuration

Monitor collection directories

Monitor collection processes

Maintain flow retention

Monitor Event Log Collectors

Monitor system health

Monitor collection processes

Monitor collection directories (logs)

Monitor network traffic

Audit configurations

Maintain log retention

Monitor Databases

Monitor Oracle

Maintain Oracle systemwide audit settings

Monitor Oracle audit events

Maintain Oracle audit settings on objects

Monitor administrative privileges

Monitor MySQL Servers

Automated System Monitoring

Traditional Network Monitoring and Management Systems

How system monitoring works

How to Monitor the Monitors

Monitoring with Nagios

System Monitoring for Blanco Wireless

Monitor NetFlow Collection

Monitor Collector Health

Disk space

Permissions

Load

Memory

Swap space

Monitor Collection Processes

Continuous flows

Processes

Monitor Flows from Gateway Routers

Monitor Event Log Collection

Monitor collector health

Verify disk space

Ensure permissions

Monitor collection processes

Maintain continuous logs

Monitor collection from servers

Monitor NIDS

Monitor device health

Monitor traffic feeds

Check sensor processes

Monitor alert generation

Monitor Oracle Logging

Monitor Antivirus/HIDS Logging

Conclusion

8. Conclusion: Keeping It Real

What Can Go Wrong

Create Policy

Ryan monitors the risky venture

Pam discovers network abuse by an extranet partner

Know Your Network

Michael monitors an acquisition

Helen adds context to the NIDS

Choose Targets for Security Monitoring

Pam and the failed pilot

Choose Event Sources

Donald monitors high-risk employees

Feed and Tune

Janet and the career-limiting false positive

Dwight overwhelms the event collectors

Maintain Dependable Event Sources

Lyle and the broken NetFlow collectors

Marian and the threatening note

Case Studies

KPN-CERT

Policies

Network

Monitoring targets

Event sources

Maintenance

An approach to protect customer data

Northrop Grumman

Policies

Network topology, metadata, and monitoring targets

Event sources

Maintenance
