How well does your enterprise stand up against today's sophisticated security threats? In this book, security experts from Cisco Systems demonstrate how to detect damaging security incidents on your global network--first by teaching you which assets you need to monitor closely, and then by helping you develop targeted strategies and pragmatic techniques to protect them.
Security Monitoring is based on the authors' years of experience conducting incident response to keep Cisco's global network secure. It offers six steps to improve network monitoring. These steps will help you:
Develop Policies: define rules, regulations, and monitoring criteria
Know Your Network: build knowledge of your infrastructure with network telemetry
Select Your Targets: define the subset of infrastructure to be monitored
Chris Fry has been a member of the Computer Security Incident Response Team (CSIRT) at Cisco Systems, Inc. for 5 years, focusing on the deployment of intrusion detection and network monitoring tools and on incident investigation. He began his career at Cisco in 1997 as an IT analyst, supporting Cisco's production services. His four years as a Network Engineer in Cisco IT's internal network support organization give him valuable knowledge about and unique insight into monitoring production enterprise networks. Chris holds a BA in Corporate Financial Analysis and an MS in Information and Communication Sciences from Ball State University.
Martin Nystrom is an InfoSec Investigations Manager for the Computer Security Incident Response Team (CSIRT) at Cisco Systems. He leads the global security monitoring team and provides guidance for incident response and security initiatives. Prior to joining Cisco's CSIRT, he was responsible for designing and consulting on secure architectures for IT projects. Martin worked as an IT architect and a Java programmer for 12 years prior, where he built his experience in the pharmaceutical and computer industries. He received a bachelor's degree from Iowa State University in 1990, a master's degree from NC State University in 2003, and his CISSP certification in 2004.
The image on the cover of Security Monitoring is a man using a telescope. While the telescope is primarily used for viewing distant objects, a host of earlier, cruder instruments were used simply for magnification.
Euclid wrote about the reflection and refraction of light, and Aristophanes later showed that a globe filled with water could enlarge objects. Yet the invention of a proper telescope was delayed in part because its effects were thought to be so astonishing that the instrument and its creator were deemed evil. In the 13th century, Roger Bacon documented the effects of magnification and wrote about the use of lenses to study the sky: "The Sun, Moon, and Stars may be made to descend hither in appearance which persons unacquainted with such things would refuse to believe." Subsequent to his observations, Bacon was labeled a magician and imprisoned.
The use of the lens for magnification only became acceptable with the invention and general usage of eyeglasses. Then, in the late 16th and early 17th centuries, eyeglass maker Hans Lippershey of Holland reportedly noticed a church tower jump to the front doorway of his shop when he stared at the tower through two differently shaped lenses at once. Lippershey then succeeded in making the telescope known more widely, and it was he who piqued Galileo Galilei's interest in the instrument sometimes dubbed the "far looker."
Galileo and Lippershey each independently thought he could profit from the distribution of telescopes, and both men also foresaw the military advantages of the instrument. Galileo famously went a step further with his use of the telescope and sought out sun spots, moons of Jupiter, and new "lands" in the sky above. Although Galileo was eventually persecuted for saying that the sun was at the center of the solar system, his and Lippershey's military application of smaller telescopes later became useful to strategists during the U.S. Civil War, when military personnel often used telescopes designed like the one on the cover of this book to spy on their enemies.
The cover image is from the Dover Pictorial Archive. The cover font is Adobe ITC Garamond. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSansMonoCondensed.
In my opinion, one of the best parts of this book was the methodology presented on creating well-defined security and access policies that were written and agreed upon by the business. The author did a nice job of using realistic business cases to demonstrate how to craft policies and the steps needed to build them. Also, compromises were mentioned, such as the fact that the business will not always accept the strongest security posture, so it may be necessary to reach an acceptable medium and get the business owners' sign-off that they accept the risk.
The author goes into detail about how to select the likely weak points in the network so they can be targeted for analysis.
Additionally, the author covers various tools, methods, and best practices to monitor those weak links once they have been properly identified and once policies about what to monitor have been decided upon.
The latter parts of the book cover how to decipher and report on the data collected during monitoring, plus how to protect the monitoring tools and equipment themselves.
One criticism I have would be that a fair amount of network engineering knowledge is needed in order to understand the examples and terminology. To that end, the author will naturally be preaching to the choir in many cases, as networking gurus who can get the full benefit of the book probably already have an appreciation for network security. That being said, networking professionals will get a better understanding of the process required to secure a network. Since the process is often what is missing from network security, this is where the book's benefits will shine.
The author does occasionally use acronyms without explaining what they mean. I would have liked to always see the initial use of an acronym spelled out and then referred to by acronym from that point forward. If an acronym is to be used in a different chapter, I would like to see it spelled out again to avoid having to flip back for review.