I have finally been working through The Practice of Network Security Monitoring by Richard Bejtlich and will review some of the things I have learned thus far. This NSM book was just what I needed to get a grasp on the basic (and some more intermediate) steps in implementing NSM in an organization. One benefit to me was the fact I had a network without NSM to play with, and I would strongly recommend that (non-business critical to start with!).
1) Understanding how your network is set up will really help your understanding of the data aggregated during the assessments. Furthermore, network diagrams are something you should already have for your organization, and if not, they are something that should be worked on and updated on a regular basis. This holds true for IP address assignments as well. You should know what your DHCP scopes are and which addresses are static. This may seem normal to some of you, but in several organizations I have been involved with, getting this standardized is a pain.
The test network I used was not a business-critical network at my employer (after obtaining permission from management), and at the start I was unaware of the network and traffic flows associated with this specific section. Beware: if you do not have network diagrams and show them to your manager, he may ask you to start working on diagrams for all of them.
2) Security Onion is an awesome and easy starting point. I chose to install Security Onion in my development lab on VMware ESXi (which has access to the network I chose to start monitoring). The setup was very easy. That being said, I did choose a standalone system for the sake of learning that only monitored the one subnet. Security Onion does offer a distributed deployment option, which I have not had any experience with thus far.
3) If you have experience with Wireshark and WinPcap, tcpdump is easy to pick up. If you have an understanding of how network packets are assembled, you should be all set. There are several other tools explained in the book that are all basic components of a network administrator's toolbox (or should be).
I am only about halfway through the book as of now but would recommend it for anyone looking to get a grasp of NSM. Understand that this is an introduction to the field and more work will be required.