Best security monitoring

We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review:, I said that kill chain analysis is one of the three great innovations that have come down the pipe from the security community this past decade. Bejtlich says that Lockheed Martin’s paper on kill chain analysis is unique because followers of the philosophy align their security program along the same lines that adversaries must use to penetrate their victim’s network.

He confirms the notion that I have had for a few years now that the very old “defense-in-depth” model—which we all adopted in the early 1990s to keep the adversary out of our networks—is dead. It is simply not possible. On the other hand, it does not necessarily mean that you have a disaster on your hands just because one or more adversaries manage to work their way down a couple of links of your kill chain. The idea is to detect these adversaries before they can accomplish their ultimate goal: crime, espionage, hacktivism, warfare, mischief, or whatever.

Bejtlich says,

“Prevention eventually fails … Rather than just trying to stop intruders, mature organizations now seek to rapidly detect attackers, efficiently respond by scoping the extent of incidents, and thoroughly contain intruders to limit the damage they might cause.”

My own personal goal is early detection, quick eradication, and automatic prevention of those observed attacks going forward before these adversaries can claim victory. With the old defense-in-depth model, we were trying to prevent all penetrations into the network.

It’s become smarter to operate as though your enterprise is always compromised.”

Journalist Kelly Jackson Higgins interviewed Steve Adegbite, the director of cyber security for Lockheed Martin (LM), in 2013 regarding how LM used kill chain analysis to discover that the company’s RSA token deployment had been compromised. Adegbite said that,

“The goal of the Kill Chain is to make sure [the adversaries] don’t get to step 7 [of the Kill Chain] and exfiltrate.”

In other words, it is acceptable for adversaries to penetrate your networks as long as you have installed the processes to contain the damage they might cause.

Network Security Monitoring as a Decision Tool, Not a Reaction Process

Bejtlich’s take on network security monitoring is subtly different than what I would expect from most other security practitioners who have not had a lot of experience actually doing it. According to Bejtlich, these practitioners use network security monitoring for forensics and troubleshooting. His take is to use the discipline as a decision tool for how to contain the detected adversary. He also believes you have to measure your team’s effectiveness by measuring things like:

• How long it takes to detect adversaries once they have entered your network
• How long it takes to contain adversaries once you have detected them

In the 2014 Verizon Data Breach Investigations Report, researchers show that of the 1, 367 known data breaches in 2013, security teams discovered less than 25 percent of them (341) within days of the initial compromise. Security teams discovered the rest (1, 026) many days and weeks later. Bejtlich says that for a network security-monitoring program do be effective, teams must measure how they reduce that time.

Incident Response and Threat Intelligence Go Together

Bejtlich talks about the various approaches to handle a breach within your organization. Some incident response teams elect to identify the compromised asset, take it offline, maybe do some forensics on it, re-image it, and then put it back online so that they can wait for the next breach to happen. I call this the whack-a-mole approach to incident response. This process provides you no context about what the adversaries did and why. Other organizations engage their threat intelligence group and are able to understand the impact of what these adversaries are trying to accomplish. Bejtlich explains that incident response teams can frame the attacks from different perspectives: a threat-centric approach and an asset-centric approach. He says that threat intelligence teams track adversaries by campaigns but that incident response teams respond to the adversary’s actions in waves. He provides practical guidance about what kind of skills and capabilities an incident response team and intelligence team require.

So that’s the story: build a network security monitoring program by deploying the right tool, training your people how to use the tool properly, and developing the processes necessary to incorporate the tool into the overall program. Assume that your network is already compromised, and aggressively track adversaries down the kill chain. Remember, the network security monitoring team’s goal is to prevent adversaries from accomplishing their goals. Use the program to make decisions about how to contain the adversary quickly and efficiently, and use your intelligence team to understand the context of how and why the adversary is attacking your network.

Let’s talk about the tech.

The Network Security Monitoring Tech

This is where it gets really good. The theory is one thing—and I like the theory part—but the actual doing is what really matters. Bejtlich provides a hands-on tutorial on how to deploy the best open-source tools to do network security monitoring. If you are a young person thinking that you want to be a cybersecurity professional or if you are transitioning careers and you think cybersecurity is something you can handle, get this book and work through the examples. If you can do them, then I want to talk to you about a job. If you can’t, then maybe consider a less technically demanding career.