| Section | Page |
|---|---|
| Preface | p. xi |
| Getting Started | p. 1 |
| A Rapidly Changing Threat Landscape | p. 3 |
| Failure of Antivirus Software | p. 4 |
| Why Monitor? | p. 5 |
| The Miscreant Economy and Organized Crime | p. 6 |
| Insider Threats | p. 6 |
| Challenges to Monitoring | p. 7 |
| Vendor Promises | p. 7 |
| Operational Realities | p. 7 |
| Volume | p. 8 |
| Privacy Concerns | p. 8 |
| Outsourcing Your Security Monitoring | p. 8 |
| Monitoring to Minimize Risk | p. 9 |
| Policy-Based Monitoring | p. 9 |
| Why Should This Work for You? | p. 9 |
| Open Source Versus Commercial Products | p. 9 |
| Introducing Blanco Wireless | p. 10 |
| Implement Policies for Monitoring | p. 11 |
| Blacklist Monitoring | p. 12 |
| Anomaly Monitoring | p. 16 |
| Policy Monitoring | p. 16 |
| Monitoring Against Defined Policies | p. 17 |
| Management Enforcement | p. 18 |
| Types of Policies | p. 18 |
| Regulatory Compliance Policies | p. 19 |
| Employee Policies | p. 24 |
| Policies for Blanco Wireless | p. 28 |
| Policies | p. 29 |
| Implementing Monitoring Based on Policies | p. 30 |
| Conclusion | p. 31 |
| Know Your Network | p. 33 |
| Network Taxonomy | p. 33 |
| Network Type Classification | p. 34 |
| IP Address Management Data | p. 37 |
| Network Telemetry | p. 40 |
| NetFlow | p. 40 |
| SNMP | p. 55 |
| Routing and Network Topologies | p. 56 |
| The Blanco Wireless Network | p. 57 |
| IP Address Assignment | p. 57 |
| NetFlow Collection | p. 57 |
| Routing Information | p. 58 |
| Conclusion | p. 58 |
| Select Targets for Monitoring | p. 61 |
| Methods for Selecting Targets | p. 62 |
| Business Impact Analysis | p. 63 |
| Revenue Impact Analysis | p. 64 |
| Expense Impact Analysis | p. 64 |
| Legal Requirements | p. 65 |
| Sensitivity Profile | p. 67 |
| Risk Profile | p. 69 |
| Visibility Profile | p. 74 |
| Practical Considerations for Selecting Targets | p. 75 |
| Recommended Monitoring Targets | p. 77 |
| Choosing Components Within Monitoring Targets | p. 78 |
| Example: ERP System | p. 78 |
| Gathering Component Details for Event Feeds | p. 79 |
| Blanco Wireless: Selecting Targets for Monitoring | p. 81 |
| Components to Monitor | p. 82 |
| Conclusion | p. 83 |
| Choose Event Sources | p. 85 |
| Event Source Purpose | p. 85 |
| Event Collection Methods | p. 87 |
| Event Collection Impact | p. 89 |
| Choosing Event Sources for Blanco Wireless | p. 99 |
| Conclusion | p. 100 |
| Feed and Tune | p. 101 |
| Network Intrusion Detection Systems | p. 101 |
| Packet Analysis and Alerting | p. 102 |
| Network Intrusion Prevention Systems | p. 102 |
| Intrusion Detection or Intrusion Prevention? | p. 103 |
| NIDS Deployment Framework | p. 108 |
| Analyze | p. 108 |
| Design | p. 110 |
| Deploy | p. 114 |
| Tune and Manage | p. 116 |
| System Logging | p. 121 |
| Key Syslog Events | p. 124 |
| Syslog Templates | p. 126 |
| Key Windows Log Events | p. 127 |
| Application Logging | p. 132 |
| Database Logging | p. 133 |
| Collecting Syslog | p. 136 |
| NetFlow | p. 139 |
| OSU flow-tools NetFlow Capture Filtering | p. 141 |
| OSU flow-tools flow-fanout | p. 142 |
| Blanco's Security Alert Sources | p. 143 |
| NIDS | p. 143 |
| Syslog | p. 145 |
| Apache Logs | p. 145 |
| Database Logs | p. 146 |
| Antivirus and HIDS Logs | p. 146 |
| Network Device Logs | p. 146 |
| NetFlow | p. 146 |
| Conclusion | p. 146 |
| Maintain Dependable Event Sources | p. 147 |
| Maintain Device Configurations | p. 149 |
| Create Service Level Agreements | p. 149 |
| Back It Up with Policy | p. 150 |
| SLA Sections | p. 151 |
| Automated Configuration Management | p. 152 |
| Monitor the Monitors | p. 153 |
| Monitor System Health | p. 154 |
| Monitor the NIDS | p. 155 |
| Monitor Network Flow Collection | p. 157 |
| Monitor Event Log Collectors | p. 161 |
| Monitor Databases | p. 164 |
| Monitor Oracle | p. 164 |
| Monitor MySQL Servers | p. 166 |
| Automated System Monitoring | p. 167 |
| Traditional Network Monitoring and Management Systems | p. 167 |
| How to Monitor the Monitors | p. 169 |
| Monitoring with Nagios | p. 170 |
| System Monitoring for Blanco Wireless | p. 172 |
| Monitor NetFlow Collection | p. 172 |
| Monitor Collector Health | p. 172 |
| Monitor Collection Processes | p. 174 |
| Monitor Flows from Gateway Routers | p. 174 |
| Monitor Event Log Collection | p. 175 |
| Monitor NIDS | p. 176 |
| Monitor Oracle Logging | p. 179 |
| Monitor Antivirus/HIDS Logging | p. 179 |
| Conclusion | p. 179 |
| Conclusion: Keeping it Real | p. 181 |
| What Can Go Wrong | p. 182 |
| Create Policy | p. 182 |
| Know Your Network | p. 184 |
| Choose Targets for Security Monitoring | p. 185 |
| Choose Event Sources | p. 186 |
| Feed and Tune | p. 186 |
| Maintain Dependable Event Sources | p. 188 |
| Case Studies | p. 189 |
| KPN-CERT | p. 189 |
| Northrop Grumman | p. 192 |
| Real Stories of the CSIRT | p. 194 |
| Stolen Intellectual Property | p. 194 |
| Targeted Attack Against Employees | p. 195 |
| Bare Minimum Requirements | p. 196 |
| Policy | p. 196 |
| Know the Network | p. 197 |
| Select Targets for Effective Monitoring | p. 198 |
| Choose Event Sources | p. 198 |
| Feed and Tune | p. 199 |
| Maintain Dependable Event Sources | p. 200 |
| Conclusion | p. 201 |
| Detailed OSU flow-tools Collector Setup | p. 203 |
| SLA Template | p. 207 |
| Calculating Availability | p. 211 |
| Index | p. 215 |
| Table of Contents provided by Ingram. All Rights Reserved. |