Table of Contents

Preface;
What This Book Is Not;
What This Book Is;
Conventions Used in This Book;
Using Code Examples;
Safari® Books Online;
Comments and Questions;
Acknowledgments;
Chapter 1: Getting Started;
1.1 A Rapidly Changing Threat Landscape;
1.2 Why Monitor?;
1.3 Challenges to Monitoring;
1.4 Outsourcing Your Security Monitoring;
1.5 Monitoring to Minimize Risk;
1.6 Policy-Based Monitoring;
1.7 Why Should This Work for You?;
1.8 Open Source Versus Commercial Products;
1.9 Introducing Blanco Wireless;
Chapter 2: Implement Policies for Monitoring;
2.1 Blacklist Monitoring;
2.2 Anomaly Monitoring;
2.3 Policy Monitoring;
2.4 Monitoring Against Defined Policies;
2.5 Types of Policies;
2.6 Policies for Blanco Wireless;
2.7 Conclusion;
Chapter 3: Know Your Network;
3.1 Network Taxonomy;
3.2 Network Telemetry;
3.3 The Blanco Wireless Network;
3.4 Conclusion;
Chapter 4: Select Targets for Monitoring;
4.1 Methods for Selecting Targets;
4.2 Practical Considerations for Selecting Targets;
4.3 Recommended Monitoring Targets;
4.4 Choosing Components Within Monitoring Targets;
4.5 Blanco Wireless: Selecting Targets for Monitoring;
4.6 Conclusion;
Chapter 5: Choose Event Sources;
5.1 Event Source Purpose;
5.2 Choosing Event Sources for Blanco Wireless;
5.3 Conclusion;
Chapter 6: Feed and Tune;
6.1 Network Intrusion Detection Systems;
6.2 NIDS Deployment Framework;
6.3 System Logging;
6.4 NetFlow;
6.5 Blanco’s Security Alert Sources;
6.6 Conclusion;
Chapter 7: Maintain Dependable Event Sources;
7.1 Maintain Device Configurations;
7.2 Monitor the Monitors;
7.3 Monitor Databases;
7.4 Automated System Monitoring;
7.5 System Monitoring for Blanco Wireless;
7.6 Conclusion;
Chapter 8: Conclusion: Keeping It Real;
8.1 What Can Go Wrong;
8.2 Case Studies;
8.3 Real Stories of the CSIRT;
8.4 Bare Minimum Requirements;
8.5 Conclusion;
Detailed OSU flow-tools Collector Setup;
Set Up the Server;
Configuring NetFlow Export from the Router;
SLA Template;
Service Level Agreement: Information Security and Network Engineering;
Calculating Availability;
Colophon;

Chris Fry has been a member of the Computer Security Incident Response Team (CSIRT) at Cisco Systems, Inc for 5 years, focusing on deployment of intrusion detection, network monitoring tools, and incident investigation. He began his career at Cisco in 1997 as an IT analyst, supporting Cisco's production services. His four years as a Network Engineer in Cisco IT's internal network support organization give him valuable knowledge about and unique insight into monitoring production enterprise networks. Chris holds a BA in Corporate Financial Analysis and an MS in Information and Communication Sciences from Ball State University.

Martin Nystrom is an InfoSec Investigations Manager for the Computer Security Incident Response Team (CSIRT) at Cisco Systems. He leads the global security monitoring team and provides guidance for incident response and security initiatives. Prior to joining Cisco's CSIRT, he was responsible for designing and consulting on secure architectures for IT projects. Martin worked as an IT architect and a Java programmer for 12 years prior, where he built his experience in the pharmaceutical and computer industries. He received a bachelor's degree from Iowa State University in 1990, a master's degree from NC State University in 2003, and his CISSP certification in 2004.