
REVIEW: "Extrusion Detection", Richard Bejtlich

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Message 1 of 1 , Feb 14, 2011
      BKEXTDET.RVW 20101023

      "Extrusion Detection", Richard Bejtlich, 2006, 0-321-34996-2,
      U$49.99/C$69.99
      %A Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2006
      %G 0-321-34996-2
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321349962/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321349962/robsladesin03-20
      %O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
      %P 385 p.
      %T "Extrusion Detection: Security Monitoring for Internal Intrusions"

      According to the preface, this book explains the use of extrusion
      detection (related to egress scanning), to detect intruders who are
      using client-side attacks to enter or work within your network. The
      audience is intended to be architects, engineers, analysts, operators
      and managers with an intermediate to advanced knowledge of network
      security. Background for readers should include knowledge of
      scripting, network attack tools and controls, basic system
      administration, TCP/IP, as well as management and policy. (It should
      also be understood that those who will get the most out of the text
      should know not only the concepts of TCP/IP, but advanced level
      details of packet and log structures.) Bejtlich notes that he is not
      explicitly addressing malware or phishing, and provides references for
      those areas. (It appears that the work is not directed at information
      which might detect insider attacks.)

      Part one is about detecting and controlling intrusions. Chapter one
      reviews network security monitoring, with a basic introduction to
      security (brief but clear), and then gives an overview of monitoring
      and listing of some tools. Defensible network architecture, in
      chapter two, provides lucid explanations of the basics, but the later
      sections delve deeply into packets, scripts and configurations.
      Managers will understand the fundamental points being made, but pages
      of the material will be impenetrable unless you have serious hands-on
      experience with traffic analysis. Extrusion detection itself is
      illustrated with intelligible concepts and examples (and a useful
      survey of the literature) in chapter three. Chapter four examines
      both hardware and software instruments for viewing enterprise network
      traffic. Useful but limited instances of layer three network access
      controls are reviewed in chapter five.

      Part two addresses network security operations. Chapter six delves
      into traffic threat assessment, and, oddly, at this point explains the
      details of logs, packets, and sessions clearly and in more detail. A
      decent outline of the advance planning and basic concepts necessary
      for network incident response is detailed in chapter seven (although
      the material is generic and has limited relation to the rest of the
      content of the book). Network forensics gets an excellent overview in
      chapter eight: not just technical points, but stressing the importance
      of documentation and transparent procedures.

      Part three turns to internal intrusions. Chapter nine is a case study
      of a traffic threat assessment. It is, somewhat of necessity,
      dependent upon detailed examination of logs, but the material demands
      an advanced background in packet analysis. The (somewhat outdated)
      use of IRC channels in botnet command and control is reviewed in
      chapter ten.

      Bejtlich's prose is clear, informative, and even has touches of
      humour. The content is well-organized. (There is a tendency to use
      idiosyncratic acronyms, sometimes before they've been expanded or
      defined.) This work is demanding, particularly for those still at the
      intermediate level, but does examine an area of security which does
      not get sufficient attention.

      copyright, Robert M. Slade 2010 BKEXTDET.RVW 20101023

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      You're always a little disappointing in person because you can't
      be the edited essence of yourself. - Mel Brooks
      victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links