Welcome to Network Security Monitoring in the Cloud

I just watched an incredible technical video. If you have about 10 minutes to spare, and want to be amazed, take a look at Snorby Cloud.

I think the video and Web site does an excellent job explaining this new offering, but let me provide a little background.

Many of the readers of this blog are security pros. You're out there trying to defend your organization, not necessarily design, build, and run infrastructure. You still need tools and workflows that accelerate your incident detection and response process though. So, you work as a security admin, system admin, storage admin, database admin… you get the picture. You manage to keep up, but you probably wish you could focus on finding bad guys, as quickly as possible, without taking care of all the *stuff* that you need to do your job.

While many of you are security experts, some are just beginning your journeys. The responsibilities of being an admin of four or more different shades is overwhelming. Furthermore, you don't have the experience, or budget, or support to get the security data and escalation paths needed to defend your network. How can you improve your skills when you're constantly overwhelmed?

Both kinds of users — senior and junior alike — are going to find something intriguing about Snorby Cloud. Maybe you've heard of Snorby before, as a Web-based interface to Network Security Monitoring data. Doug Burks packages it with Security Onion (SO), and you can try it via live CD or .iso in a VM. It looks great on my iPad! There's even a mobile version on iTunes.

Snorby Cloud would be cool if it just put the Snorby Web application in the cloud, and managed the administrative side of security infrastructure for you. For example, you'd log into the cloud interface and be greeted by the graphs you remember from traditional Snorby.

However, you have to think of this as a new, better version of Snorby, collecting far more useful data, and making it rapidly available to the analyst. For example, the following shows SMTP logs available in the interface:

You can just as easily access host-based logs for the same victim computer:

As you investigate the incident, you can see who else on your team is working and what they did. You can also chat with them in real time.

I could say a lot more about this new tool, but I think watching the video will convey some of what it can do. My next step is to get the agents running on a test network so I can drive the console myself and become more familiar with it.

Snorby Cloud is a product from Packet Stash. Follow them at @packetstash for updates.

Disclaimer: I'm friends with this team; I hired two of the co-founders into GE-CIRT, and later worked with all three co-founders at Mandiant.

Security Onion + (ELSA or Snorby) + CapMe = Awesome

Happy New Year everyone, and with some new open source software, what a year it will be.

Monday Doug Burks released Security Onion 12.04. Please read Doug's post to learn how great this new 64 bit release is. I wanted to highlight a few features of the new release which takes Network Security Monitoring with open source tools to a new level for security analysts.

12.04 ships with Martin Holste's Enterprise Log and Search Archive (ELSA) working out of the box. Thanks to close integration with the latest version of Bro, analysts have Web-based, indexed access to Bro logs.

If that weren't enough, 12.04 also ships with a late addition — Paul Halliday's CapMe. What this means is that you can now access full TCP transcripts from any alert in Dustin Webber's Snorby or Martin's ELSA.

You might not appreciate that right away, but it's a step in the right direction. Thus far, Bamm Visscher's Sguil has been the de facto open source NSM reference tool, allowing analysts to easily pivot from alert or session data to full pcap data. Now, with ELSA + CapMe, analysts can pivot from any log entry of TCP traffic with timestamps, IP addresses, protocols, and ports to a Web-based rendering of a transcript.

This is key: this transcript was not saved because of the log or alert. It was saved simply because the traffic was seen on the wire and netsniff-ng recorded it. This is one way to better handle threats who know how to evade signature-based systems.

This new workflow/feature is what I chose to depict in the screen shot at left. The upper window shows ELSA with a query for a BRO_HTTP log for www.testmyids.com. I then invoke CapMe and generate the transcript in the window at bottom. You can do the same from alert data in Snorby.

This is only the first step in giving analysts more data via open source software. Great work Security Onion team!

Best Book Bejtlich Read in 2012

It's time to name the winner of the Best Book Bejtlich Read award for 2012!

I started seriously reading and reviewing digital security books in 2000. This is the 7th time I've formally announced a winner; see my bestbook label for previous winners.

I posted yesterday that 2012 was the year I changed what I read. For example, in 2011 I read and reviewed 22 technical books. In 2012, which a change in my interests, I only read and reviewed one technical book. Thankfully, it was a five star book, which means it is my BBBR 2012 winner!

As you might have figured out yesterday, this year's winner is SSH Mastery by Michael W Lucas. Feel free to read my Amazon.com review for details. Note that I bought a Kindle version from Amazon.com, and later MWL mailed me a print copy.

Besides the excellent style and content, one of the reasons I read the book was to experience MWL's first release of a self-published technical book. I think it was a successful endeavor, although I'm not prepared to try that route myself anytime soon.

If I were to name my favorite non-technical book I read in 2012, it would be For the President's Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush by Christopher Andrew. I enjoyed learning more about American history through the eyes of the intel world, but I was shocked by how poorly most presidents understood and (mis)used intelligence.

I'm probably done reading and reviewing technical books, so I consider this to be the final BBBR post. I have over 100 possible (mainly nontechnical) books to read on my Kindle now (in Sample form), but I doubt I will review them when done.

Good luck reading in 2013!

2012: The Year I Changed What I Read

If you've been reading this blog for a while, you probably know that reading and reviewing technical books has been a key aspect since the blog's beginning in January 2003. In fact, my first blog post announced a review of a book on Border Gateway Protocol (BGP).
Looking at my previous reviews, it's clear that my interest in reading and reviewing technical books expired in the summer of 2011. Since then, the only technical book I wanted to read and review was Michael W. Lucas' excellent SSH Mastery. MWL is such a great author that I read just about anything he writes, and I was interested in his first self-published technical work.
So what happened? Becoming CSO at Mandiant in April 2011 contributed to my changing interests. Since that time I've spoken to almost a hundred reporters and industry analysts, and hundreds of customers and prospects, answering their questions about digital threats and how best to live in a world of constant compromise. (I listed some of the results of talking to the reporters on my press page.)
For me, the most interesting questions involved history, political science, and public policy. Probably not be accident, these are the three subjects in which I have degrees.
Accordingly, I bought and read books to add the historical, political, and policy content I needed to balance my technical understanding of the threat landscape. I also read a few books based purely on personal interest, without a work connection.
I thought you might want to know what these books were, despite my lack of interest in reviewing them at Amazon.com.

The books on Chinese topics included:

Of these five, the first was probably the most interesting. The way Chinese intelligence agencies work today appears very much the same way that the author described them almost twenty years ago.
I read three books on intelligence and Russia:

Of these three, the first was exceptional. It combined a history of the US with a history of intelligence through the end of Bush 41's term.
Finally, I read two other books; one related to security, and one completely unrelated:

The first was Bruce Schneier's latest, which I found largely interesting. I recommend reading it, because it may convince you that all the technical safeguards our industry pursues contribute probably less than 10% of the risk mitigation we need in the real world.
The second was another biography of my favorite historical figure, US Grant.
I'm trying to finish Tim Thomas' latest book, Three Faces of the Cyber Dragon, by the end of tomorrow, as well.
In my last post of 2012 I'll announce my Best Book Bejtlich Read in 2012 winner.

Five No Starch Books for Kids, Reviewed by Kids

No Starch was kind enough to send me five books for kids, which I asked my 6- and 8-year-old daughters to read. (I didn't need to “ask,” really — like my wife and I, our daughters think reading is something you have to be told “not” to do, e.g., “put the book down; we don't read at the dinner table.”)

I did have to encourage my daughters to review the books. Although the older one writes book reports for school, she's not accustomed to writing reviews for books sent by publishers.

The five books, with links to the Amazon.com reviews, are:

I agree with my daughters: all five of these books are excellent. However, for readers of this blog who have kids, I would most strongly recommend the Python book. I would start with the book we previously reviewed, Super Scratch Programming Adventure!, and then see what your kid can do with Python.

Kudos to No Starch for publishing high quality books that teach kids skills they can use in the work place (programming), or for fun!