book

Defensive Security Handbook

by Lee Brotherston, Amanda Berlin

April 2017

Intermediate to advanced

284 pages

7h 6m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Our GoalWho This Book Is ForNavigating the BookConventions Used in This BookO’Reilly SafariHow to Contact UsAcknowledgmentsAmandaLee
Lay the GroundworkEstablish TeamsBaseline Security PostureAssess Threats and RisksIdentifyAssessMitigateMonitorPrioritizeCreate MilestonesUse Cases, Tabletops, and DrillsExpanding Your Team and SkillsetsConclusion
Information ClassificationAsset Management Implementation StepsDefining the LifecycleInformation GatheringChange TrackingMonitoring and ReportingAsset Management GuidelinesAutomationOne Source of TruthOrganize a Company-Wide TeamExecutive ChampionsSoftware LicensingDefine AssetsDocumentationNetworking EquipmentNetworkServersDesktopsUsersApplicationsOtherConclusion
LanguageDocument ContentsTopicsStorage and CommunicationConclusion
StandardsLanguageProceduresLanguageDocument ContentsConclusion
Broken ProcessesBridging the GapBuilding Your Own ProgramEstablish ObjectivesEstablish BaselinesScope and Create Program Rules and GuidelinesImplement and Document Program InfrastructurePositive ReinforcementGamificationDefine Incident Response ProcessesGaining Meaningful MetricsMeasurementsTracking Success Rate and ProgressImportant MetricsConclusion
ProcessesPre-Incident ProcessesIncident ProcessesPost-Incident ProcessesTools and TechnologyLog AnalysisDisk and File AnalysisMemory AnalysisPCAP AnalysisAll in OneConclusion
Setting ObjectivesRecovery Point ObjectiveRecovery Time ObjectiveRecovery StrategiesBackupsWarm StandbyHigh AvailabilityAlternate SystemSystem Function ReassignmentDependenciesScenariosInvoking a Fail Over...and BackTestingSecurity ConsiderationsConclusion
Industry Compliance StandardsPayment Card Industry Data Security Standard (PCI DSS)Health Insurance Portability & Accountability ActGramm-Leach Bliley ActFamily Educational Rights and Privacy ActSarbanes-Oxley ActFrameworksCloud Control MatrixCenter for Internet SecurityControl Objectives for Information and Related TechnologiesThe Committee of Sponsoring Organizations of the Treadway CommissionISO-27000 SeriesNIST CyberSecurity FrameworkRegulated IndustriesFinancialGovernmentHealthcareConclusion

PhysicalRestrict AccessVideo SurveillanceAuthentication MaintenanceSecure MediaDatacentersOperationalIdentify Visitors and ContractorsVisitor ActionsContractor ActionsBadgesInclude Physical Security TrainingConclusion
Quick WinsUpgradeThird-Party PatchesOpen SharesActive Directory Domain ServicesForestDomainDomain ControllersOUsGroupsAccountsGroup Policy ObjectsEMETBasic ConfigurationCustom ConfigurationEnterprise Deployment StrategiesMS-SQL ServerWhen Third-Party Vendors Have AccessMS SQL AuthenticationSA User SecurityConclusion
Keeping Up-to-DateThird-Party Software UpdatesCore Operating System UpdatesHardening a Unix Application ServerConclusion
Keeping Up-to-DateMicrosoft WindowsmacOSUnix DesktopsThird-Party UpdatesHardening EndpointsDisable ServicesDesktop FirewallsFull-Disk EncryptionEndpoint Protection ToolsMobile Device ManagementEndpoint VisibilityCentralizationConclusion
Basic Password PracticesPassword Management SoftwarePassword ResetsPassword BreachesEncryption, Hashing, and SaltingEncryptionHashingSaltingPassword Storage Locations and MethodsPassword Security ObjectsSetting a Fine-Grained Password PolicyMultifactor AuthenticationWhy 2FA?2FA MethodsHow It WorksThreatsWhere It Should Be ImplementedConclusion
Firmware/Software PatchingDevice HardeningServicesSNMPEncrypted ProtocolsManagement NetworkRoutersSwitchesEgress FilteringIPv6: A Cautionary NoteTACACS+Conclusion
Network SegmentationPhysicalLogicalPhysical and Logical Network ExampleSoftware-Defined NetworkingApplicationRoles and ResponsibilitiesConclusion
How Vulnerability Scanning WorksAuthenticated versus Unauthenticated ScansVulnerability Assessment ToolsVulnerability Management ProgramProgram InitializationBusiness as UsualRemediation PrioritizationRisk AcceptanceConclusion
Language Selection0xAssembly/* C and C++ */GO func()#!/Python/Ruby/Perl<? PHP ?>Secure Coding GuidelinesTestingAutomated Static TestingAutomated Dynamic TestingPeer ReviewSystem Development LifecycleConclusion
Open Source IntelligenceTypes of Information and AccessOSINT ToolsRed TeamingConclusion
Types of IDS and IPSNetwork-Based IDSHost-Based IDSIPSCutting Out the NoiseWriting Your Own SignaturesNIDS and IPS LocationsEncrypted ProtocolsConclusion
What to LogWhere to LogSecurity Information and Event ManagementDesigning the SIEMLog AnalysisLogging and Alerting ExamplesAuthentication SystemsApplication LogsProxy and Firewall LogsLog AggregationUse Case AnalysisConclusion
Email ServersDNS ServersSecurity through ObscurityUseful ResourcesBooksBlogsPodcastsToolsWebsites
Live Phishing Education SlidesYou’ve Been Hacked!What Just Happened, and Why?Social Engineering 101(0101)So It’s OK That You Were Exploited (This Time)No Blame, No Shames, Just...A Few Strategies for Next TimeBecause There Will Be a Next TimeIf Something Feels FunnyIf Something Looks FunnyIf Something Sounds FunnyFeels, Looks, or Sounds Funny—Call the IS HelpdeskWhat If I Already Clicked the Link, or Opened the Attachment?What If I Didn’t Click the Link or Attachment?Your IT Team Is Here for You!Phishing Program Rules

Content preview from Defensive Security Handbook

Chapter 20. Logging and Monitoring

Most operating systems and applications produce some kind of log. Many people consider logs to be a historical record that can be used to retrospectively debug issues such as why an email wasn’t delivered, why a web server isn’t running, or how long a server had been complaining about a failing disk before it exploded and somebody actually looked at the logs. Logs can, however, be used much more proactively from a security perspective, and they can be used to provide not only retrospective insights, but much more proactive views into the environment.

The same can be said of other types of monitoring, too. Companies generally have a better handle on monitoring than logging. Telemetry data such as disk, memory, CPU, and network interface usage can be used for capacity planning and to provide pre-emptive information regarding potential issues. This sort of data can be used to provide additional insight into potential events that are happening within the environment.

In this chapter, you will learn what to log, where to log it, and what to do with those logs to gain the best advantage you can from the information that you already have.

What to Log

What to log can be a contentious issue. There are often perceived to be two schools of thought on this:

Everything: This generally stems from the point of view that what is required is not known until it is needed, thus storing everything and searching and filtering later is adopted. This does indeed ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Defensive Security Handbook, 2nd Edition

Publisher Resources

ISBN: 9781491960370Errata Page

Defensive Security Handbook

by Lee Brotherston, Amanda Berlin

Chapter 20. Logging and Monitoring

What to Log

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like