The Practice of Network Security Monitoring – You’re compromised, so deal with it. #security #bookreview

The Practice of Network Security Monitoring

Understanding Incident Detection and Response
Richard Bejtlich
(No Starch Press – paperback, Kindle)

Security expert Richard Bejtlich’s focus in his new book is not on “the planning and defense phases of the security cycle.” Instead, he emphasizes how to handle “systems that are already compromised or that are on the verge of being compromised.”

His well-organized, well-written, 341-page book aims to help you “start detecting and responding to digital intrusions using network-centric operations, tools, and techniques.”

Bejtlich has long emphasized a “detection-centered philosophy” built around a straightforward central tenet: “Prevention eventually fails.” No matter how many digital walls and moats you build around your network, someone will find a way to tunnel in, parachute in, or sneak in via an unsuspecting employee’s $9.95 thumb drive.

“It’s becoming smarter,” he writes, “to operate as though your enterprise is always compromised. Incident response is no longer an infrequent, ad-hoc affair. Rather, incident response should be a continuous business process with defined metrics and objectives.”

You may recognize some of Bejtlich’s previous books on network security monitoring (NSM): The Tao of Network Security Monitoring; Extrusion Detection; and Real Digital Forensics.

The Practice of Network Security Monitoring is tailored toward two key audiences: (1) security professionals who have little or no experience with NSM; and (2) “more senior incident handlers, architects, and engineers who need to teach NSM to managers, junior analysts, or others who may be technically less adept.”

Readers, he adds, should understand “the basic use of the Linux and Windows operating systems, TCP/IP networking, and the essentials of network attack and defense.”

The examples in Bejtlich’s book rely on open source and vendor-neutral tools, primarily from Doug Burks’ Security Onion (SO) distribution.

The 13-chapter book is organized into four parts:

  • Part I: Getting Started – Introduces NSM and sensor placement issues.
  • Part II: Security Onion Deployment – Shows how to install and configure SO.
  • Part III: Tools – Examines the “key software shipped with SO and how to use these applications.”
  • Part IV: NSM in Action – Looks at “how to use NSM processes and data to detect and respond to intrusions.”

Following the technical chapters, Bejtlich offers some concluding thoughts on network security management, cloud computing, and establishing an effective workflow for NSM. “NSM isn’t just about tools,” he writes. “NSM is an operation, and that concept implies workflow, metrics, and collaboration. A workflow establishes a series of steps that an analyst follows to perform the detection and response mission. Metrics, like the classification and count of incidents and time elapsed from incident detection to containment, measure the effectiveness of the workflow. Collaboration enables analysts to work smarter and faster.”

He also observes: “It is possible to defeat adversaries if we stop them before they accomplish their mission. As it has been since the early 1990s, NSM will continue to be a powerful, cost-effective way to counter intruders.”

Si Dunn

The Healthy Programmer – Better coding through better living – #programming #bookreview

The Healthy Programmer

Get Fit, Feel Better, and Keep Coding

Joe Kutner

(Pragmatic Bookshelf – paperback)

Yes, you know it is unhealthy to spend all day and much of the night hunched at a keyboard, staring at a computer screen, gripping a mouse and nervously clawing at bags of vending-machine snacks because you haven’t had time to eat proper meals.

Yet that is exactly how many of us earn a living: spending long hours writing code, fixing code, or writing about the processes of writing and fixing code.

The work of a programmer can be devilishly complex and tiring. Often, it can be highly stressful, too. And, it can, over the long run, damage your health or even help shorten your life, if you aren’t careful.

Joe Kutner’s The Healthy Programmer takes a pragmatic and low-key approach to showing you how you can start improving the conditions of your body and brain without disrupting your job. His tips, tricks, and “best practices” are backed up by advice and commentary from doctors, therapists, nutritionists, scientists, and fitness experts.

“Having a system or a process is crucial to getting things done,” Kutner says. “In software, we often use an agile method to guide our development efforts. Agile processes are characterized by an iterative and incremental approach to development, which allows us to adapt to changing requirements. The method you use to stay healthy shouldn’t be any different.”

In his book, he shows “how to define a system of time-boxed iterations that will improve your health. We’ll start with two-week intervals, but like with any agile method, you’ll be allowed to change that as needed. At the end of each iteration you’ll do a retrospective to assess your progress.”

Crucially, Kutner’s approach is to start small, by changing one habit, and start gently, by doing some walking. “You won’t be bombarded with exercises and activities right away,” he emphasizes. “Instead, we’ll spend the first few chapters introducing some very simple, but essential, components of a healthy lifestyle. Don’t think that they are too simple, though. These are the activities that will have the biggest effect on your life.”

Kutner’s well-researched, well-written book takes a whole-body approach, with a keen understanding of how programmers work. He has been one for more than a decade and has spent much of that time researching the physical hazards of sedentary coding.

Chair exercises, standing desks, wrist braces, eye-care tips, and dietary recommendations are some of the areas covered. A “Pomodoro break,” for example, can help people involved in many different types of creative work, including programming. The basic approach involves working on a single task for a specific amount of time, such as 60 minutes, with short periods of exercise interspersed.

You might set a timer for 25 minutes, then focus on debugging some code. When the timer goes off, you reset it for five minutes and take a short walk. Then spend another 25 minutes doing a code review. When the timer goes off again, get up from your desk and do some exercises for five minutes. Then start a new task (or continue a previous problem) and repeat the cycle.

You may already have a daily exercise routine. But Kutner warns that it “can interfere with your job [as a coder] if you don’t coordinate the two activities. If you do coordinate them, you may actually improve your ability to write code. That’s because immediately after exercise, blood shifts rapidly back to the brain, which makes it the perfect time to focus on tasks that require complex analysis and creativity.”

The Healthy Programmer has many good tips for avoiding or minimizing back pain, wrist pain, headaches and other irritants, as well as good techniques for “upgrading your hardware,” meaning your body. Numerous easy-to-perform exercises are described and illustrated, including some you can do while seated or standing at your workstation. “[Y]our lifestyle can enhance your ability to do your job well,” Kutner emphasizes. “That’s why staying healthy is the best way to ensure you keep doing this job you love for years to come.”

Si Dunn

Lean Analytics and Lean UX – Two new guides to better business and user experiences – #bookreview

Okay, how are we leaning today? Leaning in? Leaning back? Leaning to the left or right? Leaning over? Or just leaning toward chucking all “hot new” postures that supposedly help us pose ourselves for career success?

Here’s some good news. None of the above leanings are topics in two new books from O’Reilly’s popular “Lean” series, edited by Eric Ries.

Lean Analytics deals with using data to help you determine if there is a profitable need for the product or service you hope to offer with a startup business. Lean UX, meanwhile, deals with the process of designing a better user experience (UX) for a company’s apps, website or other products. Here are short reviews of each book:

Lean Analytics
Use Data to Build a Better Startup Faster
Alistair Croll and Benjamin Yoskovitz
(O’Reilly – hardback, Kindle)

“Entrepreneurs,” the authors state, “are particularly good at lying to themselves. Lying may even be a prerequisite for succeeding as an entrepreneur–after all, you need to convince others that something is true in the absence of good, hard evidence. You need believers to take a leap of faith with you. As an entrepreneur, you need to live in a semi-delusional state just to survive the inevitable rollercoaster ride of running your startup.”

But…you also need cold, hard data. And what you learn from that data may not mesh well with the lie you are living as you try to start a new business from scratch. Yet, it may save you from failing and wasting a lot of money.

“Your delusions,” the authors argue, “no matter how convincing, will wither under the harsh light of data. Analytics is the necessary counterweight to lying, the yin to the yang of hyperbole. Moreover, data-driven learning is the cornerstone of success in startups. It’s how you learn what’s working and iterate toward the right product and market before the money runs out.”

Lean Analytics builds on the Lean Startup process developed by Eric Ries. In today’s digital world, the authors explain, “[w]e’re in the midst of a fundamental shift in how companies are built. It’s vanishingly cheap to create the first version of something. Clouds are free. Social media is free. Competitive research is free. Even billing and transactions are free.”

Taken together, these facilities mean “you can build something, measure its effect, and learn from it to build something better next time. You can iterate quickly, deciding early on if you should double down on your idea or fold and move on to the next one.”

Their 409-page book is not quick reading. But it deserves attention and study, whether you want to start a business, already have started a business, or hope to revamp and improve a business that has been in operation for some time. Lean Analytics presents many examples and case studies that illustrate how you can gather and analyze existing data, then test products or services to determine if they are something that customers actually need, want and will use.

With new data from the tests and the ability to continue testing, you can modify your product or service and focus more resources, energy, and time on improving and refining what will work best for your customers–and your bottom line.

***

Lean UX
Applying Lean Principles to Improve User Experience
Jeff Gothelf with Josh Seiden
(O’Reilly – hardback, Kindle)

“Lean UX is a collaborative process,” the two authors of this book emphasize. “It brings designers and non-designers together in co-creation. It yields ideas that are bigger than those of the individual contributors. But it’s not design-by-committee. Instead, Lean UX increases a team’s ownership over the work by providing an opportunity for all opinions to be heard much earlier in the process.”

For example, forget the notion of a web designer hiding in an office for a week or so and then emerging with what he or she insists will be a “masterpiece” as the company’s new home page.

Particularly in software development, a key aspect of Lean and Agile development theories is the notion of creating a Minimum Viable Product (MVP). “Lean UX makes heavy use of the notion of MVP,” the two authors explain. “MVPs help test our assumptions–will this tactic achieve the desired outcome?–while minimizing the work we put into unproven ideas. The sooner we can find which features are worth investing in, the sooner we can focus our limited resources on the best solutions to our business problems. This concept is an important part of how Lean UX minimizes waste.”

The web designer’s “masterpiece” might work okay, but it also might offer costly confusions for customers and others visiting the website. Instead, Lean UX emphasizes collaboration, teamwork, testing prototypes, analyzing the results, gathering feedback from outsiders, revamping the project, testing it again–and continuing the process.

According to the writers, the most powerful tool in Lean UX is one that is basic to human beings: conversation. Indeed, conversation should be “the primary means of communication among team members.” Some of the other tools for collaboration also are basic: pencils, pens, notepads, whiteboards, blackboards, and simple paper templates that can spur discussions, opinions, and basic designs for the Minimum Viable Product and its successors, before moving the work to computers.

Lean UX is just 130 pages long. But it is rich with how-to examples, process descriptions, short case studies, clear steps, useful illustrations, and good examples that you can adapt and employ to create cheaper, faster, and better user experiences.


Si Dunn

Designing Games – A well-written, comprehensive guide to video game engineering – #bookreview


Designing Games
A Guide to Engineering Experiences
Tynan Sylvester
(O’Reilly – paperback, Kindle)

If you design video games, if you hope to become a game creator, or if you work for a company whose lifeblood is creating and maintaining successful video games, you need to read this excellent book.

Tynan Sylvester provides a comprehensive overview of the design processes that are the heart of successful games. And he describes the day-to-day actions necessary to keep game projects on track to completion.

“A game can’t just generate any old string of events, because most events aren’t worth caring about,” Sylvester contends. He is a veteran designer who has worked on everything from independently produced games to big-studio blockbuster games. “For a game to hold attention, those events must provoke blood-pumping human emotion. When the generated events provoke pride, hilarity, awe, or terror, the game works.”

Unlike screenwriters, novelists, or choreographers, game designers do not focus on creating events, Sylvester explains. “Instead of authoring events, we design mechanics [the rules for how a game works]. Those mechanics then generate events during play.”

In his view, “The hard part of game design is not physically implementing the game. It is inventing and refining knowledge about the design.” And successful game creation involves “inventing mechanics, fiction, art, and technology that interconnect into a powerful engine of experience.”

His 405-page book also shows why you should not try to spell out everything up front before beginning work on a new game. It is too easy to overplan, he emphasizes. But it is also easy to underplan. So you should aim for a process in the middle: iteration, “the practice of making short-range plans, implementing them, testing them, and repeating.” And that loop-like process is applied not just to the overall game. “We can iterate on a level, a tool, or an interface. On larger teams, there should be many different iteration loops running at the same time.”

According to news accounts emerging from the recent Game Developers Conference in San Francisco, much of the video game creation business is now gravitating toward independent developers and game companies with 10 or fewer employees. And the main focus within that movement is on creating games for tablet computers and smartphones–platforms with lower barriers to entry. But powerful new video game consoles are expected to appear soon, and they likely will drive the creation of new games, as well as upgrades for some successful existing games.

Whether you work alone, in a small shop, or on intercontinental game-development teams within big companies, you can learn important insights, processes, and skills from Tynan Sylvester’s Designing Games. And if you are now in the process of trying to find a design job somewhere in the video game industry, you definitely need to read it.

Si Dunn

Killer UX Design – How to create compelling, user-centered interfaces – #bookreview

Killer UX Design
Jodie Moule
(SitePoint – paperback, Kindle)

The overused term “killer app” tends to kill my curiosity about books with “killer” in the title.

Still, “killer” title aside, Killer UX Design deserves some attention, particularly if you are struggling to create a better user experience (UX) for products, websites, services, processes, or systems. The eight chapters in this 266-page book provide a well-written “introduction to user experience design.”

The focus, in UX design, is on “understanding the behavior of the eventual users of a product, service, or system. It then seeks to explore the optimal interaction of these elements, in order to design experiences that are memorable, enjoyable, and a little bit ‘wow’,” the author says.

She is a psychologist who co-founded and directs Symplicit, an “experience design consultancy” in Australia. “With the digital and physical worlds merging more than ever before,” she says, “it is vital to understand how technology can enhance the human experience, and not cause frustration or angst at every touchpoint.”

You won’t find JavaScript functions, HTML 5 code, or other programming examples in this book, even though software engineering increasingly is a key factor in UX design. Instead, the tools of choice during initial design phases are: Post-It Notes, index cards, sheets of paper, tape, glue, hand-drawn diagrams and sketches, plus clippings from newspapers, magazines and other materials.

And, you likely will spend time talking with other members of your UX design team, plus potential users of your product, service, or system.

Some of the chapters also deal with prototyping, testing, re-testing and tweaking, and how to modify a design based on what you learn after a product, service, or system has been launched.

A key strength of Killer UX Design is how it illustrates and explains the real-life — and seldom simple — processes and steps necessary to design an app that is both useful and easy to use.

Si Dunn

Outsource It! — The good, bad, and ugly of offshoring tech projects – #bookreview

Outsource It!
A No-Holds-Barred Look at the Good, the Bad, and the Ugly of Offshoring Tech Projects
Nick Krym
(Pragmatic Bookshelf – paperback)

Like it or not, outsourcing tech projects is here to stay. It’s also there to stay, and everywhere else to stay.

There is no clear way that outsourcing will shrivel up and die within the interconnected and increasingly interdependent world economy.

So, perhaps it’s time to stop griping, resisting, and mouthing political slogans–and focus, instead, on finding ways to make the best of offshoring. There are ways to profit from its advantages. And there are ways to minimize the risks from its quirks, management challenges, traps and disadvantages.

Actually, some “offshoring” is “nearshoring.” To help keep development costs down, big corporations in North America sometimes farm out tech work to smaller companies and individual freelancers located in less-expensive areas of the United States, Canada, and Mexico.

“Inshoring” happens, too. U.S. firms move some of their overseas tech operations back to the States, and foreign companies establish some tech outsource operations in the United States, Canada, and Mexico. Their outsourcing is our insourcing.

Outsourcing veteran Nick Krym calls his new book Outsource It! “a down-to-earth guide to offshore outsourcing.” It is aimed, he says, at “technology professionals…working in small- to medium-sized companies or in the technology trenches of large organizations.”

Outsource It! is well-written and packed with good information and how-to steps, plus insights drawn from Krym’s experiences and the experiences of many others in real-world offshoring. His 25 years in the IT industry include 20 years working in offshore outsourcing.

If you work in outsource situations, or if you are helping manage or set up an outsource team, you can glean good information and how-to ideas from Krym’s pages. And, you likely will want to keep the book handy in your reference collection, because he covers many “soft skills that need to be reinforced continuously until they become second nature.”

The 244-page book is divided into five main parts:

  1. Decide If, What, and How to Outsource
  2. Find the Right Vendors
  3. Negotiate Solid Contracts
  4. Lead Distributed Engagements
  5. Keep Risks Under Control

Three appendices take you inside the positives and negatives of outsourcing to India, China, Russia, Central and Eastern Europe, Ireland, Israel, South America, Central America, Mexico, Canada, and the rural United States.

Other appendices offer: an “Outsourcing Readiness Assessment Checklist”; a summary of “Vendor Search Criteria”; an “Outsourcing Checklist”; and an “Offshore Vendor Technical Assessment” process.

As someone who previously worked in multinational software development, on projects involving teams in the U.S., Canada, France, Italy, Sweden and China, I found myself particularly agreeing with Krym’s assessments of software outsourcing.

“Many companies think that QA—software testing—is a logical function to outsource,” he reports. He offers several reasons why this is not always “the most prudent approach” and describes what it takes to make offshore QA work.

For example: “The first rule of setting up a productive offshore team,” he stresses, “is to use QA professionals rather than software developer rejects or English major graduates.”

It is likewise vital to find “a solid QA lead—someone who is sufficiently technical, understands the process and requirements, and can manage the team.”

Krym further emphasizes that “[t]he cost difference between local and outsourced QA engineers is not always as dramatic as it is for developers.”

And: “Poor QA management can generate huge amounts of useless work, producing hard-to-manage artifacts and creating unhealthy team dynamics.”

Nick Krym’s new book is an excellent guide to the ins, outs and complex gray areas of outsourcing technology projects. And it’s not just for managers and executives. Employees, freelancers, and leaders of start-ups also can find ways to benefit and profit from the knowledge and experience Outsource It! offers.

Si Dunn

All for Search and Search for All: 3 New Books for Putting Search to Work – #bookreview

Seek and ye shall find.

That’s the theory behind the still-debated benefits of digging through Big Data to uncover new, overlooked, or forgotten paths to greater profits and greater understanding.

Big Data, however, is here to stay (and get bigger). And search is what we do to find and extract useful nuggets and diamonds and nickels and dimes of information.

O’Reilly Media recently has published three new, enlightening books focused on the processes, application, and management of search: Enterprise Search by Martin White, Mastering Search Analytics by Brent Chaters, and Search Patterns by Peter Morville and Jeffery Callender.

Here are short looks at each.

Enterprise Search
Martin White
(O’Reilly, paperback, Kindle)

Start with this book if you’re just beginning to explore what focused search efforts and search technology may be able to do for your company.

The book’s key goal is “to help business managers, and the IT teams supporting them, understand why effective enterprise-wide search is essential in any organization, and how to go about the process of meeting user requirements.”

You may think, So what’s the big deal? Just put somebody in a cubicle and pay them to use Google, Bing, and a few other search engines to find stuff.

Search involves much more than that. Even small businesses now have large quantities of potentially profitable information stored internally in documents, emails, spreadsheets and other formats. And large corporations are awash in data that can be mined for trends, warnings, new opportunities, new product or service ideas, and new market possibilities, to name just a few.

The goal of Enterprise Search is to help you set up a managed search environment that benefits your business but also enables employees to use search technology to help them do their jobs more efficiently and productively.

Yet, putting search technology within every worker’s reach is not the complete answer, author Martin White emphasizes.

“The reason for the well-documented lack of satisfaction with a search application,” he writes, “is that organizations invest in technology but not staff with the expertise and experience to gain the best possible return on the investment….”

Enterprise Search explains how to determine your firm’s search needs and how to create an effective search support team that can meet the needs of employees, management, and customers.

Curiously, White waits until his final chapter to list 12 “critical success factors” for getting the most from enterprise-wide search capabilities.

Perhaps, in a future edition, this important list will be positioned closer to the front of the book.

Mastering Search Analytics
Brent Chaters
(O’Reilly – paperback, Kindle)

This in-depth and well-illustrated guide details how a unified, focused search strategy can generate greater traffic for your website, increase conversion rates, and bring in more revenue.

Brent Chaters explains how to use search engine optimization (SEO) and paid search as part of an effective, comprehensive approach.

Key to Chaters’ strategy is the importance of bringing together the efforts and expertise of both the SEO specialists and the Search Engine Marketing (SEM) specialists — two groups that often battle each other for supremacy within corporate settings.

“A well-defined search program should utilize both SEO and SEM tactics to provide maximum coverage and exposure to the right person at the right time, to maximize your revenue,” Chaters contends. “I do not believe that SEO and SEM should be optimized from each other; in fact, there should be open sharing and examination of your overall search strategy.”

His book is aimed at three audiences: “the search specialist, the marketer, and the executive”–particularly executives who are in charge of search campaigns and search teams.

If you are a search specialist, the author expects that “you understand the basics of SEO, SEM, and site search (meaning you understand how to set up a paid search campaign, you understand that organic search cannot be bought, and you understand how your site search operates and works.)”

Search Patterns
Peter Morville and Jeffery Callender
(O’Reilly – paperback, Kindle)

“Search applications demand an obsessive attention to detail,” the two authors of this fine book point out. “Simple, fast, and relevant don’t come easy.”

Indeed, they add, “Search is not a solved problem,” but remains, instead, “a wicked problem of terrific consequence. As the choice of first resort for many users and tasks, search is the defining element of the user experience. It changes the way we find everything…it shapes how we learn and what we believe. It informs and influences our decisions, and it flows into every nook and cranny….Search is among the biggest, baddest, most disruptive innovations around. It’s a source of entrepreneurial insight, competitive advantage, and impossible wealth.”

They emphasize: “Unfortunately, it’s also the source of endless frustration. Search is the worst usability problem on the Web….We find too many results or too few, and most regular folks don’t know where to search, or how….business goals are disrupted by failures in findability…[and] Mobile search is a mess.”

Ouch!

Colorfully illustrated and well-written, Search Patterns is centered around major aspects in the design of user interfaces for search and discovery. It is aimed at “designers, information architects, students, entrepreneurs, and anyone who cares about the future of search.”

It covers the key bases, “from precision, recall, and relevance to autosuggestion and faceted navigation.” It looks at how search may be reshaped in the future. And, very importantly, it also joins the growing calls for collaboration across disciplines and “tearing down walls to make search better….”

Si Dunn