Computing Reviews

The practice of network security monitoring: understanding incident detection and response
Bejtlich R., No Starch Press, San Francisco, CA, 2013. 376 pp. Type: Book
Date Reviewed: 02/10/14

I reached for this book because I am one of those readers who needs what it offers. That is, I wanted to learn about network monitoring to improve its security. As the author advises on several occasions, the book is aimed at those professionals who deal with computer security but want to expand their practical knowledge and improve skills. Having read the previous book by this author on the same subject [1], I was curious to see how some of its deficiencies (such as somewhat inconsistent definitions, weak theorizing, and so on) were addressed in this new publication.

The definition of network security monitoring (NSM) was carried over from the previous book: NSM is “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.” What intrigues me in this wording is the use of the word “escalation.” I haven’t figured out how it fits in and don’t think it is necessary. It is explained in the book as “the act of notifying a constituent about the status of a compromised asset” (page 188), so it would appear to mean nothing more than sending out notifications or reporting results. But, putting this aside, it must also be noted that, in the author’s view, NSM doesn’t just mean plain traffic monitoring, as one might think. NSM deals with the use of products such as an intrusion detection system to generate alerts, as well as people to respond to security alerts and breaches, and processes to guide people in making decisions and taking actions.

The book is extremely well organized. It comprises 13 chapters, divided into four parts. Part 1 is very well written and presents the rationale and guide for using NSM, describing how to understand traffic flow and, in particular, where to install observation points (soft sensors), how to monitor the network physically, and how to select NSM platform tools. It offers some management recommendations and formulas for the size of storage and memory required for NSM. It adequately sets the foundation for understanding the rest of the material.

Part 2 is much less inspiring because it simply discusses technicalities (albeit necessary ones) on how to build an NSM platform based on the Security Onion (SO). SO is essentially an operating system related to Ubuntu Linux, which forms an environment for using the NSM tools. In this edition, the author departs from FreeBSD, which was the operating system of choice in the earlier book.

Part 3 describes tools for NSM, divided into three categories and outlined in their respective chapters: command line packet analysis tools (such as tcpdump), graphical user interface (GUI) packet analysis tools (such as Wireshark), and complete NSM consoles (Sguil is a basic example). Finally, Part 4 discusses techniques and related case studies; how to apply the NSM with server-side compromise, client-side compromise, proxies, and checksums; and extending SO features to better use its functions.

I would note that the fundamental principle of the book involves reactive security measures, as opposed to preventive measures. The author’s philosophical assumption that “prevention eventually fails” is a very important design consideration and has held sway in computing over the years. It first struck me explicitly when I encountered Ian Pyle’s book [2], in which he stated that programming language exceptions are necessary because “every action may fail.” Naturally, in practice, both approaches, preventive and reactive, are complementary, but it must be stressed that this book advocates the latter.

Comparing this book to the author’s previous publication, I found two major differences in addition to changing the platform from FreeBSD to SO. The current book is much better organized and selects and discusses significantly different tools, which is quite obvious, since they have drastically changed over the last decade. Other differences include dropping the 60-page discussion of literature, and sensitizing the reader to the legal issues involved with observing network traffic.

Overall, the author is very well informed and undoubtedly did his homework as a practitioner. The book delivers on the author’s promise and shows real professionalism in conveying his deep knowledge to the reader.

Being both an academic and a professional sensitive to practical matters, I must say that the book definitely met my expectations in terms of the content and the level of the material. It will be a useful addition to the library of every professional interested in network security.



[1] Bejtlich, R. The Tao of network security monitoring. Addison-Wesley, Boston, MA, 2005.

[2] Pyle, I. C. The Ada programming language. Prentice Hall, Englewood Cliffs, NJ, 1981.

Reviewer: Janusz Zalewski. Review #: CR141990 (1405-0295)
