Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
The practice of network security monitoring : understanding incident detection and response
Bejtlich R., No Starch Press, San Francisco, CA, 2013. 376 pp. Type: Book (978-1-593275-09-9)
Date Reviewed: Feb 10 2014

I reached for this book because I am one of those readers who needs what it offers. That is, I wanted to learn about network monitoring to improve its security. As the author advises on several occasions, the book is aimed at those professionals who deal with computer security but want to expand their practical knowledge and improve skills. Having read the previous book by this author on the same subject [1], I was curious to see how some of its deficiencies (such as somewhat inconsistent definitions, weak theorizing, and so on) were addressed in this new publication.

The definition of network security monitoring (NSM) was carried over from the previous book: NSM is “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.” What intrigues me in this wording is the use of the word “escalation.” I haven’t figured out how it fits in and don’t think it is necessary. It is explained in the book as “the act of notifying a constituent about the status of a compromised asset” (page 188), so it would appear to mean nothing more than sending out notifications or reporting results. But, putting this aside, it must also be noted that, in the author’s view, NSM doesn’t just mean plain traffic monitoring, as one might think. NSM deals with the use of products such as an intrusion detection system to generate alerts, as well as people to respond to security alerts and breaches, and processes to guide people in making decisions and taking actions.

The book is extremely well organized. It comprises 13 chapters, divided into four parts. Part 1 is very well written and presents the rationale and guide for using NSM, describing how to understand traffic flow and, in particular, where to install observation points (soft sensors), how to monitor the network physically, and how to select NSM platform tools. It offers some management recommendations and formulas for the size of storage and memory required for NSM. It adequately sets the foundation for understanding the rest of the material.

Part 2 is much less inspiring because it simply discusses technicalities (albeit necessary ones) on how to build an NSM platform based on the Security Onion (SO). SO is essentially an operating system related to Ubuntu Linux, which forms an environment for using the NSM tools. In this edition, the author departs from FreeBSD, which was the operating system of choice in the earlier book.

Part 3 describes tools for NSM, divided into three categories and outlined in their respective chapters: command line packet analysis tools (such as tcpdump), graphical user interface (GUI) packet analysis tools (such as Wireshark), and complete NSM consoles (Sguil is a basic example). Finally, Part 4 discusses techniques and related case studies; how to apply the NSM with server-side compromise, client-side compromise, proxies, and checksums; and extending SO features to better use its functions.

I would note that the fundamental principle of the book involves reactive security measures, as opposed to preventive measures. The author’s philosophical assumption that “prevention eventually fails” is a very important design consideration and has held sway in computing over the years. It first struck me explicitly when I encountered Ian Pyle’s book [2], in which he stated that programming language exceptions are necessary because “every action may fail.” Naturally, in practice, both approaches, preventive and reactive, are complementary, but it must be stressed that this book advocates the latter.

Comparing this book to the author’s previous publication, I found two major differences in addition to changing the platform from FreeBSD to SO. The current book is much better organized and selects and discusses significantly different tools, which is quite obvious, since they have drastically changed over the last decade. Other differences include dropping the 60-page discussion of literature, and sensitizing the reader to the legal issues involved with observing network traffic.

Overall, the author is very well informed and undoubtedly did his homework as a practitioner. The book delivers on the author’s promise and shows real professionalism in conveying his deep knowledge to the reader.

Being both an academic and a professional sensitive to practical matters, I must say that the book definitely met my expectations in terms of the content and the level of the material. It will be a useful addition to the library of every professional interested in network security.

More reviews about this item: Amazon, GoodReads, Slashdot

Reviewer:  Janusz Zalewski Review #: CR141990 (1405-0295)
1) Bejtlich, R. The Tao of network security monitoring. Addison-Wesley, Boston, MA, 2005.
2) Pyle, I. C. The Ada programming language. Prentice Hall, Englewood Cliffs, NJ, 1981.
Bookmark and Share
  Reviewer Selected
Featured Reviewer
Network Monitoring (C.2.3 ... )
Security and Protection (C.2.0 ... )
Would you recommend this review?
Other reviews under "Network Monitoring": Date
Network monitoring explained: design and application
Chiu D., Sudama R., Ellis Horwood, Upper Saddle River, NJ, 1992. Type: Book (9780136147107)
Jun 1 1993
The art of testing network systems
Robert W. J., John Wiley & Sons, Inc., New York, NY, 1996. Type: Book (9780471132233)
Aug 1 1997
Perkins D., Prentice Hall PTR, Upper Saddle River, NJ, 1999. Type: Book (9780130961631)
Oct 1 1999

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®
Terms of Use
| Privacy Policy