The Practice of Network Security Monitoring: Understanding Incident Detection and Response
by Richard Bejtlich

No Starch Press 2013.
ISBN ISBN 978-1-59237-509-9 USD 29.97, Table of Contents

Reviewed by  Richard Austin   9/16/2013 

Have you ever thought that there has to be a way to harvest the information present in network traffic (both patterns and content) to defend computer-based assets? Richard Bejtlich has previously introduced two books that introduced "network security monitoring" (or NSM) showing that the value of paying just as much attention to traffic leaving a network as the traffic entering it:

The Tao of Network Security Monitoring Extrusion Detection

His third and latest book takes the practice of NSM ("the collection, analysis and escalation of indications and warnings to detect and respond to intrusions", p. 1) to a new level through an open source toolset that you can easily run on your network and put it through its paces. Bejtlich bases his presentation on the Open Source SecurityOnion Linux distribution ( which has the Open Source NSM tools already installed with canned configuration scripts to get the tools running on your network with a minimum of fuss and bother. As your humble correspondent can attest, by following the detailed instructions in Parts I and II of the book, you can set up a functioning NSM platform that will allow you to follow along with rest of the book and also provide useful information about what is happening on your networks.

With your SecurityOnion installation up and running, Part-III of the book walks through the tools (both command line and GUI) with detailed instructions and copious annotated illustrations. While many tools will be familiar, presenting them in an overall NSM-centric context provides a sense of how the puzzle pieces and their capabilities work together to provide visibility into happenings within your networks.

Part IV examines "NSM in Action" beginning with a solid overview of the process of how a well-functioning CIRT operates. I particularly recommend his taxonomy of "Intrusion Categories" (Figure 9-5) to your consideration.

Bejtlich then examines in detail how the tools work together by taking a detailed look at both a server-side and client-side compromise. This is where the rubber meets the road and demonstrates the author's deep knowledge and experience of how intruders operate and the traces their actions leave in the network data. I would almost recommend that you skim this section before reading the entire book to get a sense of the power and insight that NSM can bring to your organization's efforts to monitor and defend its networks.

Bejtlich is a master of his craft and also possesses the rare gift of being able to share his knowledge in a comprehensible way. This book demonstrates how NSM can be implemented using freely available Open Source tools and should inspire even wider adoption of the Tao.

This book is targeted at tools for technical professionals. Managerially focused readers should definitely read Chapter 9, "NSM Operations", for a masterful overview of the processes governing security incident response operations. As Bejtlich makes only too clear, gathering relevant data and transforming it into actionable information is a meaningless activity unless there is an organizational process to make use of it.

My sincere hope is that you will: buy this book; read this book; do as this book recommends.

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin ( fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org