The Practical Intrusion Detection Handbook
by Paul E. Proctor
Prentice Hall, 2001.
359 pages, index, 2 appendices, bibliography
Hardcover. ISBN 0-13-025960-8. $49.99
Reviewed by Robert Bruen April 13, 2001
This is one of those times where the title of the book actually reflects
the content. The Practical Intrusion Detection Handbook is exactly what
it says it is, and it is done well. TCP/IP is mentioned only twice
throughout the book because protocols and what goes on underneath the
hood are not the topic. Instead, the book covers ID from the perspective of a
user who needs to learn about it, possibly in order to set one up.
In the introduction, the first item we encounter is "Security versus
Business", the main audience. Although it is hard to believe that any
business is still without some level of ID, the fact is that many are
not. Therefore, justification is the starting point, with an entire
chapter (Chapter 11) devoted to justifying the cost of an Intrusion
Detection System based on the proper risk analysis and asset valuation
that any astute corporate CFO should understand (e.g. ROI). Usually it is a
hard sell to set up a system of prevention when the risk of failure is
small. Fortunately, the media is full of stories of virus attacks and
defaced web sites. This chapter alone may be worth the price of the book
if you are trying to get your management to fund an IDS.
Since the audience is mainly the business world, there are several other
chapters of great value for those who are new to IDS and security. One
area that business just can not get away from is the legal jungle. Unless
your business is directly concerned with money as a product, not just
profits, such as banks or credit card companies, most have not taken
security seriously. This has begun to change, and the legal world now has
to be satisfied when problems occur. A long time ago, when you suffered a
break-in, the law was not very interested. Now, when a credit card heist
from a web business involves 35,000 or more cards at a shot, evidence and
liability become important. Knowing how to fold legal requirements into
incident response policy is no longer something that you figure out after
the fact. Read Chapters 8 & 15.
Continuing down the practical path, there are several chapters that big
systems folks will like: the Project Lifecycle, the Requirements
Definition and the Tool Selection and Acquisition Process. Having once
upon a time taught project management, I appreciate the problems that
one can run up against in larger organizations that formalize everything.
These chapters will assist those people. These days I prefer the smaller,
flexible approach, but it is nice to have a resource if the choice is not yours.
No IDS book would be complete without a chapter on things you can purchase,
along with pros and cons. For now, at least, most systems will be
software, but not all. Another distinction will be host-based tools and
network-based tools. In the end you will be analyzing data in the same
place, but naturally, the sources will be different. The important tools
are covered with pictures and screen shots.
This is definitely a recommended book; just keep in mind that it aims
at the business world, with all the caveats that brings. There are plenty
of real-world examples of intrusions and detections, but there are also
examples of cost estimates, policy management and operational issues.