The Tao of Network Security Monitoring. Beyond Intrusion Detection
by Richard Bejtlich

Addison-Wesley 2004.
ISBN 0-321-24677-2. LoC TK5105.59.B44. 798 pages. $49.99. Index, 3 Appendices

Reviewed by  Robert Bruen   September 16, 2004 

The subtitle of this book, Beyond Intrusion Detection, puts forth a challenge for itself. Intrusion detection (ID) is a fairly well established discipline, even as it continues to evolve with smarter techniques. The Tao pushes the envelope by presenting us with a sophisticated expansion of the monitoring process. ID systems basically watch events and react when something unwanted occurs. There are host based and network based ID systems, as well as anomalous behavior algorithms, and some that are intrusion prevention approaches. For the most part, people acquire systems that will work for them because the traffic volume is large, which is why we all love Snort. It seems to be common knowledge that the human analyst is still the best bet.

The Tao goes into the deep cave where humans pay attention to the network, using more than just the tools. This evolutionary change does not change the quantity of required knowledge, expertise and experience.

The book is divided into five parts with a total of eighteen chapters. One of the major parts is devoted to the people and their training, which is a bit unusual for books of type, but is most welcome.

While the book is chock full of cool tools, it is not simply a listing of the tools. There is significant analysis of the tools and their use. In the interest of full disclosure, the author also presents a tool (Sguil) developed by a colleague in a network monitoring research project. This tool works with Snort data, obviously going beyond simple alerts. "Going beyond: means that after the tool is discussed with an example of how to run it with various options, the results are analyzed and explained. A particularly nice one was Tcpflow, where the session reconstruction resulted in recovery of an executable downloaded by the attacker. It would not have mattered if the actual file was deleted. Not everyone will appreciate the value of this, because the important activity occurs after the alert. If strict ID is the goal, then much of the monitoring will seem pointless. However if one looks at the broader viewpoint of security as a process, then the in-depth observation of events, understanding them and reviewing them will appear to more useful. Networking Security Monitoring shares this philosophy with the "Know Your Enemy" gang.

This book is well constructed, readable and useful. The approach is a good one and the initial challenge of going beyond ID was successfully met by Bejtlich. It is a book that can be recommended without reservation.