Title: The Tao of Network Security Monitoring: Beyond Intrusion Detection
Authors: Richard Bejtlich
Publisher: Addison-Wesley Professional
Published: July 22, 2004
Edition: 1st Edition
Every once in a while you come across a book that really opens your eyes. One that talks in-depth about something completely different.
Unfortunately, most technical IT books are rehashes of a bunch of papers and tutorials off the net, and you often wonder whether the time you spent reading the book would have been better spent on google.
The Tao of Network Security Monitoring is not one of these books. It is with great pleasure that I am reviewing what I consider one of the most informative and well written books I have ever come across.
Network Security Monitoring (NSM) is half a science, and half a black art. It requires an in-depth knowledge of packets, protocols, applications, vulnerabilities and black hat tactics. This book focuses on the philosophy behind NSM, the skills required, the tools you need, and the way to set up an effective NSM operation.
The author, Richard Bejtlich, is a former Air Force intelligence officer, and the approach he dictates is almost military in nature. This book covers an introduction to security, what NSM is, how to deploy it, the best tools for the job and the types of things you will see.
I was most impressed by the analysis of normal versus suspicious versus malicious traffic. Since deep packet inspection is one of my hobbies, I am no stranger to reading data off the wire, but I was amazed by the amount of information this man was able to glean by looking at a simple DNS packet !
He explains the differences between full content data (logging everything to the application layer), session data (looking at just the different conversations between hosts), and statistical data. Everything in this book is practical, you can even go to the website and download the same packet traces he uses for explanation and run through them yourself.
This book taught me about a host of new tools, from Argus, to the incredible SGUIL. It taught me a lot of tricks about designing a top notch NSM collection and analysis setup, and more than anything, it introduced me to a completely new mind-set.
In short, this is at present the most enlightening book on my IT bookshelf. I strongly recommend it to anyone who is involved with networks or security. It will be of special interest to the sort of people who get a rush ripping up packets and understanding what happens below the surface. It also goes really well with firewall.cx, since most of the protocols talked about are explained here in detail.
If there is one disappointment, it's the absence of an included CD-ROM containing tools, or perhaps a live FreeBSD CD (Freebie) like the one he introduces in the book.
This one gets a scorching 4/5. Get it now, and open your mind !