Book Review: The Practice of Network Security Monitoring

Book Cover

Earlier this year Richard Bejtlich (@taosecurity) was on PSW #327. Since that time his book as been released. The Practice of Network Security Management from NoStarch ( Richard is an individual who knows what he is talking about when it comes to NSM, having run a CIRT for the Air Force and GE and now resides as the CSO for Mandiant. Richard has also authored The Tao of Network Security Monitoring and Extrusion Detection.

This an excellent resource for beginners to NSM or people starting to do NSM in their environment and it is not intended for experienced NSM practitioners. It begins with a very good overview of what NSM is and what constitutes NSM and the sort of data that needs to be collected. Gives some good examples of how to place sensors and caveats found in large organizations with NAT and the like. Then to tie the types of devices into a tool, Richard introduces a very good set of Open Source tools like, Bro (, Snort, Squil, Snorby, ELSA etc. that are part of the Security Onion distribution created by Doug Burks (@dougburks).

The first section of the book is dedicated to in the installation of Security Onion and configuration of the tools that go along with it so that the reader could spin up their own instance and learn along with the book. If you are in anyway experienced with Linux installations you can skip most of this section, it was written so folks without much exposure can install SO. Once that is taken care of he builds on the tools contained within SO. When he can he shows multiple ways and tools to achieve the same thing, for example using tshark and the GUI version of Wireshark to analyze packets. He gives real world examples of data that tripped things like Snort to help understand the workings of the tools.

After the basics and tools are introduced it dives into using NSM to monitor a network. Areas like phases of an investigation and what data might help identify success vs attempt in an incident. He discusses incident classification which is one place I think some CIRTs tend to miss. The best part in my opinion of the whole book is in chapters 10 and 11. Once everything is introduced and a good understanding of the tools are in place Richard walks through 2 sample breech investigations and takes a step by step approach on the analysis done, data and tools used to identify the extent of a breach.

This is a very well written technical book. This is a very easy and quick read for its size, provides many examples and screen shots to give readers a good understanding of how to use the tools in the book. I would recommend this for anyone getting into the field of incident response who doesn’t have a great understanding of NSM, newcomers or perhaps less technical Managers.

-Greg Hetrick @gchetrick

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.