The Practice of Network Security Monitoring

Richard Bejtlich

Published by No Starch Press

Reviewed by

7 out of 10

Network security monitoring (NSM) is the practice of finding intruders on a network and acting on that knowledge before they do damage to an enterprise. This four-part book complements three earlier books on the subject by the same author.

The first part introduces the subject, explaining why monitoring networks matters and how the required information is best collected. Part two covers installing the Security Onion (SO) software and deploying and configuring it effectively.

SO is a Linux distribution for intrusion detection and network security monitoring. Part three describes the software shipped with SO and how to use those applications. The final part deals with how to use NSM processes and data to detect and respond to intrusions.

The author starts by comparing NSM with prevention-oriented approaches that block, filter or deny traffic, and explains how and where NSM differs in its approach and set-up. He also points out that NSM depends on visibility: where traffic cannot be observed, for example when devices talk directly to each other without passing a monitoring point, NSM is unlikely to work.

The kinds of NSM data that analysts use to discover and act on intrusions, such as session data, transaction data and statistical data, are then considered and discussed.
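To make the distinction between these data types concrete, here is an added example; it is not code from the book and not how SO's tools are implemented. Constructed packet-level records (invented addresses and byte counts) are rolled up into bidirectional session records, and those in turn into statistical summaries, which is the layering an analyst works down through when investigating.

```python
"""Toy illustration of the NSM data hierarchy:
packet records -> session records -> statistical data.

Added example, not from the book. The packet records below are
constructed by hand, not captured from a real network."""
from collections import defaultdict

# Constructed packet-level records:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes_on_wire)
PACKETS = [
    (1.0, "10.0.0.5", 51000, "203.0.113.7", 80, "tcp", 74),
    (1.1, "203.0.113.7", 80, "10.0.0.5", 51000, "tcp", 74),
    (1.2, "10.0.0.5", 51000, "203.0.113.7", 80, "tcp", 512),
    (1.3, "203.0.113.7", 80, "10.0.0.5", 51000, "tcp", 1460),
    (1.4, "203.0.113.7", 80, "10.0.0.5", 51000, "tcp", 900),
    (2.0, "10.0.0.9", 40000, "10.0.0.1", 53, "udp", 60),
    (2.05, "10.0.0.1", 53, "10.0.0.9", 40000, "udp", 120),
    (3.0, "10.0.0.5", 51001, "198.51.100.4", 443, "tcp", 74),
    (3.1, "198.51.100.4", 443, "10.0.0.5", 51001, "tcp", 74),
    (3.2, "10.0.0.5", 51001, "198.51.100.4", 443, "tcp", 5000),
]


def session_key(src, sport, dst, dport, proto):
    """Canonical bidirectional key: both directions of one conversation
    map to the same key by ordering the two endpoints."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a, b, proto)


def build_sessions(packets):
    """Session data: one record per conversation, with the originator
    taken from the first packet seen and per-direction byte/packet counts."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, nbytes in sorted(packets):
        key = session_key(src, sport, dst, dport, proto)
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = {
                "orig": (src, sport), "resp": (dst, dport), "proto": proto,
                "start": ts, "end": ts,
                "orig_bytes": 0, "resp_bytes": 0,
                "orig_pkts": 0, "resp_pkts": 0,
            }
        s["end"] = ts
        if (src, sport) == s["orig"]:
            s["orig_bytes"] += nbytes
            s["orig_pkts"] += 1
        else:
            s["resp_bytes"] += nbytes
            s["resp_pkts"] += 1
    return list(sessions.values())


def statistics(sessions):
    """Statistical data derived from sessions: total bytes per
    (proto, responder port) and the top talker by bytes originated."""
    by_port = defaultdict(int)
    sent = defaultdict(int)
    for s in sessions:
        by_port[(s["proto"], s["resp"][1])] += s["orig_bytes"] + s["resp_bytes"]
        sent[s["orig"][0]] += s["orig_bytes"]
    top_talker = max(sent.items(), key=lambda kv: kv[1])
    return dict(by_port), top_talker


def sessions_to_port(sessions, port):
    """Analyst query over session data: every conversation to a given
    responder port, without touching the underlying packets."""
    return [s for s in sessions if s["resp"][1] == port]


if __name__ == "__main__":
    sess = build_sessions(PACKETS)
    for s in sess:
        print(s)
    print(statistics(sess))
    print(sessions_to_port(sess, 443))
```

Real session data from SO's tools carries more fields (flags, state, application protocol), but the shape is the same: an analyst normally starts from statistics and sessions and only pulls full packet content for the conversations that look interesting.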

The deployment of the open source SO NSM suite is then dealt with in some depth. The author uses SO as his NSM case study because it is easy to deploy and operate. This section also covers stand-alone and distributed deployment and the housekeeping needed to keep an SO installation running smoothly.

The final two parts of the book consider the key applications shipped as part of SO, such as the command-line and graphical packet analysis tools, along with the configuration of the NSM consoles. Lastly, NSM in practice is discussed, along with the author's experiences in building and running an NSM team. The book concludes by considering the future role of NSM, particularly with respect to cloud environments.

Throughout the book the author uses a wide variety of illustrative material to support and amplify the text, such as screenshots, example print-outs and code snippets, along with references to other available books on the topic.

Although perhaps overly detailed in places, the book provides a comprehensive grounding in the subject. It is likely to find readers among security professionals unfamiliar with NSM, as well as more senior staff who need to teach it. I award the book seven out of ten for readability and value for money.

Further information: No Starch Press

January 2014