Book Review: "The Practice of Network Security Monitoring"


The Practice of Network Security Monitoring: Understanding Incident Detection and Response, written by Richard Bejtlich and published by No Starch Press, is one of the staple texts of incident response and information security. For about $30 this book provides over 350 pages of free tools, fundamental theories, and verified techniques for detecting and responding to network incidents in an information security context. It has been called the definitive text on Network Security Monitoring (NSM) and would serve as an excellent knowledge baseline for any network security analyst. While it can be read cover to cover, it actually targets a wide audience, from those who don't yet know which tools to use all the way to tactics for more seasoned analysts. Therefore, I would recommend that any blue teamer, network engineer, or information security practitioner pick the book up and look at which chapters could best fill gaps in their NSM understanding. Overall, I'm giving this book 8/10 stars, because it's entirely based on free tools, should be considered a seminal text on NSM, and provides a rock-solid approach not only to hunting down and acting on network incidents, but to running a Computer Incident Response Team (CIRT). However, the book doesn't dive deep into advanced topics, choosing instead to cover the breadth of NSM, so it may be more review than insight for advanced network analysts.

The reasons I love this book are innumerable, but here goes: the ease with which it guides newcomers through installation and tool configuration, its eloquent treatment of incident response theory, the core network security tools it covers, its analysis of the attacker's kill chain, hunting on the network for new indicators, a model for the functions of a successful SOC or CIRT, and most importantly its focus on constantly improving incident response metrics. Despite holding this book in such high regard, one of my concerns is that it is almost entirely tool driven, so if you aren't using the tools exemplified in the book, it may be harder to pick up the underlying lessons. The book is built entirely around Security Onion, a great collection of blue team tools neatly packaged in an ISO, similar to what Kali Linux is for the red team. Further, this book is part of Palo Alto Networks' Cybersecurity Canon, and their review really distills the core theories of the book. Ultimately, this is the kind of book that can replace a class, the kind of book that can help an interested and driven individual find a lot of success in the network security world. I also really enjoyed the detective-like narrative when working through the examples: showing us the screenshots and letting us make our own judgments on events before explaining the event's true significance. Don't be intimidated by the book's large size either; it doesn't have to be read cover to cover, and more experienced network analysts will probably pick and choose their favorite chapters quickly. The following is the list of chapters and their subtopics, in my typical review style, so you can see which chapters would be important to you:

Part 1: Getting Started

Chapter 1: Network Security Monitoring Rationale

An Introduction to NSM
A Sample NSM Test
The Range of NSM Data
What’s the Point of All This Data?
NSM Drawbacks
Where Can I Buy NSM?
Where Can I Go for Support or More Information?
Conclusion

Chapter 2: Collecting Network Traffic: Access, Storage, and Management

A Sample Network for a Pilot NSM System
IP Addresses and Network Address Translation
Choosing the Best Place to Obtain Network Visibility
Getting Physical Access to the Traffic
Choosing an NSM Platform
Ten NSM Platform Management Recommendations
Conclusion

Part 2: Security Onion Deployment

Chapter 3: Stand-alone NSM Deployment and Installation

Stand-alone or Server Plus Sensors?
Choosing How to Get SO Code onto Hardware
Installing a Stand-alone System
Conclusion

Chapter 4: Distributed Deployment

Installing an SO Server Using the SO .iso Image
Installing an SO Sensor Using the SO .iso Image
Building an SO Server Using PPAs
Building an SO Sensor Using PPAs
Conclusion

Chapter 5: SO Platform Housekeeping

Keeping SO Up-to-Date
Limiting Access to SO
Managing SO Data Storage
Conclusion

Part 3: Tools

Chapter 6: Command Line Packet Analysis Tools

SO Tool Categories
Running Tcpdump
Using Dumpcap and Tshark
Running Argus and the Ra Client
Conclusion

Chapter 7: Graphical Packet Analysis Tools

Using Wireshark
Using Xplico
Examining Content with NetworkMiner
Conclusion

Chapter 8: NSM Consoles

An NSM-centric Look at Network Traffic
Using Sguil
Using Squert
Using Snorby
Using ELSA
Conclusion

Part 4: NSM in Action

Chapter 9: NSM Operations

The Enterprise Security Cycle
Collection, Analysis, Escalation, and Resolution
Remediation
Conclusion

Chapter 10: Server-side Compromise

Server-side Compromise Defined
Server-side Compromise in Action
Exploring the Session Data
Stepping Back
Conclusion

Chapter 11: Client-side Compromise

Client-side Compromise Defined
Client-side Compromise in Action
Analyzing the Bro dns.log File
Checking Destination Ports
Examining the Command-and-Control Channel
Conclusion

Chapter 12: Extending SO

Using Bro to Track Executables
Using Bro to Extract Binaries from Traffic
Using APT1 Intelligence
Reporting Downloads of Malicious Binaries
Conclusion

Chapter 13: Proxies and Checksums

Proxies
Checksums
Conclusion

Conclusion

Cloud Computing
Workflow, Metrics, and Collaboration
Conclusion

(Chapter 14:) SO Scripts and Configuration

SO Control Scripts
SO Configuration Files
Updating SO
Colophon
Appendix Updates

By far the most interesting section I found was 'Part 4: NSM in Action', which covers the process of detecting and tracking down an incident using your entire toolkit. This was a very real chapter to me and reminded me of many of the operations we used to perform at Mandiant. Similarly, I enjoy this book so much because Richard really takes you from start to finish, performing practical network security monitoring throughout the book, making the learning experience very real-world and applicable. If you're still not convinced you need network security monitoring in your life, or don't know if this book is right for you, you can read the first chapter for free! But if you ask me, pick up a copy and start running tcpdump today!