Book Review: "Crafting The InfoSec Playbook"

"Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan" by Jeff Bollinger, Brandon Enright, and Matthew Valites is a crucial blue team book on the theory of security monitoring and detection. I was impressed with the takeaway theories that this book imparts, things that can save blue teams months of learning, trial, and error; however, the book also left me wanting more in terms of technical implementation and incident response theory, leading me to believe the book's true scope is tighter than it originally lets on. I got the book on Amazon at ~$40 for ~270 pages, which felt a little overpriced for the content; however, the lessons in this book are those you can only get from experience in a detection role or from a book like this, where someone has already gone through these pain points. In general, it's a fairly wordy book on detection theory with a plethora of examples of detecting malicious actions. For me, it seemed to be lacking technical implementation, meaning you couldn't actually set up a detection program following this book, but it did impart some amazing theory regarding detection throughout the book, as well as examples of the malicious traffic such a system should catch. This abstract approach may also give it more longevity, as it isn't tied to any specific implementations. I give the book 6 out of 10 stars; in my opinion it's more valuable than a book like the Defensive Security Handbook, specifically for the theory around starting your own detection program, but less practical when compared to texts like BTFM or the Blue Team Handbook. I recommend it to blue team members working on detection teams or those looking for some solid cyber security detection theory.
Despite the flashy sounding chapter titles, I was ultimately disappointed with most chapters as they lacked a lot of technical details, preferring wordy paragraphs of theory or diagrams of theoretical models (take a look at the Chapter 7 example linked below for more details):

Chapter 1: Incident Response Fundamentals
Chapter 2: What Are You Trying to Protect?
Chapter 3: What Are the Threats?
Chapter 4: A Data-Centric Approach to Security Monitoring
Chapter 5: Enter the Playbook
Chapter 6: Operationalize!
Chapter 7: Tools of the Trade
Chapter 8: Queries and Reports
Chapter 9: Advanced Querying
Chapter 10: I’ve Got Incidents Now! How Do I Respond?

The book imparts some crucial lessons, such as the critical nature of a robust log pipeline and SIEM solution, as well as the efficacy of the alerts analysts create, citing the golden rule of false positives. My favorite chapter is Chapter 7 (careful with the example page, it may host some malvertising), which talks about the location and effectiveness of a network IDS system for monitoring and detection. This was one of the first chapters that I saw with really good technical examples, and most content after this was generally better than content before Chapter 7 in my opinion. The book hardly covers host-based detection technologies; it seems to get a paragraph mention in Chapter 7, while the rest of the book puts a large focus on netflow analysis. Further, the book doesn't cover any incident response or remediation playbooks. While there is a chapter on response, it only makes mention of the IR life cycle from a high level and talks a little bit about containment options, making this chapter feel kind of forced and not fulfilling in terms of responding to a cyber attack or incident. The lackluster emphasis on this chapter really makes me think this is mostly a book on cyber security signals and detection, as opposed to a playbook for the entire IR life cycle. Finally, the book has a pretty awful companion site, just linking to the O'Reilly store and Amazon page. The following is a presentation by Brandon Enright on security monitoring and detection philosophy, which largely covers the same stuff as the book: