The Practice of Network Security Monitoring

Understanding Incident Detection and Response
by Richard Bejtlich
July 2013, 376 pp.

Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.

In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.

You'll learn how to:

  • Determine where to deploy NSM platforms, and size them for the monitored networks
  • Deploy stand-alone or distributed NSM installations
  • Use command line and graphical packet analysis tools, and NSM consoles
  • Interpret network evidence from server-side and client-side intrusions
  • Integrate threat intelligence into NSM software to identify sophisticated adversaries

There’s no foolproof way to keep attackers out of your network. But when they get in, you’ll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.

Author Bio 

Richard Bejtlich is Chief Security Strategist at FireEye, and was formerly Chief Security Officer at Mandiant. He also served as Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). He is a graduate of Harvard University and the United States Air Force Academy. His previous works include The Tao of Network Security Monitoring, Extrusion Detection, and Real Digital Forensics (all from Addison-Wesley). He blogs and writes on Twitter as @taosecurity.

Table of contents 

Foreword by Todd Heberlein
Preface

Part I: Getting Started
Chapter 1: Network Security Monitoring Rationale
Chapter 2: Collecting Network Traffic: Access, Storage, and Management
Part II: Security Onion Deployment
Chapter 3: Stand-alone NSM Deployment and Installation
Chapter 4: Distributed Deployment
Chapter 5: SO Platform Housekeeping
Part III: Tools
Chapter 6: Command Line Packet Analysis Tools
Chapter 7: Graphical Packet Analysis Tools
Chapter 8: NSM Consoles
Part IV: NSM in Action
Chapter 9: NSM Operations
Chapter 10: Server-side Compromise
Chapter 11: Client-side Compromise
Chapter 12: Extending SO
Chapter 13: Proxies and Checksums

SO Scripts and Configuration


"A comprehensive guide. Certain to make the reader a better information security practitioner, and their network more secure."
Ben Rothke, Slashdot

"If you are in cyber security, this is a must read. The book is the best resource for tools I have seen anywhere."
Stephen Northcutt, SANS Institute

"A very well written technical book. I would recommend this for anyone getting into the field of incident response who doesn't have a great understanding of NSM."
Greg Hetrick, PaulDotCom

"Deploying NSM not only means you can quickly identify, contain, and remediate intrusions, it gives you insight into the network as a whole."
Michael W. Lucas, author of Absolute OpenBSD, 2nd Edition

"The Practice of Network Security Monitoring: the best surveillance book you'll read anytime soon."
Peter N. M. Hansteen, author of The Book of PF

"This gem from No Starch Press covers the life-cycle of Network Security Monitoring (NSM) in great detail and leans on Security Onion as its backbone. I recommend an immediate download of the latest version of Security Onion and a swift purchase of Richard’s book."
Russ McRee, senior security analyst, Microsoft

"The principles Bejtlich outlines for running your security monitoring are the kind of best practice you should apply to any important server."
Mary Branscombe, ZDNet

"If you want to know what to do when intruders arrive on your network and how to best prepare for that eventuality, you must read this book."
Sandra Henry-Stocker, ITWorld

"Bejtlich is a master of his craft and also possesses the rare gift of being able to share his knowledge in a comprehensible way."
Richard Austin, IEEE Cipher

"As tech books go, it's a pretty fun ride."
Michael Larsen, Testhead


Page 48:
The middle of the last paragraph should read "In other words, cable R01 would be connected to one of the switches—say switch uplink S1—while cable R02 would be connected to the firewall interface facing uplink S1."

Page 166:
The code at the top of the page that reads:
WHERE event.timestamp > '2014-02-10 11:13:00' AND event.timestamp < '2013-02-10 11:16:00' AND event.signature LIKE 'URL%'"
Should instead read:
WHERE event.timestamp > '2013-02-10 11:13:00' AND event.timestamp < '2013-02-10 11:16:00' AND event.signature LIKE 'URL%'