Wednesday, September 27, 2006

Book Review: Tao of Network Security Monitoring


(From my review on Amazon)
This is a great book. With most geek books, I browse and grab what I need. With this one, I even read the appendices!

At first, the author's tone put me off. He spends the introductory chapters talking about the "Way" of Network Security Monitoring (capitalized) and how it's much better than other approaches. It felt a little like, "My Burping Crane Kung-Fu will defeat your Shining Fist techniques!" I really didn't see much difference between what he was talking about and other approaches. I admit to being much newer to this discipline than the author, and he has an impressive appendix on the intellectual history of intrusion detection (uncapitalized). So it may be that the lessons he advocates have already been internalized; my exposure may have been to a field that has already moved up to his standard. But I have a hard time imagining that intrusion analysts have ever been satisfied with a single approach with no correlation. As I understand what he means by upper-case NSM, it's basically the efficient use of multiple techniques to detect intrusions. I can't see trying to argue the contrary position.

Ah, but then we get to the good stuff. He goes through the major types of indicators and the means of reviewing them. He covers the use of a number of important tools, but doesn't rehash what is better covered elsewhere. For example, he doesn't bother covering Snort, because there are plenty of books on Snort already. If you are reading the book, it's almost a certainty that you are familiar with Snort. Good call to skip over that. Instead, he covers some other tools that might be useful in the same area. He also refers to tons of other books. I made a lengthy wish-list based on his recommendations and they've been good. (He also reviews exhaustively here on Amazon.) So this book is like the first stone in an avalanche: it triggers the acquisition of many other books.

The book provided many 'light bulb' moments. For example, he talks about giving up on source-based focus. In a world where a DDoS attack is currently using 23,000 separate bots, we may exhaust our resources tracking low-value drones. So focus on the targets they are after: light-bulb! In spite of my earlier resistance, I was soon going through it as eagerly as I did with the Patrick O'Brian Aubrey/Maturin novels. It's fun to read such clear, authoritative writing.

One quibble - he trashes the SANS intrusion detection course, which I took and thought was terrific. He has taught the class, and considered the course material out of date. Maybe they have updated, but his book didn't contradict anything in the course as I took it 1.5 years ago.

1 Comment:

Anonymous said...

I have also read The Tao Of NSM. I love that book.

"I really didn't see much difference between what he was talking about and other approaches"

You should read the comments of the blog and the blog of Richard Bejtlich: http://taosecurity.blogspot.com (the author of the book), and you will see that many people have approaches far too different from Richard Bejtlich's approach to network security.

"But I have a hard time imagining that intrusion analysts have ever been satisfied with a single approach with no correlation". I worked as a junior security analyst in a company, and too many people think that understanding an alert is the only way to detect an intrusion. That's why I think the most important chapters of "The Tao Of NSM" are the first two chapters that explain why you should follow NSM.

If you want to learn more about NSM you should idle on #snort-gui (sguil) irc channel on irc.freenode.org.

See ya!

10:54 AM  
