M-unition -

Richard Bejtlich on His Latest Book, “The Practice of
Network Security Monitoring”

By on August 20, 2013

Practice of Network Security Monitoring

The Practice of Network Security Monitoring

Everyone wants to know how to find intruders on their networks. I learned one approach when I served in the Air Force Computer Emergency Response Team (AFCERT) as a captain from 1998 to 2001. When I left the service and brought my refinements of network security monitoring (NSM) to the commercial world, I decided that at some point I would explain what I knew in book form for the good of the computer network defense community.

In July 2004, I published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection . Although I had published material on NSM in 2002 in Hacking Exposed, 4th Edition and in 2003 in Incident Response, 2nd Edition, the Tao was my first major contribution to the field of detecting and responding to intrusions using network-centric tools and tactics. I wrote two other books in the following two years, namely Extrusion Detection and Real Digital Forensics, the latter as a co-author. I wrote for the intermediate-to-advanced level audience, and people seemed to find the works useful.

I began teaching multi-day classes on NSM and related subjects in 2004, and in 2007 brought new classes on NSM to Black Hat. Over the years I kept my material at the intermediate-to-advanced level because I thought that sort of viewpoint was most needed. In late 2012, however, teaching for Black Hat in Dubai, I realized that for every intermediate-to-advanced student in my class, there were probably 100 or more introductory-level students trying to better understand security and their networks. By writing for people who I thought already “got” NSM, I ignored thousands of deserving readers and students.

In late December 2012 I decided it was time to a write a book for people who knew something about computers, networking, and security, but little to nothing about NSM or incident detection and response. I submitted a proposal to No Starch and began writing a new book the first week of January 2013, with the goal of having it in print for Black Hat in July 2013. Thanks to the fine work of No Starch’s team and my editors and contributors, The Practice of Network Security Monitoring arrived in time for Black Hat last month.

If you want to know how to use network-derived evidence to detect and respond to intrusions, my new book is for you. I teach you why NSM matters, where and how to obtain visibility, how to collect and analyze traffic, and what to do when you find something suspicious or malicious. Although you may be able to use your existing tools and data to accomplish these goals, I demonstrate NSM using the amazing open source NSM distro Security Onion by Doug Burks and Scott Runnels. With nothing more than the investment in some reading time and downloading free software, you can start learning how intruders are abusing your network.

In addition to writing the new book for those at the introductory level of NSM practice, I also wrote a new class titled “NSM 101.” I taught the material at Black Hat last month, and feedback was positive. I intend to teach the same course in Seattle for Black Hat on December 9-10, 2013 and again in 2014 in Vegas and elsewhere with Black Hat. I find that my network-centric approach nicely complements the powerful endpoint- and log-centric tools and capabilities available from Mandiant’s products and services.

If you have questions about how NSM can help defend your organization, please feel free to leave a comment or send me a tweet via @taosecurity. I am happy to respond to thoughtful questions.

Category: The Suite Spot


    1. By Andrew Rourke on August 22 at 5:19 pm

      Hello Richard, Greetings from down under, my copy of your book arrived in the mail last night and looking forward to reading it. We have met a number of times most recently at Black hat last year (Vegas) where you signed my Bruce Lee T shirt. (what happend to retiering from training? :)),

      My question is in relation to the Mandiant Webcasts. The live presentation is local time 3:00 am for us so we rarely see them. Is it possible to access them after the fact and watch a playback?

      Thanks, Andrew.

    2. By David on September 18 at 3:25 am

      It is very helpful for all those people who really wants to know about network security, Network security is the major issue and yes it is the most critical factor in an organization. It is true that most of the people are not aware about all aspects related to a network, but they should be….. Network monitoring can give a huge impact on performance as well can help you to maintain security. I will definitely buy one for me, Hope so I will get some more knowledge and information excluding which I have.

    Leave a Comment

Get M-Unition in Your Inbox:

Follow @mandiant

Follow @mandiant on twitter.


From the Front Lines: It's the End of the Year as We Know It - 2014

Wed, Dec 3, 2014

2014 is drawing to a close, which means it’s time for Mandiant’s annual year-end review.

Join Richard Bejtlich, Chief Security Strategist at FireEye, Kelly Jackson Higgins, Executive Editor at DarkReading and Kristen Verderame, Chief Executive Officer at Pondera International as they share highlights from the past twelve months.

Register Today!

Career Opps @ Mandiant

We’re growing fast, but we’re as demanding as ever. Our clients come to us in their hours of need, so we need the best. That means more than just the right education and the right experience in information security.

As Mandiant continues to grow, we are able to offer certain positions in multiple locations. For details on the location(s) of each opening, please refer to the position descriptions.

Click here to view available positions.