Jump to ratings and reviews
Rate this book

The Practice of Network Security Monitoring: Understanding Incident Detection and Response

Rate this book
Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.

In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.

You'll learn how to:

Determine where to deploy NSM platforms, and size them for the monitored networks Deploy stand-alone or distributed NSM installations Use command line and graphical packet analysis tools, and NSM consoles Interpret network evidence from server-side and client-side intrusions Integrate threat intelligence into NSM software to identify sophisticated adversaries There's no foolproof way to keep attackers out of your network. But when they get in, you'll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.

376 pages, Paperback

First published July 22, 2013

Loading interface...
Loading interface...

About the author

Richard Bejtlich

22 books12 followers

Ratings & Reviews

What do you think?
Rate this book

Friends & Following

Create a free account to discover what your friends think of this book!

Community Reviews

5 stars
92 (37%)
4 stars
100 (40%)
3 stars
45 (18%)
2 stars
8 (3%)
1 star
3 (1%)
Displaying 1 - 20 of 20 reviews
8 reviews2 followers
February 9, 2017
The book:
NoStarch Press as always delivers a well crafted book. High quality paper, elegant font and overall a very nice design.

The content:
Offers a great place to start with NSM. It's well written and coherent. by Bejtlich kept it practical, and to the point avoiding other writer's pitfalls like trying to show off or jumping randomly into different topics. The content is also uniform in terms of it's depth. That is, Bejtlich gives the same amount of attention to the various aspects of NSM.

Also, most of the book's contents are still relevant as of 2017.

Other stuff:
The book should've been titled, Mandiant's Operations Manual for NSM. The foreword is by Mandiant's CEO, written by Mandiant's CSO, he liberally quotes and features Mandiant's reports, and then most of the 'secondary' references are to his other books and his blog. I suppose there's nothing technically wrong with that, but it did left me with the feeling that the content was somewhat narrow and two dimensional.
Profile Image for Ilya.
7 reviews
August 21, 2013
This is a great beginners book. However, it does not go beyond that. Policy and process sections are lacking, however are just as important as technology. ELSA is only covered in elementary level.
Profile Image for Rick Howard.
Author 2 books28 followers
July 28, 2017
You can read all of the book reviews in the Cybersecurity Canon here:https://paloaltonetworks.com/threat-r...

Executive Summary

Richard Bejtlich is one of the most respected security practitioners in the community. If he publishes something, we should all take notice. In The Practice of Network Security Monitoring, Bejtlich provides the theory and the hands-on tutorial on how to do network security monitoring the right way. The book is a primer on how to think about network security monitoring and incident response. For seasoned security practitioners, working through the examples in this book will only increase your understanding of the subject. For the beginners in the crowd, Bejtlich provides step-by-step instructions on how to install, configure, and use some of the best open-source tools available that will help any security program improve its network security monitoring capability. Newbies working through the examples in this book will demonstrate to themselves, once and for all, if they have what it takes to work in this field. This book is absolutely a Cybersecurity Canon Candidate and you should have read it by now.


I have been a fan of Bejtlich for a long time. He has been a cyber security book reviewer for many years and he was the inspiration for me to start doing my own book reviews. He is a no-nonsense kind of guy and has been practicing and advancing the craft of network security monitoring and incident response since he started in the industry as a US Air Force officer in 1998. Since then, he has risen in the ranks at some prominent security-minded companies—Foundstone, ManTech, and GE—and today he is the chief security strategist for FireEye. He knows a thing or two about network security monitoring and response. I happen to agree with his general philosophy of cyber security defense, and this book provides an introduction to that philosophy as well as an in-depth, hands-on look at the best open-source tools available.

The book is a primer on how to think about network security monitoring and incident response, and for the beginners in the crowd, it provides step-by-step instructions on how to install, configure, and use some of the best open-source tools available that will help any security program improve its network security monitoring capability.

I am often asked what skills a wannabe cyber security analyst needs to get into the cyber security industry. My glib go-to answer, and the first question I ask any candidates asking to work for me is, can you install a Linux distribution on your home computer? If a newbie cannot get through that basic exercise, he or she should probably seek employment somewhere else. After reading this book though, I plan to up my game. My new question is, can you work through all of the examples in this book and make sense of it all? If you can, you may have a future in the cyber security industry as a SOC analyst or an incident responder. If you struggle with this book, then cybersecurity might not be for you.

The Network Security Monitoring Story

In my own career, I have routinely seen organizations buy and deploy every shiny and new cybersecurity tool that they could get their hands on and deploy them within the enterprise. Their leadership’s grand strategy seemed to be that shiny equals good. In my early days, I may have even subscribed to that theory. Today, I do not have the energy to chase every bright light that appears on the cyber security market. I mostly just want to see what I have already deployed work the way that I thought it should when I originally bought it.

Network Security Monitoring Is More Than Just a Set Of Tools

Buying and deploying new technology is relatively easy compared to training the people and developing the processes necessary to fully use it. Organizations tend to forget this. They think that if they just buy the latest tool—pick your tool, it does not matter which one—that it will miraculously configure itself, monitor itself, and forcefully eject any intruders by itself. In the real world, this does not happen. Bejtlich agrees:

“Products and technologies are not solutions. They are just tools. Defenders (and an organization’s management) need to understand this. No shiny silver bullet will solve the cybersecurity problem. Attacks have life cycles, and different phases of these life cycles leave different evidence in different data sources that are best exposed and understood using different analysis techniques. Building a team (even if it is just a team of one) that understands this and knows how to effectively position the team’s assets (including tools, people, and time) and how to move back and forth between the different data sources and tools is critical to creating an effective incident response capability.”[1]

In a previous job, I had all of the best toys pumping mountains of data to a 24/7 security operations center, but finding an advanced adversary in all of that data was way too hard. The SOC analysts performed Herculean tasks, but we did not have the processes in place, nor the people trained to develop the processes, to fully use all of that advanced technology. It was frustrating. The bottom line is that if you buy the tool, make sure you spend some resources training your people and developing a plan to incorporate the tool into your overall security program.

Bejtlich also says that your traditional tools are not going to help much with our brand new cloud environments.[1] Customers of cloud environments just do not have access to the networks that a network security monitoring team needs. As we move more and more to the cloud, this can be either a liability or a major opportunity for a young entrepreneur to solve the problem.

Operate Like You Are Compromised: Kill Chain Analysis

In a previous blog, I said that kill chain analysis is one of the three great innovations that have come down the pipe from the security community this past decade.[2] Bejtlich says that Lockheed Martin’s paper on kill chain analysis[3] is unique because followers of the philosophy align their security program along the same lines that adversaries must use to penetrate their victim’s network.

He confirms the notion that I have had for a few years now that the very old “defense-in-depth” model—which we all adopted in the early 1990s to keep the adversary out of our networks—is dead. It is simply not possible. On the other hand, it does not necessarily mean that you have a disaster on your hands just because one or more adversaries manage to work their way down a couple of links of your kill chain.[3] The idea is to detect these adversaries before they can accomplish their ultimate goal: crime, espionage, hacktivism, warfare, mischief, or whatever. Bejtlich says,

“Prevention eventually fails … Rather than just trying to stop intruders, mature organizations now seek to rapidly detect attackers, efficiently respond by scoping the extent of incidents, and thoroughly contain intruders to limit the damage they might cause.”[1]

My own personal goal is early detection, quick eradication, and automatic prevention of those observed attacks going forward before these adversaries can claim victory. With the old defense-in-depth model, we were trying to prevent all penetrations into the network. Bejtlich says,

“It’s become smarter to operate as though your enterprise is always compromised.”[1]

Kelly Jackson Higgins interviewed Steve Adegbite, the director of cyber security for Lockheed Martin (LM), in 2013 regarding how LM used kill chain analysis to discover that the company’s RSA token deployment had been compromised.[4] Adegbite said that

"The goal of the Kill Chain is to make sure [the adversaries] don't get to step 7 [of the Kill Chain] and exfiltrate.”[4]

In other words, it is acceptable for adversaries to penetrate your networks as long as you have installed the processes to contain the damage they might cause.

Network Security Monitoring as a Decision Tool, Not a Reaction Process

Bejtlich’s take on network security monitoring is subtly different than what I would expect from most other security practitioners who have not had a lot of experience actually doing it. According to Bejtlich, these practitioners use network security monitoring for forensics and troubleshooting.[1] His take is to use the discipline as a decision tool for how to contain the detected adversary. He also believes you have to measure your team’s effectiveness by measuring things like

* How long it takes to detect adversaries once they have entered your network
* How long it takes to contain adversaries once you have detected them

In the 2014 Verizon Data Breach report,[5] researchers show that of the 1,367 known data breaches in 2013, security teams discovered less than 25 percent of them (341) within days of the initial compromise. Security teams discovered the rest (1,026) many days and weeks later. Bejtlich says that for a network security monitoring program do be effective, teams must measure how they reduce that time.[1]

Incident Response and Threat Intelligence Go Together

Bejtlich talks about the various approaches to handle a breach within your organization. Some incident response teams elect to identify the compromised asset, take it offline, maybe do some forensics on it, re-image it, and then put it back online so that they can wait for the next breach to happen. I call this the whack-a-mole approach to incident response. This process provides you no context about what the adversaries did and why. Other organizations engage their threat intelligence group and are able to understand the impact of what these adversaries are trying to accomplish. Bejtlich explains that incident response teams can frame the attacks from different perspectives: a threat-centric approach andBottom of Form an asset-centric approach.[1] He says that threat intelligence teams track adversaries by campaigns but that incident response teams respond to the adversary’s actions in waves.[1] He provides practical guidance about what kind of skills and capabilities an incident response team and intelligence team require.

So that’s the story: build a network security monitoring program by deploying the right tool, training your people how to use the tool properly, and developing the processes necessary to incorporate the tool into the overall program. Assume that your network is already compromised, and aggressively track adversaries down the kill chain. Remember, the network security monitoring team’s goal is to prevent adversaries from accomplishing their goals. Use the program to make decisions about how to contain the adversary quickly and efficiently, and use your intelligence team to understand the context of how and why the adversary is attacking your network.

Let’s talk about the tech.

The Network Security Monitoring Tech

This is where it gets really good. The theory is one thing—and I like the theory part—but the actual doing is what really matters. Bejtlich provides a hands-on tutorial on how to deploy the best open-source tools to do network security monitoring. If you are a young person thinking that you want to be a cyber security professional or if you are transitioning careers and you think cyber security is something you can handle, get this book and work through the examples. If you can do them, then I want to talk to you about a job. If you can’t, then maybe consider a less technically demanding career.

Bejtlich says that there are two types of network security monitoring data: full content and extracted content. He says that network security monitoring tools help analysts review these different data types and make a decision about containment based on an organization’s network security process. [1] He points practitioners to Doug Burks’ Security Onion (SO) distribution to get three types of tools: data collection, data presentation, and packet analysis.

Data Collection Tool:


Data Presentation Tools:

Tshark (the command line version of Wireshark)
Argus’s Ra client
Dumpcap in concert with Tshark

Packet Analysis Tools:


Richard Bejtlich is one of the most respected security practitioners in the community. If he is speaking somewhere, take the time to hear what the man has to say. The same goes for his writing. If he publishes something, we should all take notice. In The Practice of Network Security Monitoring, Bejtlich provides the theory of and the hands-on tutorial on how to do network security monitoring the right way. He tells you why you should be doing it and how it should work together, and he gives you step-by-step instructions on how to deploy and use the best open-source tools available. If you are already a seasoned security practitioner, working through the examples in this book will only increase your understanding of the subject. If you are a newcomer to the subject, working through the examples will indicate once and for all if you have what it takes to work in this field. This book is absolutely a cyber security canon candidate, and you should have read it by now.


[1] "The Practice of Network Security Monitoring: Understanding Incident Detection and Response, " by Richard Bejtlich, No Starch Press, 2 August 2013, last visited 29 September 2014,

[2] "Help Me Obi Wan – You’re My only Hope: Three Cyber Security Innovations to Give You Courage," by Rick Howard, Terebrate, 10 June 2013, last visited 30 September 2014,

[3] "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," by Hutchins, Cloppert & Amin, Lockheed Martin Corp., 2011, last visited 29 September 2014,

[4] "How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack," by Kelly Jackson Higgins, DarkReading, 12 February 2013, last visited 30 September 2014,

[5] "2014 DATA BREACH INVESTIGATIONS REPORT," by Verizon, 2014, last visited 1 October 2014,
Author 2 books11 followers
January 22, 2018
A good overview, but the contents are now too outdated. Two chapters were still useful.
Profile Image for Ray.
17 reviews
February 21, 2022
My 2nd copy is dogeared and tattered. A great working book.
Profile Image for Michael Larsen.
21 reviews9 followers
September 24, 2013
This certainly fell into my lap at an opportune time. With the various revelations being made about the NSA and its tactics, as well as the upsurge in attention being paid to network and application security in general, this book was a welcome arrival in and of itself. There's a lot of attention paid to the "aftermath" of security breaches. We see a lot of books that talk about what to do after you've been hacked, or tools that can help determine if your application can be penetrated, along with tools and recommendations for performing that kind of testing. Less often asked (or covered) is "what can we do to see if people are actually trying to get into our network or applications in the first place?" While it's important to know how we got hacked, I'd like to see where we might get hacked, and sound an early warning to stop those hackers in their tracks.

To that end, Network Security Monitoring (NSM) makes a lot of sense, and an important line of defense. If the networks can be better monitored/protected, our servers are less likely to be hacked. We cannot prevent all breaches, but if we understand them and can react to them, we can make it harder for hackers to get to anything interesting or valuable.

It's with this in mind that Richard Bejtlich has written "The Practice of Network Security Monitoring", and much of the advice in this book focuses on monitoring and protecting the network, rather than protecting end servers. The centerpiece of this book (at least from a user application standpoint) is the open source Security Onion (SO) NSM suite from Doug Burks (http://securityonion.blogspot.com/). The descriptions and the examples provided (as well as numerous sample scripts in the back of the book) help the user get a good feel for the operations they could perform (and control) to collect network data, as well as how to analyze the collected data.

The tools can be run from a single server, but to get the maximum benefit, a more expansive network topology would be helpful. I can appreciate that my ops people didn't quite want to see me "experiment" on a broader network for this book review. After reading it, though, they may be willing to give me the benefit of the doubt going forward ;).

There are lots of individual tools (graphical and command line) that can be used to help collect and analyze network traffic details. Since there are a variety of tools that can be used, the author casts a broad net. Each section and tool gets its own setup, and an explanation as to how to use them. The examples are straightforward and easy enough to follow to get a feel as to how they can be used.

The last part of the book puts these tools into action, and demonstrates examples as to how and where they can be used. The enterprise security cycle is emphasized (planning, resistance, detection, and response), with an emphasis on the last two items. NSM uses its own process flow (collection, analysis, escalation, and resolution). By examining a variety of server side and client side compromises, and how those compromises can be detected and ultimately frustrated, we get a sense of the value and power of this model.

Bottom Line:

My approach to learning about NSM in general comes from being a software tester, and therefore I'm very interested in tools that I can learn and implement quickly. More important, though is the ability to apply a broad array of options. Since I don't really know what I may be called on to test, this varied model of NSM interests me greatly. From an understanding level, i.e. an ease of following along and seeing how it could work and where, I give the book high marks. I'm looking forward to when I can set up a broader and more varied network so I can try out some of the more expansive options.

On the whole, "The Practice of Network Security Monitoring" gets the reader excited about getting deeper into the approach, and looking to where they can get more engaged. As tech books go, it's a pretty fun ride :).
Profile Image for BCS.
218 reviews27 followers
January 17, 2014
Network security monitoring (NSM) deals with ways to find intruders on a network and do something about them before they perpetrate any damage to an enterprise. This six-part book complements three previous books on the subject by the same author.

The first part introduces the subject, explaining why it matters to monitor networks and how the required information is best collected. Part two deals with installing Security Onion (SO) software, its effective deployment and configuration.

SO is a Linux distribution for intrusion detection and network security monitoring. Part three describes the software shipped with SO and the use of these applications. The final part deals with how to use NSM processes and data to detect and respond to intrusions.

The author starts by comparing NSM with other approaches to intrusion prevention/detection such as blocking, filtering and denying network configurations, and explains how and where NSM differs in its approach and set-up. He also points out that, if it is not possible to observe traffic on a network, such as when devices talk directly with each other, NSM is unlikely to work.

The range of NSM data, such as session data, transaction data and statistical data used by NSM to allow analysts to discover and act on intrusions is then considered and discussed.

The deployment of the open source SO NSM suite is then dealt with in some depth. SO is used as an NSM case study by the author due to its easy deployment and operation. This section also covers stand-alone and distributed deployment and considers effective housekeeping of the SO platform to ensure smooth running of installations.

The final two parts of the book consider the key applications shipped as part of SO such as the command line and graphic packet analysis tools along with the NSM console configurations. Lastly, NSM in practice is discussed along with the author’s experiences in building and running an NSM team. The book concludes by considering the future role of NSM, particularly with respect to cloud environments.

The author uses a wide variety of illustrative techniques throughout the book to support and amplify the written text such as screen shots, example print-outs and coding snippets to aid understanding along with references to other available books on the topic.

Although perhaps a bit overly detailed in places, the book does provide a comprehensive grounding in the subject matter. It is likely to command readership amongst security professionals unfamiliar with NSM monitoring as well as possibly more senior staff required to teach NSM. I award the book seven out of ten in terms of its readability and value for money.

Reviewed by Jim McGhie CEng MBCS CITP
Profile Image for Glenda.
20 reviews
August 26, 2015
This book is extremely informative if the reader is not at all familiar with NSMs in general. As someone who has a little um, dusty grasp of NSMs, this was nice, as it is kind of a refresher. However, I do feel like most of this could be found in Security Onion's Wiki.

The tone of the book is excellent. There are plenty of useful screenshots to explain exactly what each operation does.

My main concern with the book is actually the acronyms. It seems to be a little unfriendly in terms of "I need to read one chapter now, but there's a three letter acronym and I have no clue what it is" only to have the definition be several chapters earlier. Small grievance, I know. :)

Final word: LOVE the stuff No starch does, and can pretty reliably suggest any book they've put out. Book itself felt WONDERFUL to hold.
Profile Image for Robert Lee.
Author 6 books13 followers
September 5, 2013
Richard has done such an amazing job with leaning forward in network security; his focus on Network Security Monitoring (NSM) has been extremely helpful to industry beginners as well as professionals. I liked the approachable nature of this book, the cohesive and natural writing style, and the depth of expertise offered. The book should be required reading for beginning to mid level network security professionals and is still a "must read" by everyone else in this industry.
Profile Image for Fuat .
21 reviews
August 4, 2014
Suggesting this book for network security monitoring. You will start with Security Onion and will have a hands on experience. A good and cost free start for NSM. Your only cost will be the time you invest learning NSM.
15 reviews3 followers
April 30, 2016
Years later and it still applies. That is how critical this book is. If you are a defender then you MUST read this.
Displaying 1 - 20 of 20 reviews

Can't find what you're looking for?

Get help and learn more about the design.