Everyone wants to know how to find intruders on their networks. I learned one approach when I served in the Air Force Computer Emergency Response Team (AFCERT) as a captain from 1998 to 2001. When I left the service and brought my refinements of network security monitoring (NSM) to the commercial world, I decided that at some point I would explain what I knew in book form for the good of the computer network defense community.
In July 2004, I published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection . Although I had published material on NSM in 2002 in Hacking Exposed, 4th Edition and in 2003 in Incident Response, 2nd Edition, the Tao was my first major contribution to the field of detecting and responding to intrusions using network-centric tools and tactics. I wrote two other books in the following two years, namely Extrusion Detection and Real Digital Forensics, the latter as a co-author. I wrote for the intermediate-to-advanced level audience, and people seemed to find the works useful.
I began teaching multi-day classes on NSM and related subjects in 2004, and in 2007 brought new classes on NSM to Black Hat. Over the years I kept my material at the intermediate-to-advanced level because I thought that sort of viewpoint was most needed. In late 2012, however, teaching for Black Hat in Dubai, I realized that for every intermediate-to-advanced student in my class, there were probably 100 or more introductory-level students trying to better understand security and their networks. By writing for people who I thought already "got" NSM, I ignored thousands of deserving readers and students.
In late December 2012 I decided it was time to a write a book for people who knew something about computers, networking, and security, but little to nothing about NSM or incident detection and response. I submitted a proposal to No Starch and began writing a new book the first week of January 2013, with the goal of having it in print for Black Hat in July 2013. Thanks to the fine work of No Starch's team and my editors and contributors, The Practice of Network Security Monitoring arrived in time for Black Hat last month.
If you want to know how to use network-derived evidence to detect and respond to intrusions, my new book is for you. I teach you why NSM matters, where and how to obtain visibility, how to collect and analyze traffic, and what to do when you find something suspicious or malicious. Although you may be able to use your existing tools and data to accomplish these goals, I demonstrate NSM using the amazing open source NSM distro Security Onion by Doug Burks and Scott Runnels. With nothing more than the investment in some reading time and downloading free software, you can start learning how intruders are abusing your network.
In addition to writing the new book for those at the introductory level of NSM practice, I also wrote a new class titled "NSM 101." I taught the material at Black Hat last month, and feedback was positive. I intend to teach the same course in Seattle for Black Hat on December 9-10, 2013 and again in 2014 in Vegas and elsewhere with Black Hat. I find that my network-centric approach nicely complements the powerful endpoint- and log-centric tools and capabilities available from Mandiant's products and services.
If you have questions about how NSM can help defend your organization, please feel free to send me a tweet via @taosecurity. I am happy to respond to thoughtful questions.