Monday, April 29, 2013

Practice of Network Security Monitoring Table of Contents

Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monitoring. The TOC has only solidified in the last day or so. I delayed responding until I completed all of the text, which I did this weekend.

You can preorder the book through No Starch. Please consider using the discount code NSM101 to save 30%.

I'm still on track to publish by July 22, 2013, in time to teach two sessions of my new course, Network Security Monitoring 101, in Las Vegas. I'll be using the new book's themes for inspiration but will likely have to rebuild all the labs.

I expect the book to approach the 350 page mark, exceeding my initial estimates for 256 pages and 7 chapters. Here's the latest Table of Contents.

  • Part I, “Getting Started,” introduces NSM and how to think about sensor placement.
    • Chapter 1, “NSM Rationale,” explains why NSM matters, to help you gain the support needed to deploy NSM in your environment.
    • Chapter 2, “Collecting Network Traffic: Access, Storage, and Management,” addresses the challenges and solutions surrounding physical access to network traffic.

  • Part II, “Security Onion Deployment,” focuses on installing SO on hardware, and configuring SO effectively.
    • Chapter 3, “Stand-alone Deployment,” introduces SO, and explains how to install the software on spare hardware to gain initial NSM capability at low or no cost.
    • Chapter 4, “Distributed Deployment,” extends Chapter 3 to describe how to install a dispersed SO system.
    • Chapter 5, “SO Housekeeping,” discusses maintenance activities for keeping your SO installation running smoothly.

  • Part III, “Tools,” describes key software shipped with SO, and how to use these applications.
    • Chapter 6, “Command Line Packet Analysis Tools,” explains the key features of Tcpdump, Tshark, Dumpcap, and Argus in SO.
    • Chapter 7, “Graphical Packet Analysis Tools,” adds GUI-based software to the mix, describing Wireshark, Xplico, and NetworkMiner.
    • Chapter 8, “Consoles,” shows how NSM suites like Sguil, Squert, Snorby, and ELSA enable detection and response workflows.

  • Part IV, “NSM in Action,” discusses how to use NSM processes and data to detect and respond to intrusions.
    • Chapter 9, “Collection, Analysis, Escalation, and Resolution,” shares my experience building and leading a global Computer Incident Response Team (CIRT).
    • Chapter 10, “Server-Side Compromise,” is the first NSM case study, wherein you’ll learn how to apply NSM principles to identify and validate the compromise of an Internet-facing application.
    • Chapter 11, “Client-Side Compromise,” is the second NSM case study, offering an example of a user being victimized by a client-side attack.
    • Chapter 12, “Extending SO,” covers tools and techniques to expand SO’s capabilities.
    • Chapter 13, “Proxies and Checksums,” concludes the main text by addressing two challenges to conducting NSM.

  • The Conclusion offers a few thoughts on the future of NSM, especially with respect to cloud environments and workflows.
  • Appendix A, “Security Onion Scripts and Configuration,” includes information from SO developer Doug Burks on core SO configuration files and control scripts.

I hope you enjoy the book and consider the new class! If you have comments or questions, please post them here on via @taosecurity.

2 comments:

JsH said...

Hi Thanks It´s a very useful and practical book than I had never been read before. Can you tell me if on page 247 the text said IP 203.0.113.115 and on the figure 11-12 said ip 203.0.11.15. Is it correct?
Thanks in advance

Richard Bejtlich said...

I'm glad you like the book. The line on p 247 saying

We decide to take another look at traffic involving 203.0.113.115

should say

We decide to take another look at traffic involving 203.0.113.15