Amazon.com just posted my four star review of Defend IT. From the review:
"I commend ch 2 ('Home Architecture') for insights I find lacking in most books on intrusion detection or incident response. The authors astutely state on p. 26 and 33: 'this incident was not discovered by flashing lights and alerts set off by an IDS... In fact, there was no early indication of a network compromise.' This explains the authors' next recommendation: 'It is a good idea to keep access logs that are as detailed as possible -- at least with respect to inbound and outbound connections... Though you may not use these logs on a regular basis, for those instances when you need them, especially including investigations of network compromise, they are invaluable.' Exactly!"
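The recommendation quoted above is that detailed inbound and outbound connection logs, rarely looked at day to day, are what you reach for once a compromise surfaces. As an added example (not code from the book or from this post), the Python below runs the retrospective questions an investigator asks over a constructed set of session records: when did anyone first talk to an indicator, which internal hosts touched it, what reached a host before it started talking out, and how much data each host sent out. The log format, the 10.1.1.0/24 internal range and every address and timestamp are assumptions made up for illustration.

```python
"""Retrospective lookup over connection logs.

Added example, not from the book or the original post. Given session-level
records of inbound and outbound connections, answer the questions an incident
responder asks once an indicator turns up after the fact. Every record below
is constructed; the internal range and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed session records, one per line:
# timestamp src sport dst dport proto bytes_from_src
SESSION_LOG = """\
2004-09-01T02:14:07 10.1.1.25 3301 192.0.2.44 80 tcp 512
2004-09-01T02:14:09 10.1.1.25 3302 192.0.2.44 443 tcp 18844
2004-09-01T03:40:51 203.0.113.9 44512 10.1.1.10 22 tcp 2201
2004-09-02T01:05:13 10.1.1.10 51022 198.51.100.7 6667 tcp 74
2004-09-02T01:05:14 10.1.1.10 51022 198.51.100.7 6667 tcp 91
2004-09-03T12:00:00 10.1.1.31 1200 198.51.100.7 6667 tcp 60
2004-09-03T12:30:02 10.1.1.10 51100 203.0.113.77 443 tcp 9000000
"""

INTERNAL_PREFIX = "10.1.1."  # assumed internal range for this example


def parse_sessions(text):
    """Parse the whitespace-separated session format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def direction(rec):
    """Classify a session relative to the internal range."""
    if is_internal(rec["src"]) and not is_internal(rec["dst"]):
        return "outbound"
    if not is_internal(rec["src"]) and is_internal(rec["dst"]):
        return "inbound"
    return "internal"


def contacts_with(records, indicator):
    """All sessions touching the indicator IP, oldest first."""
    return [r for r in records if indicator in (r["src"], r["dst"])]


def first_contact(records, indicator):
    """Earliest session involving the indicator, or None if never seen."""
    hits = contacts_with(records, indicator)
    return hits[0] if hits else None


def internal_hosts_talking_to(records, indicator):
    """Which internal hosts ever exchanged traffic with the indicator."""
    hosts = set()
    for r in contacts_with(records, indicator):
        hosts.add(r["src"] if is_internal(r["src"]) else r["dst"])
    return sorted(hosts)


def inbound_before(records, host, when):
    """Inbound sessions that reached `host` before `when`: how did it get in?"""
    return [r for r in records
            if r["dst"] == host and direction(r) == "inbound" and r["ts"] < when]


def outbound_volume_by_host(records):
    """Bytes each internal host sent to the outside; large values stand out."""
    vol = defaultdict(int)
    for r in records:
        if direction(r) == "outbound":
            vol[r["src"]] += r["bytes"]
    return dict(vol)


if __name__ == "__main__":
    recs = parse_sessions(SESSION_LOG)
    ioc = "198.51.100.7"  # constructed indicator learned after the fact
    fc = first_contact(recs, ioc)
    print("first contact:", fc["ts"], fc["src"], "->", fc["dst"], fc["dport"])
    print("internal hosts involved:", internal_hosts_talking_to(recs, ioc))
    for r in inbound_before(recs, fc["src"], fc["ts"]):
        print("inbound to", fc["src"], "before first contact:", r["ts"], r["src"], r["dport"])
    print("outbound bytes by host:", outbound_volume_by_host(recs))
```

The point of the script is that none of these questions can be answered from IDS alerts alone: once the indicator is known, the session log is the only thing that places the first contact on 10.1.1.10, ties a second host to the same destination, and shows the inbound SSH session that preceded it.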
Although I didn't mention it in the review, I found the authors' use of Cenzic's Hailstorm vulnerability testing software to generate IDS alerts, and Mercury LoadRunner to load the network, to be interesting. I had heard of Hailstorm, but I'm not convinced it's an appropriate technology for assessing the effectiveness of an IDS.
If you read my review you'll notice I cautioned the authors about sanitizing data about clients. If you think you've identified the organization documented in chapter 4, email me at taosecurity at gmail dot com. I have my guess...