Review of Practical Intrusion Analysis Posted

Amazon.com just published my three star review of Practical Intrusion Analysis by Ryan Trost. From the review:

I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.

I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Comments

Anonymous said…
Thanks for writing honest reviews!
7:01 AM
Semper Fi said…
I disagree with Richard's book review. I had a transcontinental flight last week and grabbed the book to give me something to read in the air. I've been working in a military SOC for going on 10 years now and found the overall book interesting (especially the Geospatial chapter).

I was ecstatic that the book hit several different security topics all revolving around intrusion detection rather than purely focusing on Snort, Snort, and finally...yes, more Snort.

I especially enjoyed reading about Bro (something I've been playing around with for about 18 months now), the NetFlow chapter, the physical security chapter and (as previously mentioned) the geospatial chapter.

Although, unless you've been living under a rock for the past 2 years, I would recommend skipping the first 2 chapters as they were obviously written for a beginner.

Overall I'd give it 4 out of 5 stars.
6:04 PM
Anonymous said…
The Geospatial chapter is a fascinating approach to early threat detection and pretty much the only reason I bought the book.

I can't express how nice it is to read about an intrusion detection method that I have NOT already heard about or studied in the last 6 years. Coincidentally even more interesting as the upcoming Snort seminar includes a Snort/Google Earth introduction.

The chapter completely makes the book for me!
9:13 AM
Anton Chuvakin said…
Your generosity officially reached legendary status, based on this review. I just finished the book and the bit about ROI(IDS)=$517,580 (in ch12) made me fall under the table and laugh for about 12 minutes. I can barely crawl out...
7:02 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more