Sunday, July 12, 2009

Review of Practical Intrusion Analysis Posted

My three-star review of Practical Intrusion Analysis by Ryan Trost has just been published. From the review:

I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.

I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Anonymous said...

Thanks for writing honest reviews!

Semper Fi said...

I disagree with Richard's book review. I had a transcontinental flight last week and grabbed the book to give me something to read in the air. I've been working in a military SOC for going on 10 years now and found the overall book interesting (especially the Geospatial chapter).

I was ecstatic that the book hit several different security topics all revolving around intrusion detection rather than purely focusing on Snort, Snort, and finally...yes, more Snort.

I especially enjoyed reading about Bro (something I've been playing around with for about 18 months now), the NetFlow chapter, the physical security chapter and (as previously mentioned) the geospatial chapter.

However, unless you've been living under a rock for the past 2 years, I would recommend skipping the first 2 chapters, as they were obviously written for beginners.

Overall I'd give it 4 out of 5 stars.

Anonymous said...

The Geospatial chapter is a fascinating approach to early threat detection and pretty much the only reason I bought the book.

I can't express how nice it is to read about an intrusion detection method that I have NOT already heard about or studied in the last 6 years. Coincidentally, it's even more interesting as the upcoming Snort seminar includes a Snort/Google Earth introduction.

The chapter completely makes the book for me!

Dr Anton Chuvakin said...

Your generosity officially reached legendary status, based on this review. I just finished the book and the bit about ROI(IDS)=$517,580 (in ch12) made me fall under the table and laugh for about 12 minutes. I can barely crawl out...