
Applied Network Security Monitoring
Collection, Detection, and Analysis
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
- Authors: Chris Sanders, Jason Smith
- Published: 2013
- Publisher: Syngress
- Pages: 496
- Language: English
Prerequisites
Comfort with TCP/IP, packet captures, and basic Linux. You should already know what a SYN flag is before you open this.
Read this if
You are a SOC analyst or an aspiring detection engineer who wants a structured mental model for collection, detection, and analysis rather than a pile of disconnected tooling tutorials.
Skip this if
You are hoping for a current toolkit: hands-on Zeek/Suricata/Elastic configs you can paste today. The commands in this book have aged out, so look elsewhere for those.
Key takeaways
- Collection is a deliberate decision, not a default. Decide what data matters before you drown in everything.
- The book's split of detection into signature, anomaly, and statistical approaches still maps cleanly onto how modern stacks work.
- Analysis is a discipline with a workflow, not improvised packet-staring, and that framing is the most durable thing here.
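The three detection styles named in the takeaways above are easiest to tell apart when each one catches something the others miss. The following is an added example, not code from the book: it runs a signature check, an anomaly check, and a statistical check over constructed Zeek-style connection records. The IP addresses, the indicator list, the baseline window, and the z-score threshold are all assumptions made for illustration.

```python
"""Signature, anomaly, and statistical detection over constructed connection records.

Added example (not from the book). Records are tuples in a Zeek-style conn.log
shape: (ts, src_ip, dst_ip, dst_port, orig_bytes). Keeping only these five
fields is itself a collection decision: enough to support all three checks.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "yesterday" window used as the learned baseline.
BASELINE = [
    ("2013-10-31T09:00:01", "10.0.0.5", "93.184.216.34", 443, 1000),
    ("2013-10-31T09:05:12", "10.0.0.5", "93.184.216.34", 443, 1200),
    ("2013-10-31T10:11:45", "10.0.0.5", "93.184.216.34", 443, 1100),
    ("2013-10-31T11:30:02", "10.0.0.5", "93.184.216.34", 443, 900),
    ("2013-10-31T13:02:19", "10.0.0.5", "93.184.216.34", 443, 1300),
    ("2013-10-31T09:00:00", "10.0.0.7", "10.0.0.53", 53, 60),
    ("2013-10-31T09:00:30", "10.0.0.7", "10.0.0.53", 53, 70),
    ("2013-10-31T09:01:00", "10.0.0.7", "10.0.0.53", 53, 65),
]

# Constructed "today" window: one benign record and one hit per detection style.
OBSERVED = [
    ("2013-11-01T09:00:03", "10.0.0.5", "93.184.216.34", 443, 1150),   # normal
    ("2013-11-01T09:14:27", "10.0.0.5", "198.51.100.23", 443, 1000),   # known-bad dst
    ("2013-11-01T09:20:00", "10.0.0.7", "203.0.113.9", 4444, 64),      # never-seen port
    ("2013-11-01T02:13:44", "10.0.0.5", "93.184.216.34", 443, 50000),  # usual dst, huge bytes
]

# Assumed indicator list; a real one would come from threat intel, not a literal.
KNOWN_BAD_IPS = {"198.51.100.23"}


def signature_detect(records, bad_ips=KNOWN_BAD_IPS):
    """Signature: exact match against known indicators. Precise, but only for what is already known."""
    return [r for r in records if r[2] in bad_ips]


def build_baseline(records):
    """Anomaly baseline: the set of (src, dst_port) pairs seen in the training window."""
    return {(r[1], r[3]) for r in records}


def anomaly_detect(records, baseline):
    """Anomaly: flag any (src, dst_port) pair never seen before. Needs no indicator, but needs a clean baseline."""
    return [r for r in records if (r[1], r[3]) not in baseline]


def statistical_detect(records, baseline_records, k=3.0):
    """Statistical: per-source bytes-out z-score against the baseline; flag z > k.

    Returns (record, z) pairs. Sources with fewer than two baseline records or
    zero variance are skipped rather than divided by zero.
    """
    per_src = defaultdict(list)
    for r in baseline_records:
        per_src[r[1]].append(r[4])
    hits = []
    for r in records:
        hist = per_src.get(r[1])
        if not hist or len(hist) < 2:
            continue
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            continue
        z = (r[4] - mu) / sigma
        if z > k:
            hits.append((r, round(z, 2)))
    return hits


def detect_all(observed, baseline_records, k=3.0):
    """Run all three detectors and return which timestamps each one flagged."""
    return {
        "signature": [r[0] for r in signature_detect(observed)],
        "anomaly": [r[0] for r in anomaly_detect(observed, build_baseline(baseline_records))],
        "statistical": [r[0] for r, _ in statistical_detect(observed, baseline_records, k)],
    }


if __name__ == "__main__":
    for method, hits in detect_all(OBSERVED, BASELINE).items():
        print(f"{method:12s} -> {hits}")
```

Each detector fires on exactly one record and stays silent on the other three, which is the point: the known-bad destination on a familiar port is invisible to the anomaly check, the never-seen port carries too few bytes for the statistical check, and the exfil-sized transfer goes to a destination that no indicator list and no port baseline would ever object to. The analysis workflow then starts from the union of these, not from any one of them.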
Notes
The methodology has held up better than almost anything else from 2013: the collection-detection-analysis spine is exactly how you should still reason about NSM. What hasn't held up is the toolchain. The Security Onion and Snort material and the specific commands are a generation behind, so read it for the thinking and get your configs elsewhere. Worth it for the mental model alone.
What to read before
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Beginner · 2017
Practical Packet Analysis
Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.
What to read next
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. The detail is iptables-era and predates nftables, but the approach is conceptually durable.
Explore similar books
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Intermediate · 2017
Zero Trust Networks
Evan Gilman and Doug Barth's pre-marketing-bubble treatment of zero-trust architecture — what it is when you actually implement it (trust evaluation, device identity, dynamic policy) versus what the vendor pitch turned it into.