Network Security Through Data Analysis
From Data to Action
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
- Authors
- Michael Collins
- Published
- 2017
- Publisher
- O'Reilly Media
- Pages
- 428
- Language
- English
Read this if
Detection engineers and SOC analysts who've graduated from "what alert is this" to "is this alert worth triaging at all." Collins is the quantitative-detection text the field needed.
Skip this if
Beginners with no NSM background, or readers who only do log-based detection. The book leans heavily on flow data and statistical thinking; pair with The Practice of Network Security Monitoring (Bejtlich) first if you're new to the discipline.
Key takeaways
- Detection engineering at scale is a statistical problem; the book teaches the framing every modern SOC eventually reinvents.
- Flow-data analytics (NetFlow / IPFIX / sFlow) catch lateral movement that packet-based detection misses; the book is the cleanest treatment in print.
- Time-series anomaly detection can be done well with off-the-shelf tooling and clear thinking; the chapters on baseline calibration are the practical core.
Notes
Pair with Practice of Network Security Monitoring (Bejtlich) for the operational frame and Practical Packet Analysis (Sanders) for the Wireshark fluency. Collins's research at Carnegie Mellon's CERT/CC underlies much of the book; his subsequent work on security data analytics is the natural follow-up reading.
What to read before Network Security Through Data Analysis
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Beginner · 2017
Practical Packet Analysis
Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
What to read after Network Security Through Data Analysis
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.
Intermediate · 2017
Zero Trust Networks
Evan Gilman and Doug Barth's pre-marketing-bubble treatment of zero-trust architecture — what it is when you actually implement it (trust evaluation, device identity, dynamic policy) versus what the vendor pitch turned it into.
Alternatives to Network Security Through Data Analysis
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2017
Zero Trust Networks
Evan Gilman and Doug Barth's pre-marketing-bubble treatment of zero-trust architecture — what it is when you actually implement it (trust evaluation, device identity, dynamic policy) versus what the vendor pitch turned it into.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.