Network Security Through Data Analysis
From Data to Action
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
As an Amazon Associate we earn from qualifying purchases. The link above is sponsored.
- Authors
- Michael Collins
- Published
- 2017
- Publisher
- O'Reilly Media
- Pages
- 428
- Language
- English
Read this if
Detection engineers and SOC analysts who've graduated from "what alert is this" to "is this alert worth triaging at all." Collins is the quantitative-detection text the field needed.
Skip this if
Beginners with no NSM background, or readers who only do log-based detection. The book leans heavily on flow data and statistical thinking; pair with The Practice of Network Security Monitoring (Bejtlich) first if you're new to the discipline.
Key takeaways
- Detection engineering at scale is a statistical problem; the book teaches the framing every modern SOC eventually reinvents.
- Flow-data analytics (NetFlow / IPFIX / sFlow) catch lateral movement that packet-based detection misses; the book is the cleanest treatment in print.
- Time-series anomaly detection can be done well with off-the-shelf tooling and clear thinking; the chapters on baseline calibration are the practical core.
Notes
Pair with Practice of Network Security Monitoring (Bejtlich) for the operational frame and Practical Packet Analysis (Sanders) for the Wireshark fluency. Collins's research at Carnegie Mellon's CERT/CC underlies much of the book; his subsequent work on security data analytics is the natural follow-up reading.
What to read before
What to read before Network Security Through Data Analysis →Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2013
Applied Network Security Monitoring
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
Beginner · 2017
Practical Packet Analysis
Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.
What to read next
What to read after Network Security Through Data Analysis →Advanced · 2010
Tableaux de bord de la sécurité réseau
A practitioner's manual for measuring and steering network security — metrics, dashboards, monitoring and risk indicators — for the people who run security operations.
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2013
Applied Network Security Monitoring
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
Explore similar books
Alternatives to Network Security Through Data Analysis →Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2013
Applied Network Security Monitoring
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
Advanced · 2010
Tableaux de bord de la sécurité réseau
A practitioner's manual for measuring and steering network security — metrics, dashboards, monitoring and risk indicators — for the people who run security operations.