// Comparison

Network Security Through Data Analysis vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52017

From Data to Action

Michael Collins

Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.

Intermediate

5/52013

The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Detection engineers and SOC analysts who've graduated from "what alert is this" to "is this alert worth triaging at all." Collins is the quantitative-detection text the field needed.

Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Beginners with no NSM background, or readers who only do log-based detection. The book leans heavily on flow data and statistical thinking; pair with The Practice of Network Security Monitoring (Bejtlich) first if you're new to the discipline.

Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

Detection engineering at scale is a statistical problem; the book teaches the framing every modern SOC eventually reinvents.
Flow-data analytics (NetFlow / IPFIX / sFlow) catch lateral movement that packet-based detection misses; the book is the cleanest treatment in print.
Time-series anomaly detection can be done well with off-the-shelf tooling and clear thinking; the chapters on baseline calibration are the practical core.

Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Network Security Through Data Analysis). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Network Security Through Data Analysis is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Network Security Through Data Analysis and The Practice of Network Security Monitoring both cover Defensive, Networking, Detection, so reading them in sequence reinforces the same material from different angles.

Keep reading

Network Security Through Data Analysis

→ Alternatives to Network Security Through Data Analysis → What to read after Network Security Through Data Analysis