
The Practice of Network Security Monitoring
Understanding Incident Detection and Response
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
- Authors: Richard Bejtlich
- Published: 2013
- Publisher: No Starch Press
- Pages: 376
- Language: English
Read this if
Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.
Skip this if
Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.
Key takeaways
- Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
- The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
- Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.
Notes
Pair with Network Security Through Data Analysis (Collins) for the quantitative side and with Practical Packet Analysis (Sanders) for Wireshark fluency. Bejtlich's blog and Twitter remain mandatory reading. Required reading for anyone joining a SOC or designing detection programs; the principles age slowly and are foundational to the discipline.
What to read before
What to read before The Practice of Network Security Monitoring
Intermediate · 2013
Applied Network Security Monitoring
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Beginner · 2017
Practical Packet Analysis
Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.
What to read next
What to read after The Practice of Network Security Monitoring
Advanced · 2010
Tableaux de bord de la sécurité réseau
A practitioner's manual for measuring and steering network security — metrics, dashboards, monitoring and risk indicators — for the people who run security operations.
Intermediate · 2013
Applied Network Security Monitoring
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Explore similar books
Alternatives to The Practice of Network Security Monitoring
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Intermediate · 2013
Applied Network Security Monitoring
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
Advanced · 2010
Tableaux de bord de la sécurité réseau
A practitioner's manual for measuring and steering network security — metrics, dashboards, monitoring and risk indicators — for the people who run security operations.