The Practice of Network Security Monitoring
Understanding Incident Detection and Response
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
- Authors: Richard Bejtlich
- Published: 2013
- Publisher: No Starch Press
- Pages: 376
- Language: English
Read this if
Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.
Skip this if
Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.
Key takeaways
- Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
- The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
- Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.
Notes
Pair with Network Security Through Data Analysis (Collins) for the quantitative side and with Practical Packet Analysis (Sanders) for Wireshark fluency. Bejtlich's blog and Twitter remain mandatory reading. Required reading for anyone joining a SOC or designing detection programs; the principles age slowly and are foundational to the discipline.
What to read before The Practice of Network Security Monitoring
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Beginner · 2017
Practical Packet Analysis
Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
What to read after The Practice of Network Security Monitoring
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.
Intermediate · 2017
Zero Trust Networks
Evan Gilman and Doug Barth's pre-marketing-bubble treatment of zero-trust architecture — what it is when you actually implement it (trust evaluation, device identity, dynamic policy) versus what the vendor pitch turned it into.
Alternatives to The Practice of Network Security Monitoring
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.
Intermediate · 2017
Zero Trust Networks
Evan Gilman and Doug Barth's pre-marketing-bubble treatment of zero-trust architecture — what it is when you actually implement it (trust evaluation, device identity, dynamic policy) versus what the vendor pitch turned it into.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.