Let's hear it for another exceptionally well written book on network monitoring. Aside from a very clear and easy to understand writing style, Richard hits home with practicality and rich detail. I've become a big fan of his writings including those on his informative blog, http://taosecurity.blogspot.com/.
First, the praise. New material, different from that in Tao, his former book, includes a more extensive look at taps, along with defense and mitigation (and lots of it), querying NSM data from databases, Ra tools, handling NSM data properly and with care, and network design and filtering. There's a lot of discussion on implementing defensive measures with Cisco products and proxies. I was glad to see more examples of argus use and the utilization of shell redirection to grab and format what you want. With that said, other things I really appreciate that tend to be innate to Richard's books are his heavy use of footnotes and citations, recommended and further readings, explanations of all command-line options and arguments, methodical case studies, and line-number and font-emphasized addenda to help the reader focus on key elements when looking at large output.
Richard also makes an effort to provide new tools and material not covered elsewhere, as stated in his book. I always end up making notes of new tools to check out and play with, e.g., netsed, flowgrep, dhcpdump, ntsyslog.
I especially enjoy his use of FreeBSD when choosing a platform, not because I think it's a good operating system (I do), but because tech literature on the BSDs is not as abundant as it is for other operating systems. This will attract the interest of newer and non-users.
Finally, the criticism. This is probably less on the author, but I really didn't like that the page numbers in this book were on the inside corners rather than the outside. You have to really open the book in rooms that are not well lit to see the page numbers. There is a formatting error on p. 52 where the 22nd footnote is: "Start Squid by simply executing squid.2 2". The 22 is separated by what looks to be two spaces, and the least significant 2 :) runs into the letter "Y" of the word "You" in the next sentence. Again, less the author and more the editor (maybe?), there's a mistake on page 100. In the sentence, "This means we could forge any TCP packet with content uid=0(root0) and...", I believe the sentence means uid=0(root) rather than uid=0(root0). Personal requests: I would have liked to see more examples of BRO rather than snort, a case study of a web app attack, and more use of ARGUS and its Ra tools.
Conclusion: This book was informative and enjoyable to read; I highly recommend it.
"This is my 2nd book by Bejtlich that I have read, with the first being "The Tao of Network Security Monitoring: Beyond Intrusion Detection." While the Tao of NSM focused mainly on detecting attacks coming in from the perimeter, this book focused on Network Security Monitoring principles as applied to traffic going out of the network. Bejtlich starts out by doing an overview of Network Security Monitoring, referencing his earlier book as a more in-depth treatise on NSM. He then goes on to the theory and illustration of "Extrusion Detection" ("The process of identifying unauthorized activity by inspecting outbound network traffic."). We see Extrusion Detection illustrated with the 4 types of NSM data (Full Content, Session, Statistical, and Alert). We then moved on to "Enterprise Network Instrumentation," which included discussions on network/packet capture equipment, some I had never seen before: SPAN Regeneration Taps, Link Aggregator Taps, etc. The next section was probably my favorite: Enterprise Sink Holes. What a fantastic way to discover a local compromised host scanning your internal network. This section also had some great ways to do short-term containment (with a Sink Hole) on a loose worm (the coolest, in my opinion, being Unicast Reverse Path Forwarding). Next we have sections on Traffic Threat Assessments, Network Incident Response, and Network Forensics. The book finishes up with a case study on traffic threat assessment and a discussion on Malicious Bots. I have to give this book 5 stars out of 5 for its fresh and unique look at internal and outbound intrusions. Richard doesn't rehash what a thousand other network security pros have written." (Josh)
This book is readable and useful, but in the end I think if you've carefully read "The Tao of NSM", then you've gotten all the information you're going to from both books...
Good follow-up to The Tao of Network Security Monitoring. The chapters on Network Incident Response and Network Forensics were the most informative for me.