Future Books
- Role: Co-author
- Publisher: Addison-Wesley
- Availability: July 2011
- Subject: Brand-new cases from the Jones, Bejtlich, and company team! We are working on this book now.
Published Books
- Role: Author, with several contributors
- Publisher: Addison-Wesley; November 2005, ISBN 0321349962
- Availability: Amazon.com
- Reviews and Citations: Amazon.com, Tony Stevenson, USENIX Login (.pdf), Information Security Magazine
- Subject: Extrusion Detection helps security architects and engineers control and instrument their networks, and helps analysts investigate security events. Extrusion Detection is a sequel to my first book, but this one is focused on monitoring client-side intrusions. Readers will learn theory, techniques, and tools to implement network security monitoring (NSM) for internal intrusions. The book's premise is that a defensible network can be built and operated only if the people, products, and processes enable pervasive network awareness.
- Excerpts: Foreword by Marcus Ranum; Chapter 4 ("Enterprise Network Instrumentation") and chapter 3 ("Extrusion Detection Illustrated"), all in .pdf format
- Errata: here
- Downloads: none yet
- Miscellaneous: not applicable
- Role: Author
- Publisher: Addison-Wesley; July 2004, ISBN 0321246772
- Availability: Amazon.com
- Reviews and Citations: Amazon.com, BN.com, Slashdot, Computerworld, LinuxSecurity.com, IEEE Cipher, USENIX Login (.pdf), Information Security, Dru Lavigne, BMonday.com, (IN)SECURE magazine (.pdf), Firewall.cx.
- Subject: My first solo book, The Tao of NSM is a comprehensive overview of the products, people, and processes needed to implement network security monitoring.
- Excerpts: foreword; Chapters 2 and 10 ("What is NSM?" and "Alert Data: NSM Using Sguil"), chapter 11 ("Best Practices"), and chapter 18 ("Tactics for Attacking NSM"), all in .pdf format; chapter 10 is browsable at Informit.com
- Errata: here -- note the fixed references to figures in Appendix A for the TCP sequence number discussion
- Downloads: The traffic captures referenced in chapter 4 are available here. They are in .tar.gz format (Windows users can use WinZip or 7-Zip to access them) and about 2 MB prior to extraction. The papers discussed in Appendix B are available here (17 MB).
- Role: Contributor, chapter 8 ("Collecting Network-Based Evidence") and chapter 14 ("Analyzing Network Traffic")
- Publisher: McGraw-Hill/Osborne, July 2003
- Availability: Amazon.com listing
- Subject: Incident Response was the best IR book in the early 2000s. I contributed material to chapters 8 and 14, although Kevin modified them to suit his needs.
- Excerpts: none
- Errata: none
- Downloads: none
- Miscellaneous: not applicable
- Role: Contributor, "Case Study: Network Security Monitoring"
- Publisher: McGraw-Hill/Osborne, February 2003
- Availability: Amazon.com
- Subject: Hacking Exposed put Foundstone on the map. This book featured the first formal publication of the term "network security monitoring" as defined by the NSM community.
- Excerpts: none
- Errata: none
- Downloads: See HackingExposed.com
- Miscellaneous: none