Extrusion Detection: Security Monitoring for Internal Intrusions Paperback – November 18, 2005

ISBN-13: 978-0321349965 ISBN-10: 0321349962
Editorial Reviews

From the Back Cover

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.

Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.

Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

  • Architecting defensible networks with pervasive awareness: theory, techniques, and tools
  • Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
  • Dissecting session and full-content data to reveal unauthorized activity
  • Implementing effective Layer 3 network access control
  • Responding to internal attacks, including step-by-step network forensics
  • Assessing your network's current ability to resist internal attacks
  • Setting reasonable corporate access policies
  • Detailed case studies, including the discovery of internal and IRC-based bot nets
  • Advanced extrusion detection: from data collection to host and vulnerability enumeration

About the Web Site

Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.

About the Author

Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training, and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy. He has authored or coauthored several security books, including The Tao of Network Security Monitoring (Addison-Wesley, 2004).

Product Details

  • Paperback: 416 pages
  • Publisher: Addison-Wesley Professional (November 18, 2005)
  • Language: English
  • ISBN-10: 0321349962
  • ISBN-13: 978-0321349965
  • Product Dimensions: 6.9 x 1 x 9.1 inches
  • Shipping Weight: 1.6 pounds
  • Average Customer Review: 4.6 out of 5 stars (12 customer reviews)
  • Amazon Best Sellers Rank: #72,238 in Books

More About the Author

Richard Bejtlich is Chief Security Strategist at FireEye, and was Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. He is a nonresident senior fellow at the Brookings Institution, a board member at the Open Information Security Foundation, and an advisor to Threat Stack, Sqrrl, and Critical Stack. He is also a Master/Doctor of Philosophy in War Studies Researcher at King's College London. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. His fourth book is "The Practice of Network Security Monitoring" (nostarch.com/nsm). He also writes for his blog (taosecurity.blogspot.com) and Twitter (@taosecurity), and teaches for Black Hat.

Most Helpful Customer Reviews

14 of 14 people found the following review helpful By Christos Partsenidis on December 5, 2005
Format: Paperback
Following the success of 'The Tao of Network Security Monitoring' last year, world renowned security expert Richard Bejtlich raises once again the standard for security professionals, this time by focusing on analyzing threats coming from within our network - a kind of underestimated area.

Traditionally, the point of network security is about keeping the bad guys out of a network - 'out' being where we hope they are to start with. Possible points of entry are considered to be devices accessible from the outside in some way, mostly servers and perhaps routers. Workstations with no address on the network have no apparent footprint that would betray their existence, so if potential intruders don't even know the hosts exist, and are unable to make any connection to them, how could they possibly exploit them? The truth is they can, in many ways, using not only technical skills but imagination and ability to exploit the human factor - against which no automated procedure or device can defend for long.

Furthermore, many administrators put all their effort and resources into trying to design an impenetrable network infrastructure, but ignore the fact that every prevention measure is bound to fail at any moment. These administrators put little or no thought into the possibility of a real intrusion and, as a result, when it occurs the network infrastructure they've built doesn't allow them to cut their losses to a minimum, regain control in a timely manner and collect credible evidence that may lead to a future investigation.

This, Richard Bejtlich's second book on the subject of network security, attempts to establish into readers' minds a solid grounding on how things are, while emphasizing common misconceptions of the past.
Format: Paperback
First, this book should be called The Engineer's Guide to Implementing Security to Detect and Prevent Malicious Traffic in Your Network. This is a very thorough book on how to detect malicious traffic leaving a network (hence Extrusion), with great illustrations and walkthroughs. There are chapters on planning, deployment, tuning and other key, often overlooked, aspects surrounding the wonderful world of Intrusion Detection.

The first hint that this book was a bit different is noticed in the Foreword. Marcus Ranum wrote the foreword, or I should say guided the direction of the Foreword. Marcus opts for an interview with the author, versus "telling you a bunch of stuff about the book". The Foreword is a must when browsing this book. Very creative, something perhaps missing in the world of Information Security these days.

After the foreword, chapters include Defensible Network Architecture, a brief overview of IDS, Enterprise Network Instrumentation (packet captures, tools and some techniques), Layer 3 Network Access Control, Traffic Threat Assessment, Network Incident Response, Network Forensics, and Internal Intrusions, which discuss a Traffic Threat Assessment Case Study and Malicious Bots. There are several Appendixes as well (a requirement for all technical books) that include how to Collect Session Data, a minimal Snort Installation Guide, Enumeration Methods (identifying systems on a network), and Open Source Host Enumeration (doing it for free).

The author uses firewall technology, proxy technology, and IDS technology to define how to monitor and control traffic entering or leaving a network. Specific configurations that could be copied line by line and implemented into a network are provided.

Richard leaves nothing to the imagination in this book.
10 of 10 people found the following review helpful By Dr Anton Chuvakin on December 1, 2005
Format: Paperback
Now, they say that one way to be happy is to have low expectations about stuff. In the case of me and this book, the opposite has happened: my expectations were really high. In fact, I was counting the days until the book's arrival. Do not get me wrong, it's an excellent book, but it seems to fall slightly short of my lofty expectations.

My first unmet expectation was the term `extrusion' itself. I suspected that the book would have more coverage of real insider attacks, and not just infected, misbehaving client PCs. The author does say that some use the term `extrusion' to refer to intellectual property theft (or `IP leakage') in his section on the `History of Extrusion Detection', but does not follow up on that. His definition of `extrusion detection' seems to be closer to the `detection of consequences of intrusion in the form of outbound connections', such as after a client-targeting attack, rather than a separate phenomenon of a trusted insider attack.

The second thing I did not quite like was too much overlapping material with Richard's previous book, `Tao of Network Security Monitoring.' For example, the security process and security principles sections seem to be taken from his Tao book (which is a superb book, by itself!). Similarly, in my opinion, the in-depth coverage of NSM methodology and `network forensics' presented in the Tao book should not have been repeated, since the differences between applying NSM for intrusion and extrusion detection are really minor.

And I liked pretty much everything else: detailed examples of `traffic threat assessment', unmatched technical accuracy, easy-to-follow style, etc. Coverage of bots in chapter 10 deserves a favorable mention, as well as a strategy for network incident response.