Intrusion Detection (MTP) (Paperback)

by Rebecca Gurley Bace (Author)

Editorial Reviews

Review
Security books, quite frankly, are pretty much a dime a dozen, most of which are written by people in IT field security. What immediately separates this book from the rest is the background of the author. Ms. Bace is an ex-government employee, spending 12 years in everyone's favorite spook organization, the National Security Agency. ...For those with functioning brains who have vested interests in InfoSec and protecting their organization from people who wish to do harm, and getting real security info ...then pick this book up. -- Slashdot.org, 1/27/2000

What differentiates Bace as an author is her purist's passion for intellectual honesty and generosity. She pays homage to the many computer security folks who preceded her, who do important, innovative work in this area, but seldom get singled out. Reading Bace's opening chapter on the history of intrusion detection is a pleasure...(Throughout the book) the technical-theoretical is balanced by real examples and real-world challenges. Her chapter dealing with legal issues should be read by every in-house attorney whose companies have hard/software components. Outside computer security firms hoping for "consulting" fees will probably memorize large chunks from the book in order to appear knowledgeable. -- CyberWire Dispatch, 1/4/2000

Product Description
With the number of intrusion and hacking incidents around the world on the rise, the importance of having dependable intrusion detection systems in place is greater than ever. Offering both a developmental and technical perspective on this crucial element of network security, Intrusion Detection covers: practical considerations for selecting and implementing intrusion detection systems; methods of handling the results of analysis, and the options for responses to detected problems, data sources commonly used in intrusion detection and how they influence the capabilities of all intrusion detection systems; legal issues surrounding detection and monitoring that affect the design, development, and operation of intrusion detection systems. More than just an overview of the technology, Intrusion Detection presents real analysis schemes and responses, as well as a detailed discussion of the vulnerabilities inherent in many systems, and approaches to testing systems for these problems.

See all Editorial Reviews

Product Details

• Paperback: 368 pages
• Publisher: Sams (January 1, 2000)
• Language: English
• ISBN-10: 1578701856
• ISBN-13: 978-1578701858
• Product Dimensions: 9.4 x 7.6 x 1.1 inches
• Shipping Weight: 1.7 pounds (View shipping rates and policies)
• Average Customer Review: 4.4 out of 5 stars See all reviews (5 customer reviews)
• Amazon.com Sales Rank: #893,385 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

34 of 35 people found the following review helpful:

4.0 out of 5 stars An excellent textbook, but not an implementor's handbook, April 6, 2000

By	J. G. Heiser (Sunninghill, Berks) - See all my reviews (REAL NAME)

This is a well-researched and well-written text. It is an excellent complement to Northcutt's book, which is more concrete and oriented to the hands-on practitioner. Those hoping to just buy an off-the-shelf IDS and turn it on may find Bace's book somewhat abstract. Although it reads well, it has a very strong academic flavor (this is probably inevitable in any book that uses the word 'etiology' twice in the first chapter). If Amoroso's book is a graduate-level text, then this is an appropriate book for undergrads.

Every specialized text on security seems to succumb to the temptation to flesh out the book with elementary security topics, and this one is no exception. Whether they are absolutely appropriate in a book like this or not, Bace does offer some very wise and useful advice and understandings on information security in general--some of which I was able to apply immediately by sharing with a client.

The author provides a comprehensive history of intrusion detection that is effective in creating an understanding of the reasons that specific techniques are used and what their shortcomings and strong points are--15 years worth of non-commercial intrusion detection systems are described and analyzed. While academic and government sponsored IDS initiatives are well-covered, those who are shopping for a commercial solution will probably be disappointed by the almost total lack of mention of currently available products. Discussion of commercial products consists of generalizations such as "Many products" or "some products" or "be aware of vendors that".

The chapter on legal issues is excellent and up-to-date, and it should be read by anyone implementing any form of monitoring system. The chapter 'For Strategists' is just a rehash of basic risk management concepts. It isn't particularly applicable to IDS and I disagree with the author on the prominence of ROI calculations in the security product implementation decision process. The bibliography is complete and very current. Although it lacks annotations, many of the sources are referenced within the book itself, so the reader interested in further research has plenty of guidance.

The weaknesses in this book are probably due to a lack of audience focus. It is aimed at Chief Security Officers, network and OS admins, college compsci students, and security systems designers.

Consultants and decision-makers should read this text, as should network engineers who want to expand their awareness of the tools they are purchasing and using. Given that this serves well as a reference book, the sturdy hard binding is appreciated, and the pages withstand highlighting without bleed through. It isn't a lot of verbiage for the price, but the quality is high.

5 of 6 people found the following review helpful:

5.0 out of 5 stars The most underappreciated intrusion detection book available, October 16, 2003

By	Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

Three years ago, as a captain in the Air Force CERT, I didn't think I had time to read books on theory and definitions like Rebecca Bace's "Intrusion Detection." If a book didn't show packet captures, I didn't need it! Fast forward to 2003, as I research intrusion detection history and re-discover Bace's contribution to the field. Now, I consider her book so important that I consider most of it mandatory preparation for my own book. If you've got the time for "high level" monitoring concerns, check out "Intrusion Detection."

As a researcher, my favorite aspect of the book is Bace's readiness to "lay down the law" and provide numerous definitions for intrusion detection concepts. Most of them are so clear as to be considered definitive in my eyes. Like Paul Proctor's 2001 title "The Practical Intrusion Detection Handbook," I get the sense that Bace "gets it." She doesn't show packet traces, but what she says makes sense.

The best aspect of the book, for my purposes, is its historical nature. Bace covers several decades of intrusion detection concepts and products. She cites the players and their papers, and the themes prevalent as IDS moved from the lab to the front lines. I also found the legal issues chapter extremely valuable. IDS operators should know their products implement wiretaps or trap and trace/pen registers, for which legal cover should be sought. The legal chapter also featured two great case studies on capturing Kevin Mitnick and responding to the 1994 Rome Labs intrusion.

On the negative side, I offer a few disagreements and suggestions. First, vulnerability assessment products are not "a special case of intrusion detection" (ch. 6). This association clouds the issue and confuses the layman. Vulnerability assessment products identify vulnerabilities. Intrusion detection products identify threats. VA can work with IDS in an overall risk management strategy, or to provide context to improve IDS detection methods (e.g. Sourcefire RNA or Tenable NeVO), but VA is not IDS. I also disagree the a primary goal of IDS is real-time response. While this is a goal for science fiction writers, I still don't trust the removal of the human operator. Minor points include a lack of discussing Snort (created in 1998, popular by 1999) and an incorrect claim regarding "NSM" on p. 19 -- the acronym means "Network Security Monitor."

If you're looking for background on the history and purpose of IDS, I strongly recommend reading "Intrusion Detection." It's as relevant today as it was three years ago. I'm fortunate I didn't miss out by waiting so long!

4.0 out of 5 stars This is an academic book, July 15, 2008

By	C. Langin - See all my reviews (REAL NAME)

This is one of at least three books you will need for academic research on intrusion detection. This book is appropriate for undergraduate students, but it also contains theory and references. For a graduate level presentation with theory and references, see Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. The third book is Network Intrusion Detection (3rd Edition) (Voices (New Riders)) and contains practical advice on how intrusion detection is actually done. If you are non-academic and do not need theory and references, you probably only need the third book.