On this day in 2004, Addison-Wesley/Pearson published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection.

This post from 2017 explains the differences between my first four books and why I wrote Tao. 

Today, I'm always thrilled when I hear that someone found my books useful. 

I am done writing books on security, but I believe the core tactics and strategies in all my books are still relevant. I'm not sure that's a good thing, though. I would have liked to not need the tactics and strategies in my book anymore. "The Cloud," along with so many other developments and approaches, was supposed to have saved us by now.

Consider this statement from a report describing CISA’s red team against a fed agency: 

“[A]ttempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses.”

This is why you should not rely on EDR, either, for your only understanding of adversary activity. The adversary can shut down or alter your endpoint security tooling. For network security monitoring, you also shouldn’t collect on endpoints. Collect using network taps, or in a pinch, span ports.

There is nothing in this intrusion that would have been a surprise in 2004.

Here is the post I published in 2004 when the first copy showed up on my doorstep. 

There's nothing like getting a real copy in your hands, and I cherish that experience!

I will probably revisit this event in 5 years. See you then!