Disclosure: I received copy of the book for reviewing from the publisher, Packt. I was not given any direction for this review.
Book Title: Practical Threat Detection Engineering
Publisher: Packt Publishing
Publication Date: 2023-06, 1st Edition
Authors: Megan Roddie, Jason Deyalsingh, Gary J. Katz
I am the leader of a small security operations team at a research institution, so I read this book with great interest. Practical Threat Detection Engineering is an excellent introduction to using local log sources and threat intelligence to build out detection methods for threats into your computer infrastructure. It is not for people new to cybersecurity, but if you've seen the terms MITRE ATT&CK or the Pyramid of Pain and have been curious about what they mean and how they might apply to your job, this book is for you. The authors have strong backgrounds in cybersecurity, and it shows.
The book is well-organized, with each chapter building on the previous and with callbacks when appropriate. You can read the table of contents yourself on the publisher's site, so I won't step through it. Several chapters have lab exercises or thought experiments which mesh well with the source material. I particularly appreciated how close attention is paid to correctly documenting and maintaining the detections one has written.
The authors presuppose a certain amount of existing systems and application administration experience. For example, the reader is walked through setting up a home-type lab based on the Elastic Stack and Docker, but there are no troubleshooting tips. I did not follow the step by step for a lab myself, but having some familiarity with Elastic, everything should work well with Elastic 7 or 8. Readers wanting to set up a lab in production environments will want to be quite familiar with Elastic, or to have as a resource a person or team who can assist with maintenance. Of course, most of the techniques described in the book should translate well to other log storage and alerting capabilities the reader's organization might have available. While a certain amount of "lock-in" is unavoidable when describing how to do something technically, the authors do well in avoiding application or version traps as much as possible.
There are a few small issues I'd have liked to have seen the authors pay more attention to. For example, with the heavy focus on free and open-source technologies, it was curious that Zeek and Suricata are mentioned, but not described in any detail. I believe the book would have been improved by having a page or two on these technologies and their application to threat detection. Similarly, the text does not cover in any detail the practicalities of working with other teams in the environment the authors seem to envision. I also found the description of measuring the return on investment for a detection engineering program to be circular. As I understood it, the reader is meant to show an RoI by demonstrating that their detections are well-engineered. As a manager, I would want to understand why these detections are important in the first place. These are relatively minor details, however, and do not distract greatly from the book's message.
I appreciate the belt-and-suspenders type approach of modern cybersecurity practise. It should not be assumed that firewalls and endpoint detection will catch everything, and it's great to see some exploration of supplemental techniques and technologies. I will be recommending this book to my team, and strongly recommend it to anybody with some existing experience who is interested in the theory and practise of detecting cybersecurity threats.