Five years ago today I left the information warfare planning directorate at the Air Intelligence Agency and joined the Air Force Computer Emergency Response Team at then-Kelly Air Force Base in San Antonio, Texas. Back then we were part of the Air Force Information Warfare Center, tasked with monitoring all of the intrusion detection systems deployed inside border routers at Air Force installations. I was a new captain and had voluntarily attended some UNIX training after work hours while deployed to RAF Molesworth in late 1997.
Just yesterday I was asked how to get into the computer security field. Here's how I did it. I looked at the AFCERT's manning roster for the network security monitoring teams and put myself on the schedule. Wherever I saw an opening -- usually between 2 and 10 pm or 10 pm and 6 am -- I added my name. I sat next to people who seemed to understand the alerts they were analyzing and asked a lot of questions. Six months later I was in charge of the real-time NSM team, and a year later I was in charge of all NSM operations. I wrote my first white paper in late 1999 and spoke at my first SANS conference on 25 Mar 00. Currently I'm writing Real Digital Forensics and The Tao of Network Security Monitoring, both to be published in 2004.