You may have noticed the new banner at the top of the Blog showing the 14th USENIX Security Symposium in Baltimore, MD, 31 July - 5 August 2005. I presented a one-day NSM tutorial at USENIX Security 04 in San Diego, CA last year, and an improved version of that course at USENIX 05 in Anaheim, CA two weeks ago.
In Baltimore this summer, I will be presenting Network Security Monitoring with Open Source Tools on 31 July, followed by my brand-new Network Incident Response tutorial on 1 August. Descriptions for each class are available via the provided links. I am really looking forward to offering these classes, especially with the MD-DC-VA crowds in attendance. These are both day-long classes.
If you register before 11 July, one day will cost $625 and two days will cost $1200 (for non-students). USENIX offers discounts if five or more people from the same organization attend.
I plan to create a proposal for a network forensics class and submit it along with my NSM and network IR tutorials for the Large Installation System Administration (LISA) conference in December in San Diego, CA. If you would like to see such a class, please contact the training coordinator and let him know!
What's the difference between network IR and network forensics? The network IR class is more about reacting to, containing, and remediating intrusions. It's similar to firefighting. The network forensics class covers collecting, preserving, analyzing, presenting (perhaps to a jury), and defending (under cross-examination) network evidence. The forensics angle concentrates on ensuring your investigation is sound and could support a successful prosecution or human resources action, if necessary.
IR and forensics subjects are often taught from a host-centric perspective, so I believe there is room for network-focused tutorials.