Friday, April 29, 2005

Join Me at USENIX Security 05

You may have noticed the new banner at the top of the Blog showing the 14th USENIX Security Symposium in Baltimore, MD, 31 July - 5 August 2005. I presented a one day NSM tutorial at USENIX Security 04 in San Diego, CA last year, and an improved version of that course at USENIX 05 in Anaheim, CA two weeks ago.

In Baltimore this summer, I will be presenting Network Security Monitoring with Open Source Tools on 31 July, followed by my brand-new Network Incident Response tutorial on 1 August. Descriptions for each class are available via the provided links. I am really looking forward to offering these classes, especially with the MD-DC-VA crowds in attendance. These are both day-long classes.

If you register before 11 July, one day will cost $625 and two days will cost $1200 (for non-students). USENIX offers discounts if five or more people from the same organization attend.

I plan to create a proposal for a network forensics class, and submit it along with my NSM and network IR tutorials to the Large Installation System Administration (LISA) conference in December in San Diego, CA. If you would like to see such a class, please contact the training coordinator and let him know!

What's the difference between network IR and network forensics? The network IR class is more about reacting to, containing, and remediating intrusions. It's similar to firefighting. The network forensics class covers collecting, preserving, analyzing, presenting (perhaps to a jury), and defending (under cross-examination) network evidence. The forensics angle concentrates on ensuring your investigation is sound and could support a successful prosecution or human resources action, if necessary.

IR and forensics subjects are often taught from a host-centric perspective, so I believe there is room for network-focused tutorials.

4 comments:

Anonymous said...

Richard,

Does this mean you're not going to be at BlackHat Las Vegas then?

Richard Bejtlich said...

Correct. I will not be there. 2002 and 2003 were enough for me.

nr said...

Richard,

You may remember I was asking you about the Foundstone IR/Forensics course on IRC some weeks ago.

In your view, what are the differences between a class at a conference like USENIX or LISA when compared to something like a one week Foundstone or SANS course? Obviously the classes at the conferences are generally much shorter, but do they have merits that can make them more attractive than a one-week course?

I'm new to the security field and did not have much opportunity to attend events in my previous job as a system administrator. I am really trying to develop a plan on what path to take to increase my knowledge. On-the-job training, reading/researching on my own (I'm reading Tao right now), structured classes, and attending conferences are all in the mix.

Richard Bejtlich said...

Hello,

You may know I have taught for all three groups -- SANS, Foundstone, and USENIX. I stopped teaching at SANS, I may re-engage with Foundstone this year, and I still teach at USENIX.

Some week-long courses are more hands-on, with labs; Foundstone and the SANS forensics track are examples. Some USENIX classes are hands-on, but their tutorials are never more than one or two days.

I am currently involved in two other new training programs. I will be teaching the network aspects of a new week-long security course with my friends at Special Ops Security. I am also developing a solo week-long Network Security Operations course, which will cover NSM, network incident response, and network forensics. Both courses will be open to the public, although the initial runs are for private customers.