Sunday, June 12, 2005

Bejtlich at Techno Security Conference

If you're in Myrtle Beach, SC for the 2005 Techno Security Conference, stop by and say hello. I should be at the 3:00 pm Monday book signing, and I will be speaking on behalf of Tenable Security at 7:00 pm Monday. I hope to squeeze in a Monday afternoon visit to managed security vendor LURHQ while I am here as well.

This is my first Techno Security Conference, but I don't plan to see any talks other than those by Ron Gula and Marcus Ranum tomorrow morning. The conference organizers told me this is the 7th such event, and they have over 1,000 attendees. The vendor exhibits and program seem very host-based forensics-centric. It seems that everyone associates the word "forensics" with host-based evidence, with few exceptions.

I am sensitive to this situation as I devote several chapters in my new book Extrusion Detection to network-centric incident response and forensics. I intend for these chapters to supplement existing excellent works that take a traditional host-centric view of both disciplines. I am also acutely aware of network-centric IR and forensics as I continue to improve my new Network Security Operations class.

So why do I consider network IR and forensics to be important? In my experience, quite often investigators don't know where to begin the IR or forensics process. Security staff have indicators that their enterprise is compromised, but they are not sure where to look. To compound a bad situation, consider the consequences of poking around potentially compromised hosts. Not only are you potentially alerting the intruder to your investigation. You are also potentially damaging or destroying important host-based evidence.

Therefore, I like to start with network evidence when conducting IR and forensics, and use network-based evidence (NBE) to learn where I should focus my host-based IR and forensics work. Analyzing NBE never touches sensitive victim hosts, and NBE can often be captured without revealing the collection process to the intruder.
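As an added illustration of that pivot (example code written for this page, not code from the post, the book, or the class), the script below takes session records of the kind a network sensor already collects and turns a single indicator into a ranked list of hosts to examine. The record format, the 10.0.0.0/8 internal range, the indicator 203.0.113.7 and the session data are all constructed for the example; the tiering logic (hosts that talked to the indicator first, then internal peers they reached afterwards) is one reasonable way to narrow the host-based work, not the only one.

```python
"""Pivot from network-based evidence (NBE) to a host-forensics shortlist.

Added illustration; not code from the post or its author. The session records
below are constructed for this example in a simplified Argus/SANCP-like form:
start time, protocol, src IP, src port, dst IP, dst port, bytes transferred.
"""
import ipaddress
from dataclasses import dataclass

# Assumed enterprise address range; adjust for a real investigation.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample sessions. 203.0.113.7 is the indicator (say, from an IDS
# alert). 10.1.1.25 talks to it twice, then opens SMB to 10.1.1.40 and
# 10.1.1.41; its earlier SMB session to 10.1.1.40 predates the first contact
# and is deliberately ignored. 10.1.1.77 also contacts the indicator, briefly.
# 10.1.1.90 only talks to an unrelated site and never makes the list.
SAMPLE_SESSIONS = """\
2005-06-12T00:55:00 tcp 10.1.1.25 49100 10.1.1.40 445 4096
2005-06-12T01:02:03 tcp 10.1.1.25 49152 203.0.113.7 443 5120
2005-06-12T01:02:40 tcp 10.1.1.25 49153 203.0.113.7 443 98304
2005-06-12T01:07:55 tcp 10.1.1.25 49160 10.1.1.40 445 65536
2005-06-12T01:08:30 tcp 10.1.1.25 49161 10.1.1.41 445 65536
2005-06-12T01:30:00 tcp 10.1.1.77 49300 203.0.113.7 443 1024
2005-06-12T02:00:00 tcp 10.1.1.90 49500 198.51.100.10 80 700
"""


@dataclass(frozen=True)
class Session:
    start: str      # ISO 8601, so plain string comparison orders correctly
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_sessions(text):
    """Parse whitespace-separated session records, oldest first."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, proto, src, sport, dst, dport, nbytes = line.split()
        sessions.append(Session(start, proto, src, int(sport), dst, int(dport), int(nbytes)))
    return sorted(sessions, key=lambda s: s.start)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def triage(sessions, indicators):
    """Rank internal hosts for host-based follow-up using only NBE.

    Tier 1: hosts that exchanged traffic with an indicator, ranked by bytes.
    Tier 2: internal peers a tier-1 host connected to after its first contact
            with the indicator (candidate lateral movement), by first seen.
    """
    tier1 = {}
    for s in sessions:
        for host, peer in ((s.src, s.dst), (s.dst, s.src)):
            if is_internal(host) and peer in indicators:
                rec = tier1.setdefault(host, {"first_seen": s.start, "bytes": 0})
                rec["bytes"] += s.nbytes

    tier2 = {}
    for s in sessions:
        if (s.src in tier1 and is_internal(s.dst) and s.dst not in tier1
                and s.start >= tier1[s.src]["first_seen"]):
            tier2.setdefault(s.dst, {"first_seen": s.start, "via": s.src, "dport": s.dport})

    shortlist = [
        {"host": h, "tier": 1, "first_seen": r["first_seen"], "bytes": r["bytes"]}
        for h, r in sorted(tier1.items(), key=lambda kv: -kv[1]["bytes"])
    ]
    shortlist += [
        {"host": h, "tier": 2, "first_seen": r["first_seen"], "via": r["via"], "dport": r["dport"]}
        for h, r in sorted(tier2.items(), key=lambda kv: kv[1]["first_seen"])
    ]
    return shortlist


def host_shortlist(text=SAMPLE_SESSIONS, indicators=frozenset({"203.0.113.7"})):
    """Convenience wrapper: parse the records and triage against the indicator."""
    return triage(parse_sessions(text), indicators)


if __name__ == "__main__":
    for entry in host_shortlist():
        print(entry)
```

Nothing here touches a victim host: the input is whatever the sensor already recorded, so the investigator learns which two hosts talked to the indicator and which two were reached from the busiest of them, and can image those four (in that order) before anyone logs on to them.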
