Friday, April 13, 2007

Brief Thoughts on Security Education

Once in a while I get requests from blog readers for recommendations on security education. I am obviously biased because I offer training independently, in private and public forums. However, I've attended or spoken at just about every mainstream security forum, so I thought I would provide a few brief thoughts on the subject.

First, decide if you want to attend training, briefings, or classes. I consider training to be an event of at least 1/2 day or longer. Anything less than 1/2 day is a briefing, and is probably part of a conference. Some conferences include training, so the two topics are not mutually exclusive. Classes include courses offered by .edu's.

Training events focus on a specific problem set or technology, for an extended period of time. Training is usually a stand-alone affair. For example, when I prepared for my CCNA, I took a week-long class by Global Net Training. If I choose to pursue the CCNP I will return to GNT for more training. I seldom attend training because I do not usually need in-depth discussions of a single topic.

Briefings also focus on specific problems or technologies, but their scope is usually narrow due to their time constraints. The content is typically fresher because it takes less work to prepare a briefing compared to a 1/2 day or longer training session. Briefings are more likely to contain marketing material because you can be halfway through the talk before realizing it's a pitch piece. I attend briefings more often than training because they tend to fit my schedule and I can quickly learn something new.

Classes are the forums offered by institutions over an extended period of time. Traditional colleges and universities provide classes, although some non-traditional teaching vehicles exist. I've never taken any of these, although I would like to pursue my PhD at some point soon.

With that background, here are a few thoughts on popular education venues:

  • USENIX: USENIX is my favorite venue. USENIX offers 1/2, 1, and 2-day training, plus briefings. I usually train at the three major conferences they offer: Annual, Security, and LISA (Large Installation System Administration). Training tends to be very practical, with strong preferences for operational information for system administrators. The briefings especially tend to be more academic, with lots of research by students and/or professors. People-wise, I tend to like USENIX for connecting with the university community.

  • Black Hat: Black Hat is the best place to learn the newest public attack tools and techniques. Defense is usually secondary. Black Hat offers 1 and 2-day training, plus briefings. I've trained through Foundstone at Black Hat, and I'll be training at Black Hat in Las Vegas this summer. If you want to get very technical information on attacks (and some countermeasures), Black Hat is a great venue. People-wise, I've decided to begin attending Black Hat regularly because the most interesting people are there.

  • SANS: SANS offers a wide variety of material, through training, briefings, classes, newsletters, and webcasts. I taught the SANS IDS track in 2002 and 2003, then returned to teach Enterprise Network Instrumentation late last year. I'll be back teaching ENI at SANSFIRE 2007. In my opinion some SANS training is woefully out-of-date, while other training is very good. SANS tracks are usually six days. SANS also offers shorter training like the log management summit I attended last year. Other times SANS offers very short briefings on a single topic, like the SANS Software Security Institute. People-wise, SANS tracks tend to involve more people at the beginning of their security careers.

  • RSA: I mention RSA because it's big and people might want to know more about it. I spoke at RSA 2006. That was enough for me. RSA is the place to be if you're a vendor, but otherwise I found the talks less inspiring than other venues. If you're a cryptographer you might find RSA's cryptography track to be helpful, since that subject is usually not emphasized elsewhere. People-wise, I met lots of people trying to attract business at RSA last year.

  • Niche Public Events: A lot of other venues fill this space. Among those I've attended or spoken at, CanSecWest is one leader. I delivered a Lightning Talk there in 2004. The best part of CSW is the fact it's a single track. By the end of the event, some sense of community has been built. ShmooCon is similar to CSW, although it has multiple tracks. Techno Security and Techno Forensics are two great sources of education, generally heavy on Feds and forensics. I'll be teaching at Security and probably later at Forensics this year. If you're in Europe take a look at CONFidence in Poland.

  • Niche Government or Government-Centric Events: I include conferences usually sponsored or mainly attended by law enforcement, government, and military audiences here. FIRST and GFIRST fit these bills. I speak there to meet people and less to hear about what's happening. The Telestrategies ISS World events are similar. For those of you in Australia, AusCERT looks like a good bet; I'll be there this year.

That's all I have time to discuss now. Good luck spending your security education dollars.


Keydet89 said...

I understand about the training, and I've taken a different approach. One of the things I find about the public training is that folks will go away and then come back and not be able to perform to the standard of the training...and I have to wonder why.

Some training is vendor specific, and even though the individual goes off to the training, when they return, they may not have access to the vendor's product itself. I know what you're thinking...but I've seen it.

Another issue with this scenario that is pervasive through others, as well, is that the training is done via a GUI or some other abstraction layer, and the trained IT staff member knows some of what he or she was taught, but not what goes on "under the hood".

Other training offered is so far off from the individual's "home environment" that they aren't able to make the leap to incorporating the training in their environment. I've taught at the RCFG/GMU conference and saw LEOs taking a Linux forensics course, and during a break some said that they weren't actually going to be using the training, but it was nice to know. Also, sending someone from a Windows shop off to Linux-based training isn't very effective.

What I've developed, based on the content of my new book, is a series of hands-on, functional workshops that can be easily configured to meet the needs of the attendees. Better still is that they can be configured to meet the specific functional needs of a particular infrastructure or environment. I do this by working with the customer to identify systems architecture, what keeps them awake, what issues they've had, etc.

These workshops are publicly available through my employer, and are designed to provide training in IR and CF techniques for Windows systems. We also have modules available in incident management, acquiring images, etc.

One of the benefits of this is that our delivery strategy is flexible, as well. We can come on-site and provide the workshops right there in your facility, training 20+ people for less $$ than it would take to send 1/4 of them to SANS or other publicly-available training.

It's another option, it's not vendor-specific, it's not a sales pitch, and it is valuable to LEOs, public/private/govt sectors alike.

Author: "Windows Forensic Analysis"

Jordan said...

I'd second pretty much all these observations, Richard (except I haven't attended USENIX and couldn't comment one way or another on that one -- ironic since I work for a university).

Another suggestion I'd make is Cansecwest -- it feels a lot like BlackHat except that it's much smaller, more intimate, and yet the presentations are even better, and there's an even higher concentration of interesting people. I won't be going this year, unfortunately, but the past two years I've attended, I've loved it.

Anonymous said...

Hey Richard, I was wondering: I took Foundstone training around 2000 (and I attended Advanced Hacking, which you taught) and was impressed. How does Foundstone training stack up now as compared to the earlier days when the company was just starting? Thanks.

Richard Bejtlich said...

I really don't know. I restricted my comments to venues with which I had recent experience. I haven't taught for Foundstone since 2003 so I don't know what the story is now.