Sunday, May 27, 2007

Bejtlich Teaching Network Security Operations in Cincinnati

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Cincinnati, OH on 21-23 August 2007. The Cincinnati ISSA chapter is hosting the class. Please register here. The early discount applies to registrations before 20 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring

    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (

    • Case studies, personal war stories, and attendee participation

  • Network Incident Response

    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and

    • Common ways intruders are detected, and reasons they are often initially

    • Improved ways to detect intruders based on network security monitoring

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the intruder out

  • Network Forensics

    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the face of adversarial defense attorneys or skeptical business leaders

This is one of only two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.


Roland said...

You may wish to consider updating your NetFlow tools section - the flow-tools have lain fallow for quite some time, and don't seem to have been updated to support NetFlow v9. nfdump/nfsen would be a suggested replacement.

Richard Bejtlich said...

Thanks Roland -- I'm aware of those tools but never tried them. Since they're in the ports tree I will check them out!
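The point behind Roland's comment is a protocol difference, and the script below is an added illustration of it (example code written for this page, not part of the post, the course, or any of the tools listed). NetFlow v5 exports fixed 48-byte records behind a 24-byte header, so any collector can decode a packet on its own. NetFlow v9 (RFC 3954) exports records whose layout is defined by templates the exporter sends separately; a collector that has not yet seen the template for a data flowset cannot decode it. Both packets here are constructed inline; the template (fields 8, 12, 7, 11, 4, 2, 1 from RFC 3954) and the record field names are the example's own choices, not anything the page specifies.

```python
"""Decode constructed NetFlow v5 and v9 packets to show why v9 needs template state."""
import socket
import struct

V5_HDR = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
V5_REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte v5 record (fixed layout)
V9_HDR = struct.Struct("!HHIIII")                     # 20-byte v9 header

# RFC 3954 field types used by the constructed template below (example's own naming)
V9_FIELDS = {1: "bytes", 2: "packets", 4: "proto", 7: "sport", 8: "src", 11: "dport", 12: "dst"}
TEMPLATE_ID = 256                                     # data flowset ids start at 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]


def parse_v5(data):
    """Stateless decode: every field sits at a fixed offset in every record."""
    version, count = struct.unpack_from("!HH", data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    recs, off = [], V5_HDR.size
    for _ in range(count):
        f = V5_REC.unpack_from(data, off)
        off += V5_REC.size
        recs.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                     "sport": f[9], "dport": f[10], "proto": f[13],
                     "packets": f[5], "bytes": f[6]})
    return recs


def parse_v9(data, templates):
    """Stateful decode: templates learned from flowset 0 are kept in `templates`
    across packets. Returns (records, number of data flowsets skipped for lack of
    a template)."""
    version, _count, _uptime, _secs, _seq, _source_id = V9_HDR.unpack_from(data, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    recs, skipped, off = [], 0, V9_HDR.size
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, off)
        if fs_len < 4:                                # malformed length; stop rather than loop
            break
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                                # template flowset, may hold several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                            # data flowset keyed by template id
            tmpl = templates.get(fs_id)
            if tmpl is None:
                skipped += 1                          # undecodable until the template arrives
            else:
                rec_len, p = sum(l for _, l in tmpl), 0
                while p + rec_len <= len(body):       # trailing bytes < rec_len are padding
                    rec = {}
                    for ftype, flen in tmpl:
                        raw = body[p:p + flen]
                        p += flen
                        name = V9_FIELDS.get(ftype, f"field{ftype}")
                        rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    recs.append(rec)
        # flowset id 1 (options template) is ignored in this example
        off += fs_len
    return recs, skipped


# --- constructed packets (example data, not captured traffic) ---
def build_v5(flows):
    hdr = V5_HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(V5_REC.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 0, 0,
                                pk, by, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
                    for s, d, sp, dp, proto, pk, by in flows)
    return hdr + body


def v9_template_flowset():
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE)) + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def v9_data_flowset(flows):
    body = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", sp, dp, proto, pk, by)
                    for s, d, sp, dp, proto, pk, by in flows)
    body += b"\0" * (-len(body) % 4)                  # flowsets are padded to a 4-byte boundary
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def build_v9(flowsets, seq=1):
    return V9_HDR.pack(9, len(flowsets), 0, 0, seq, 0) + b"".join(flowsets)


def demo():
    flows = [("10.0.0.5", "192.0.2.10", 51234, 80, 6, 12, 3400),
             ("10.0.0.5", "192.0.2.53", 40000, 53, 17, 1, 70)]
    v5 = parse_v5(build_v5(flows))
    templates = {}
    # Data flowset seen before its template (e.g. collector started mid-stream): nothing decodes.
    early, skipped = parse_v9(build_v9([v9_data_flowset(flows)]), templates)
    # Template followed by data, as an exporter sends after start-up: both records decode.
    late, _ = parse_v9(build_v9([v9_template_flowset(), v9_data_flowset(flows)], seq=2), templates)
    return v5, early, skipped, late


if __name__ == "__main__":
    for label, value in zip(("v5", "v9 before template", "v9 after template"), (demo()[0], demo()[1], demo()[3])):
        print(label, value)
```

The `templates` dict is the state a v9 collector must keep per exporter (keyed by source ID in a real deployment); a v5-only tool has no such state and rejects the packet at the version check, which is the practical reason an unmaintained v5 collector cannot simply be pointed at a v9 exporter.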