Sunday, May 27, 2007

Bejtlich Teaching Network Security Operations in Chicago

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Chicago, IL on 27-29 August 2007. This is a public class, although I will be speaking at the 30 August meeting of the Chicago Electronic Crimes Task Force. Please register here. The early discount applies to registrations before midnight 27 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring

    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (

    • Case studies, personal war stories, and attendee participation

  • Network Incident Response

    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and

    • Common ways intruders are detected, and reasons they are often initially

    • Improved ways to detect intruders based on network security monitoring

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the
      intruder out

  • Network Forensics

    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless
      helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based
      on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the
      face of adversarial defense attorneys or skeptical business leaders

This is only one of two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.


AdaĆ­l said...

Hi Richard,
I´ve been in this course in 2007. I lost my documentation, there is any place to download?


Richard Bejtlich said...

Sorry, there is not.