Posts

Showing posts from January, 2013

On Thought Leadership and Non-Technical Relevance

Image
A reader left a comment on my post 2012: The Year I Changed What I Read . He said: Richard, it's interesting to note that your career has shifted from "pure" technology to more of a thought leadership role where you can leverage your training and interest in history, political science, etc. I wonder if you ever expected to become such a public figure in the whole debate about China when you first started with infosec? Your career path is an encouraging example for others to follow. Even though I work in technology, I also have a sociology/political science background and I've been wondering how I can leverage those interests, especially as I get older and cheaper/hungrier techies continue to enter the industry. Thank you for your comment and question. I will try to answer here. I did not plan to become a "public" figure, and I don't necessarily consider myself exceptionally "public" now. I just reviewed my TaoSecurity news page to see wh...

How to Win This TCP/IP Book

Image
Last week I wished this blog happy tenth birthday and announced plans for a new book on network security monitoring . I also mentioned a contest involving a book give-away. I finally figured out a good way to select a winner, and it involves your participation in my current writing project! Thanks to No Starch Press I have a brand-new, shrink-wrapped copy of The TCP/IP Guide , a mammoth 1616 page hardcover book by Charles M. Kozierok. Here's what you have to do to try to win this book: submit a case study on how network security monitoring helped you detect, respond to, and contain an intrusion in your environment . You don't have to reveal your organization, but I want to know some general information like the number of users and computers. Readers need to know the sort of environment where NSM worked for you, but I don't want you to reveal your organization (unless you want to). Tell the reader what happened, what NSM data you used, how you used it, and how you ha...

Bejtlich's New Book: Planned for Summer Publication

Image
Nearly ten years after I started writing my first book , the Tao of Network Security Monitoring , I'm pleased to announce that I just signed a contract to write a new book for No Starch titled Network Security Monitoring in Minutes . From the book proposal: Network Security Monitoring in Minutes provides the tactics, techniques, and procedures for maximum enterprise defense in a minimum amount of time. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. Network Security Monitoring in Minutes teaches information technology and security staff how to leverage powerful NSM tools and concepts immediately. Using open source software and vendor-neutral methods, the author applies lessons he first began applying to military networks in 1998. After reading this book, the audience will be able to integrate the same winning approaches to better defend his or her company’s data and networks. Net...

Happy 10th Birthday TaoSecurity Blog

Image
Today, 8 January 2013, is the 10th birthday of TaoSecurity Blog ! I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone working for Kevin Mandia. Today I am Chief Security Officer at Mandiant , back working for Kevin Mandia. (It's a small world.) With 2905 posts published over these 10 years, I am still blogging -- but much less. Looking at all 10 years of blogging, I averaged 290 per year, but in the age of Twitter (2009-2012) I averaged only 144 blog posts per year. Last year I wrote 60 times. Why the drop over the years? First, I "blame" my @taosecurity Twitter account. With over 15,000 followers, easy posting from mobile devices, and greater interactivity, Twitter is an addictive platform. However, I really enjoy Twitter and make the trade-off gladly. It would be nice to become a verified user though, with access to two-factor or two-step authentication. Second, blogging used to be the primary way I could s...

Welcome to Network Security Monitoring in the Cloud

Image
I just watched an incredible technical video. If you have about 10 minutes to spare, and want to be amazed, take a look at Snorby Cloud. I think the video and Web site does an excellent job explaining this new offering, but let me provide a little background. Many of the readers of this blog are security pros. You're out there trying to defend your organization, not necessarily design, build, and run infrastructure. You still need tools and workflows that accelerate your incident detection and response process though. So, you work as a security admin, system admin, storage admin, database admin... you get the picture. You manage to keep up, but you probably wish you could focus on finding bad guys, as quickly as possible, without taking care of all the *stuff* that you need to do your job. While many of you are security experts, some are just beginning your journeys. The responsibilities of being an admin of four or more different shades is overwhelming. Furthermore, you don...

Security Onion + (ELSA or Snorby) + CapMe = Awesome

Image
Happy New Year everyone, and with some new open source software, what a year it will be. Monday Doug Burks released Security Onion 12.04 . Please read Doug's post to learn how great this new 64 bit release is. I wanted to highlight a few features of the new release which takes Network Security Monitoring with open source tools to a new level for security analysts. 12.04 ships with Martin Holste's Enterprise Log and Search Archive (ELSA) working out of the box. Thanks to close integration with the latest version of Bro , analysts have Web-based, indexed access to Bro logs. If that weren't enough, 12.04 also ships with a late addition -- Paul Halliday's CapMe . What this means is that you can now access full TCP transcripts from any alert in Dustin Webber's Snorby or Martin's ELSA. You might not appreciate that right away, but it's a step in the right direction. Thus far, Bamm Visscher's Sguil has been the de facto open source NSM reference tool, ...