On "Advanced" Network Security Monitoring
My TaoSecurity News page says I taught 41 classes lasting a day or more, from 2002 to 2014. All of these involved some aspect of network security monitoring (NSM). Many times students would ask me when I would create the "advanced" version of the class, usually in the course feedback. I could never answer them, so I decided to do so in this blog post. The short answer is this: at some point, advanced NSM is no longer NSM. If you consider my collection - analysis - escalation - response model, NSM extensions from any of those phases quickly have little or nothing to do with the network. Here are a few questions I have received concerned "advanced NSM," paired with the answers I could have provided. Q: "I used NSM to extract a binary from network traffic. What do I do with this binary?" A: "Learn about reverse engineering and binary analysis." Or: Q: "I used NSM to extra Javascript from a malicious Web page. What do I do with th...