Bejtlich Teaching at Black Hat West Coast Trainings

I'm pleased to announce that I will be teaching at Black Hat West Coast Trainings 9-10 December 2013 in Seattle, Washington. This is a brand new class, only offered thus far in Las Vegas in July 2013. I posted Feedback from Network Security Monitoring 101 Classes last month as a sample of the student feedback I received.Several students asked for a more complete class outline. So, in addition to the outline posted currently by...

Read More

Feedback from Network Security Monitoring 101 Classes

At Black Hat in Las Vegas I taught two Network Security Monitoring 101 (NSM101) classes. This is a new class that I developed this year, after retiring the third edition of my TCP/IP Weapons School. Once again I was glad to have Steve Andres from Special Ops Security there to help students with questions and lab issues. I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming edition. Currently...

Read More

President Obama Is Right On US-China Hacking

I strongly recommend watching the excerpt on the Charlie Rose show titled Obama: Blunt Conversation With China on Hacking. I reproduced the relevant part of the transcript below and added emphasis to key points. CHARLIE ROSE: Speaking of pushing back, what happened when you pushed back on the question of hacking and serious allegations that come from this country that believe that the Chinese are making serious strides and hacking not only private...

Read More

Pre-Order The Practice of Network Security Monitoring Before Price Hike

When my publisher and I planned and priced my new book The Practice of Network Security Monitoring, we assumed the book would be about 250 pages. As we conclude the copyediting process and put print in layout format, it's clear the book will be well over 300. The current estimate is 328, but I think it could approach 350 pages. Because of the much larger page count, the publisher and I agreed to reprice the book. The price will rise from the current...

Read More

Practice of Network Security Monitoring Table of Contents

Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monitoring. The TOC has only solidified in the last day or so. I delayed responding until I completed all of the text, which I did this weekend. You can preorder the book through No Starch. Please consider using the discount code NSM101 to save 30%. I'm still on track to publish by July 22, 2013, in time to teach two...

Read More

Bejtlich Teaching New Class at Black Hat in July

I'm pleased to announce I will teach two sessions of a brand-new two day class at Black Hat USA 2013 this summer. The new class is Network Security Monitoring 101. From the overview: Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you. This vendor-neutral,...

Read More

Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days

Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report. In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online. In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around. These sorts of posts are examples...

Read More

Recovering from Suricata Gone Wild

Recently I tried interacting with one of my lab Security Onion sensors running the Suricata IDS. I found the Sguil server was taking a really long time to offer services on port 7734 TCP. Since I hadn't worked with this lab system in a while, I guessed that there might be too many uncategorized events in the Sguil database. I dusted off an old blog post titled More Snort and Sguil Tuning from 2006 and took a look at the system. First I stopped the NSM applications on the server. sudo service nsm stopStopping: securityonion * stopping: sguil server...

Read More

Using Bro to Log SSL Certificates

I remember using an older version of Bro to log SSL certificates extracted from the wire. The version shipped with Security Onion is new and that functionality doesn't appear to be enabled by default. I asked Seth Hall about this capability, and he told me how to get Bro to log all SSL certs that it sees. Edit /opt/bro/share/bro/site/local.bro to contain the changes as shown below. diff -u /opt/bro/share/bro/site/local.bro.orig /opt/bro/share/bro/site/local.bro---...

Read More

Practical Network Security Monitoring Book on Schedule

First the good news: my new book Practical Network Security Monitoring is on track, and you can pre-order with a 30% discount using code NSM101. I'm about 1/3 of the way through writing the book. Since I announced the project last month, I've submitted chapters 1, 2, and 3. They are in various stages of review by No Starch editors and my technical editors. I seem to be writing more than I expected, despite trying to keep the book at an introductory...

Read More

On Thought Leadership and Non-Technical Relevance

A reader left a comment on my post 2012: The Year I Changed What I Read. He said: Richard, it's interesting to note that your career has shifted from "pure" technology to more of a thought leadership role where you can leverage your training and interest in history, political science, etc. I wonder if you ever expected to become such a public figure in the whole debate about China when you first started with infosec? Your career path is an encouraging...

Read More

How to Win This TCP/IP Book

Last week I wished this blog happy tenth birthday and announced plans for a new book on network security monitoring. I also mentioned a contest involving a book give-away. I finally figured out a good way to select a winner, and it involves your participation in my current writing project! Thanks to No Starch Press I have a brand-new, shrink-wrapped copy of The TCP/IP Guide, a mammoth 1616 page hardcover book by Charles M. Kozierok. Here's what...

Read More

Bejtlich's New Book: Planned for Summer Publication

Nearly ten years after I started writing my first book, the Tao of Network Security Monitoring, I'm pleased to announce that I just signed a contract to write a new book for No Starch titled Network Security Monitoring in Minutes. From the book proposal: Network Security Monitoring in Minutes provides the tactics, techniques, and procedures for maximum enterprise defense in a minimum amount of time. Network Security Monitoring (NSM) is the collection,...

Read More

Happy 10th Birthday TaoSecurity Blog

Today, 8 January 2013, is the 10th birthday of TaoSecurity Blog! I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone wortking for Kevin Mandia. Today I am Chief Security Officer at Mandiant, back working for Kevin Mandia. (It's a small world.) With 2905 posts published over these 10 years, I am still blogging -- but much less. Looking at all 10 years of blogging, I averaged 290 per year, but...

Read More

Welcome to Network Security Monitoring in the Cloud

I just watched an incredible technical video. If you have about 10 minutes to spare, and want to be amazed, take a look at Snorby Cloud.I think the video and Web site does an excellent job explaining this new offering, but let me provide a little background. Many of the readers of this blog are security pros. You're out there trying to defend your organization, not necessarily design, build, and run infrastructure. You still need tools and workflows...

Read More