Sunday, 30 March 2008

Wireshark 1.0.0 Released

I'd like to congratulate the Wireshark team for releasing Wireshark 1.0.0. As the news item says, it's been nearly 10 years in the making. I started using Ethereal in 1999 at the AFCERT with data collected from our ASIM sensors. It's a great time for network security monitoring right now! With Sguil 0.7.0 released there's a lot of attention from high level players. It's co...

Friday, 28 March 2008

Practical Data Analysis and Reporting with BIRT

A friend of mine from my days at Ball Aerospace named John Ward wrote a book titled Practical Data Analysis and Reporting with BIRT. John was responsible for writing the reports we provided to customers of our network security monitoring service. He used that experience as a reason to learn more about BIRT, the Business Intelligence and Reporting Tools Eclipse-based reporting system. If you have any interest in using an open source product to...

Wednesday, 26 March 2008

Two Studies on Security Spending

I would like to note two articles on security spending. I learned of the first by listening to the audio edition of The Economist, specifically Anti-terrorist spending: Feel safer now?. The article summarizes a report (Transnational Terrorism, [.pdf]) by The Copenhagen Consensus, a think tank that analyzes government spending. The Economist says: The authors of the study calculate that worldwide spending on homeland security has risen since 2001...

Sguil 0.7.0 Released

...and there was much rejoicing. Sguil 0.7.0 is now available for download. Sguil is an open source interface to statistical, alert, session, and full content data written by Bamm Visscher. A great way to quickly see the differences between 0.6.1 and 0.7.0 is to visit the NSM Wiki Sguil Overview and check out the diagrams near the bottom of the page. I've been using Sguil 0.7.0 from CVS for several weeks in production and it's working well. ...

Sunday, 23 March 2008

Implementing Enterprise Visibility by Leading Change

I've been advocating increased digital situational awareness via network security monitoring and related enterprise visibility initiatives for several years. Recently I read a Harvard Business Review case study called Leading Change: Why Transformation Efforts Fail by John P. Kotter. His eight stage process for creating a major change includes: Establish a sense of urgency. Create a guiding coalition. Develop a vision and strategy. Communicate the change...

E-discovery Is an Information Lifecycle Management Problem, Not a Security Problem

The more I learn about e-discovery, the less I think it's a security problem. The vast majority of e-discovery issues are pure Information Lifecycle Management (ILM) concerns. The one area where I think security has a role is countering the subject's utilization of anti-forensics and counter-forensics (defined previously as attacking evidence and attacking tools, respectively). I was reminded of this opinion while reading Find What You're Looking...

Justifying Digital Security via 10-K Risk Factors

I'm a shareholder in Ball Corporation, thanks to the compensation plan I joined as an employee many years ago. Last week I received the company 10-K in the mail. I thought about my last reference to the form 10-K in my post CIO Magazine 20 Minute Miracles and Real Risks. I wondered if any of the Risk Factors in the 10-K could be used to justify a digital security program? Let's look at each of them. If you're not familiar with Ball, it's mainly...

Wednesday, 19 March 2008

Ten Themes from Recent Conferences

I blogged recently about various conferences I've attended. I considered what I had seen and found ten themes to describe the state of affairs and some general strategies for digital defense. Your enterprise has to be of a certain size and complexity for these items to hold true. For example, I do not expect item one to hold true for my lab network since the user base, number of assets, and nature of the assets is so small. Furthermore, I heavily...

Tuesday, 18 March 2008

CIO Magazine 20 Minute Miracles and Real Risks

I liked CIO Magazine's article 20 Things You Can Do In 20 Minutes to Be More Successful at Work by Stephanie Overby. Several excerpts follow. Grab the annual 10-K reports that your top competitors have filed with the Securities and Exchange Commission and read the section called "Management's Discussion and Analysis." That's where the CEO (through corporate lawyers) describes what happened to the company in the past year, good and bad. By scanning...

The Data Center in a Switch

We all know how security has been baked into virtualization projects from day 0. Ok, enough joking. Given our history with virtualization I'm a little scared when I read stories like Dawn of the App Aware Network that show switches becoming giant VM servers. If you didn't think of your routers and switches already as computers, you won't be able to ignore it once they are running such complex applications. I am looking forward to seeing who manages...

Monday, 17 March 2008

Black Hat DC 2008 Wrap-Up

Better late than never, I suppose. I taught TCP/IP Weapons School at Black Hat DC 2008 last month, and I also attended two days of briefings (many available in the archives). The briefings began with Jerry Dixon from Team Cymru, which appears to now offer commercial services related to large scale Internet monitoring and infrastructure issues. Jerry noted several problems hampering security efforts, including lack of a dedicated security operations...

Sunday, 16 March 2008

Thoughts from Several Conferences

Over the last several months I've accumulated several pages of notes after attending a variety of conferences. I thought I would present a few cogent points here. As with most of my posts, I record thoughts for future reference. If you'd rather not read a collection of ideas, please tune in later. I attended the 28 Nov 07 meeting of the Infragard Nation's Capital chapter. I found the talk by Waters Edge Consulting CEO Jeffrey Ritter to be interesting....

Saturday, 15 March 2008

How Many Burning Homes

I mentioned the idea of host integrity assessment in my post Controls Are Not the Solution to Our Problem. The idea is to sample live devices (laptops, desktops, servers, routers, switches -- anything that runs a network-enabled operating system) to see if they are trustworthy. (They may be trusted, but that does not make them trustworthy.) I described how I might determine trustworthiness, or integrity, in Three Capabilities, Three Companies. ...

Friday, 14 March 2008

Reactions to Latest Schneier Thoughts on Security Industry

The March 2008 Information Security Magazine features an article titled Consolidation: Plague or Progress, where Bruce Schneier continues his Face-Off series with one of my Three Wise Men, Marcus Ranum. Marcus echoes the point I made in my review of Geekonomics concerning the merits of open source projects: Most of us have had a product suddenly go extinct--to be followed shortly by a sales call from the vendor that fired the fatal shot--in spite...

Bejtlich Teaching at Black Hat USA Training 2008

Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat USA 2008 on 2-3 and 4-5 August 2008, at Caesars Palace, Las Vegas, NV. These are my last scheduled training classes in 2008. I plan to rewrite and augment the class in my off time (late at night, basically!) for these two offerings. The cost for the two-day class is $2200 until 1 May, $2400 until 1 July, $2600 until 31 July, and $2900 starting 1 August. (I...

Bejtlich Teaching at Techno Security 2008

I've previously spoken at the Techno Security 2005 and Techno Security 2006 conferences, and I taught Network Security Operations at Techno Security 2007. I'll be back at Techno Security 2008 teaching Network Security Operations (NSO) on Saturday 31 May 2008 at the Myrtle Beach Marriott Resort at Grande Dunes, a great family vacation spot. This is the only planned offering of NSO in 2008. I'll attend the conference after the one day class. I can...

Monday, 10 March 2008

Bejtlich in Access Control and Security Solutions Magazine

Sandra Kay Miller interviewed me for the July 2007 issue of Access Control and Security Solutions magazine, but I forgot about it until now. The interview describes my security experiences and my thoughts on working at ...

Saturday, 08 March 2008

Review of Professional Xen Virtualization Posted

Amazon.com just posted my four star review of Professional Xen Virtualization by William von Hagen. From the review: I really enjoyed reading Professional Xen Virtualization (PXV). The book answered exactly the right questions for me, a person who had no Xen experience but wanted to give the product a try. If you are looking for a book on Xen internals, you should read The Definitive Guide to the Xen Hypervisor by David Chisnall. If you are less...

Network Security Monitoring for Fraud, Waste, and Abuse

Recently a blog reader asked the following: You frequently mention "fraud, waste, and abuse" in your writing (for example), most often to say that NSM is not intended to address FWA. One thing I've been wondering though--why is fraud in there? I can see waste (employee burning time/resources on ESPN.com or Google Video) or abuse (pornography, etc), but Fraud seems to be in a different class. If someone is using the network to commit a crime, why shouldn't...

Matt Jonkman and Endace on Accelerating Snort

If you missed it last month, you can watch Matt Jonkman's Faster Snorting Webinar at the Endace Web site. Matt posted answers to various questions posed by readers and you can download his slides or whitepapers if interest...

New Hakin9 Released

The latest issue of Hakin9 has been published. This is a subscription magazine published in Europe. Articles which caught my attention include Programming with Libpcap - Sniffing the network from our own application by Luis Martin Garcia, Reverse Engineering Binaries by Aditya K. Sood aka 0kn0ck, and Writing IPS Rules – Part 4 by Matthew Jonkm...

Friday, 07 March 2008

Common Interface to Packets

Recently a blog reader asked me an interesting question. He wanted to know if it would be possible to replace the variety of network traffic inspection and analysis products with a single box running multiple applications. He was interested in some sort of common interface to packets that could perform the collection function and make traffic available to other products. There are several ways to look at this issue. First, one can do that already...

Wednesday, 05 March 2008

Infrastructure Protection in the Ancient World

In preparation for my career as an Air Force intelligence officer, I earned a bachelor of science degree in history at the Air Force Academy. (Yes, not a bachelor of arts degree. Because of the number of core engineering, math and science classes -- 12 I think? -- the degree is "science". At a civilian school I would have qualified for a minor in engineering, so I was told.) I really enjoy history because anyone who takes a minute to look backwards...

Monday, 03 March 2008

Must-Read Blog for Networkers

The reason so many security researchers can run their l33t 0-day attacks on Web appz is that they (usually) don't have to worry about the underlying network layers failing them. I've always been more interested in network plumbing, particularly at the WAN and backbone levels. If you sympathize, you must read the Renesys Blog. Posts like Pakistan Hijacks YouTube and Iran Is Not Disconnected are primers on how the Internet works. Those guys ro...

Best. Quote. Ever.

2003: "IDSs [intrusion detection systems] have failed to provide value relative to its costs and will be obsolete by 2005." (Gartner, "Gartner Information Security Hype Cycle Declares Intrusion Detection Systems a Market Failure")

2008: "Our adversaries are very adept at hiding attacks in normal traffic. The only true way to protect our networks is to have an intrusion detection system." (Robert Jamison, Under Secretary of the National Protection...

This Network Is Maintained as a Weapon System

I've been very busy the last two weeks, and this week is no different. I expect to resume my regular blogging schedule gradually this week and more next week. I'm posting to ask if anyone in the Air Force could send me an image like that posted at left, except taken when trying to visit TaoSecurity Blog. I think it would make a great laptop background if sufficiently large and high-quality. Thank y...