Episode 7, Richard Bejtlich Interview
Make sure to send us feedback so we can make the show even better
Links:
Bejtlich.net Interests page
Bejtlich's Top 10 books
Bejtlich's Books
Bejtlich's Bloglines
Bruce Schneier's "Monitoring First"
USENIX Security 2006 in Vancouver
USENIX LISA 2006
Bejtlich's Company
Bejtlich's Blog
Bejtlich's Amazon Reviews
TCP/IP Weapons School
INFORMATION SECURITY MAGAZINE Buy the Book
RYOS, Episode 7 - Richard Bejtlich Interview
Thud: The RunYourOwnServer
podcast for July 23rd, 2006.
Thud: In this episode: an
interview with Richard Bejtlich. Mr. Bejtlich is
the founder, president, and CEO of Tao Security.
Tao Security was founded to help clients detect,
contain, and remediate intrusions using network
security monitoring principles.
Thud: Here is Gek with the
interview.
Gek: I was fortunate enough
to attend the SANS Log summit last week, and I
noticed Richard Bejtlich in the audience. I sent
him an email and asked him if he would do a short
interview with me, and he agreed. This is the
recording of that interview. He is the author of
"The Tao of Network Security Monitoring - Beyond
Intrusion Detection", as well as "Extrusion
Detection - Security Monitoring for Internal
Intrusions." He regularly gives lessons and talks
to security professionals. I follow his blog
at taosecurity.blogspot.com and I could
not pass up this chance to interview him. Here is
how it went.
How do you stay current on the latest security
info?
Richard Bejtlich: Well, I've recently
become a convert to Bloglines, and since
learning about Bloglines and deciding that it is OK
to look at other people's content through a single
source, I've added about 100 different blogs or RSS
feeds or ATOM feeds into my Bloglines account. So
if you want to see what I look at, you can go
to bejtlich.net, and I have an
interests page. On the interests page, you'll see
at the very top I've got a Bloglines listing there.
Or I guess if you went to Bloglines and searched
for Tao Security you would find it. The other way
that I keep up is, there's a certain set of mailing
lists that I read and, again, those are posted on
my interests page. I would keep in mind that I'm
very specific with security and within security I'm
very specific to network-centric topics, and by
network I mean traffic and packet-oriented type
stuff, so you'll see heavy emphasis on that.
Gek: What would you suggest
for someone who is being the jack-of-all-trades to
help them develop a basic security understanding
and some good practices?
Richard: That's a good question.
I was asked to provide my favorite ten security
books of the last ten years by BookPool last year,
and so I put out this list, and of course I
couldn't put one of my own books on there to be
fair, so I picked ten books of other people that I
liked. What I would say is that, I guess we'll
provide a link to that, but if you were to pick out
a selection of those books, among them would
probably be Ed Skoudis' "Counter Hack Reloaded", I
think that's probably the single best volume to
start you up with understanding of security.
There are several other books on there. I think,
for example, anyone who is involved with security
should be familiar with the "Hacking Exposed"
books. For example, you can just get the fifth
edition of "Hacking Exposed" and that'll give you a
nice overview of what's out there. I think that
would do you pretty well in terms of getting your
feet wet.
Gek: How would you like to
see people contribute to the security community?
Richard: Well, this is going to
sound like an odd request, I think, but I would
like to see more disaster stories. In some ways I
consider myself a security engineer, although I
think the term engineer is widely misused and I shy
away from it wherever possible for myself, but in
engineering there is an idea of studying failure
and as far as digital security goes, we don't spend
hardly any time studying failure because no one is
willing to talk about what went wrong.
We are starting to see more disclosures of security
incidents, mainly due to legislation, and it tends
to raise public awareness. But I would like to see
the story about when somebody's defenses failed and
they were owned and this is what happened. For
example, I wrote an article for Information
Security Magazine about this, "Engineering
Disasters", that there is a wonderful show on I
think it's History Channel called "Engineering
Disasters", and they go through all these famous
engineering problems of history.
It's very easy for someone to notice when a bridge
falls down or when a building collapses, there is
no way around it, and all the civil engineers and
architectural folks and structural engineers, they
can see what happened. But when a network fails,
most likely no one ever knows about it, or if you
do know about it, you only get vague details. I don't
quite know how to do this, I would be interested in
collecting maybe anonymous stories from people with
details of what went wrong. I think that would go
very far to help promote security.
Gek: What do you think the
biggest net insecurity is? What would be the first
thing you would examine or deploy to give you
protection?
Richard: When I look at
security, I take a look at four steps, and I call
them "prepare", "resist", "detect", and "respond."
You'll notice that I don't use words like
"protect", I don't use words like "prevent",
although I have, even in some of my earlier
writings, used terms like "protect." I've decided
that that isn't very accurate because everybody
eventually gets owned at some point. So "resist" is
a better term. Throughout all four of those stages,
though, you have to have an idea of who the threat
is, what they are doing to you, and what the state
of your security posture is.
So the very first thing I would recommend everyone
do is to get some visibility as to what's happening
in their enterprise. If you have no idea what's
going on in your company, there is no sane way that
you can try to deploy defenses. Sure you can follow
some standard best practices of implementing access
control and defense-in-depth and patching and such,
but you could be putting in all these theoretical
things that you think are helping, and meanwhile
you've got a gaping hole that you just didn't even
realize. Connecting a network that you didn't know
existed to machines that you didn't know existed.
So in my opinion, the very first thing you have to
do is to get visibility of the network. Bruce
Schneier, several years ago when he first started
Counterpane, wrote an article called "Monitor
First", and I really believe in that. When I was in
the Air Force we did that in the very early '90s.
First thing that the Air Force did when they
decided to see the state of the network posture was
not to do a vulnerability assessment but to put
sensors on the wire and see who was taking
advantage of misconfigurations. Once you have that
kind of information, you can do a much better job
allocating your scarce resources and deciding where
to apply countermeasures and such.
Gek: In your book, "The Tao
of Network Security - Beyond Intrusion Detection",
you talk about how important it is to capture
things real-time as well as go back over things and
analyze them for anomalies. Can you speak to that a
little bit?
Richard: Sure. I've been on both
sides of the fence. When I was in the AFCERT, I was
in charge of the real-time intrusion detection
mission, and obviously through my own work and
working at my own MSSP and things like that I've
done what we usually call batch detection.
It's been my experience that you never really catch
anything that good in a real-time mode, because
real-time detection implies that you know exactly
what you're looking for, that you're there when it
happens, and that you get good data about the
incident. Getting all three of those things
together at a single point in time is very
difficult.
I'm extremely skeptical whenever I see SLAs
involving manual security providers that promise
15-minute discovery. Really what they're promising
is that within 15 minutes of them discovering the
incident, they will notify you. Of course the
incident could occur two days earlier, but as soon
as they find it, they're going to tell you. I don't
really fault them for that because it's extremely
difficult to find anything good in real-time.
Some exceptions, I've seen people merrily conduct
some of the early SQL insertion attacks by hand and I
was sitting there watching this guy fumble around
with his SQL syntax. But for the most part, anyone
who is really good, I mean I'm not talking about a
virus or worm or somebody running a pre-canned
exploit, anybody who really knows what they're
doing is not going to be caught by a real-time
system. You have to have a capability to collect
data for incidents that you didn't expect and then
be able to go back through that data and find
things that are interesting.
Gek: Do you want to talk a
little bit about the TCP/IP weapon school that
you're going to be giving?
Richard: Sure. Currently, my
company Tao Security offers a four-day network
security operations course, and that course is made
for anyone whose responsibilities include
detection, monitoring, incident response,
forensics, the key security components of running
an operation. My requirements for that course are
fairly high in the sense that I do a lot of traffic
analysis and pattern analysis, but I don't teach
any TCP/IP. So some people came to me and said,
"Hey Richard, why don't you teach a TCP/IP course?"
I didn't want to teach the standard, global
knowledge, boring this is TCP/IP headers and this
and that, so what I decided to do was try to come
up with a course that was TCP/IP except with a
cooler angle. What I did was I decided to start
with layer one and work my way up the OSI model and
show standard traffic, but then show you ways to
fool around with the traffic or to manipulate it.
For example, layer one there is really not a whole
lot you can do, but I do go through how to set up a
fake access point.
Layer 2, though, is when it gets really pretty
interesting where we start messing around with ARP,
we conduct some VLAN hopping, use tools like
Yersinia, arp-sk, and Ettercap, and we talk about
some intrusions that have been done with
man-in-the-middle attacks. So that kind of stuff is
really interesting, and then layer three after
that.
Thus far, I've developed the first two days of the
class and that's what I'll be teaching at Usenix
Security in Vancouver at the end of this month.
I'll also be teaching those first two days in
Washington DC in December for Usenix for the LISA
conference. I do plan, however, to finish off the
OSI model, do the other two days, get through
layers four through seven and present a full
four-day course.
It will probably be a private course because there
aren't too many public venues where they would have
somebody speak for four days, but if anybody is
interested in that four-day course or my other
network security operations course, please feel
free to contact me.
Gek: I might take you up on
that if I can get my company to sponsor it.
Richard: OK, yeah, what we
usually do is private courses. Generally it's about
an eight-student minimum and they're fun. We do no
more than 16 students, and we have a blast.
Gek: Do you hold them in
Manassas?
Richard: I'll go anywhere. Well,
almost anywhere. I've been to all of the states,
Canada, Europe. That's pretty much where I operate.
Gek: OK, cool. All right,
was there anything else that you wanted to go over,
anything you've been thinking about?
Richard: I don't know, I'd ask
people if they're interested in any of these topics
to visit my blog,
taosecurity.blogspot.com. The things I like to
write about in my blog are anything to do with
security in FreeBSD. I use FreeBSD for all my
security implementations, so I talk about how I set
things up, what I use, cool innovations in FreeBSD
that might help me. There is a little tiny bit of
Debian because I use that whenever I have to use
Linux.
On the other side, on the purely surface security
discussion side, I try to keep up with what's going
on and different security events. Sometimes I try
to spur discussions to move things along, get
people thinking about what's happening with
security. So, anybody who's interested in that sort
of thing, come on by, enjoy.
Gek: I have to say, there
are only two security blogs that I watch. You've
mentioned Bruce Schneier; he is the other one. I
only watch your blog and his and that's it.
Richard: That's cool. There is a
bigger world out there, but I appreciate it.
Gek: For my purposes, those
are the only two I need.
Richard: OK.
Gek: All right, thank you
very much, I appreciate you taking the time to sit
down with me and answer a few questions.
Richard: You bet. I appreciate
you inviting me.
Gek: All right. Take it
easy.
Richard: All right.
Gek: Another thing I learned
about Richard while preparing for this interview is
that he has a large number of Amazon book reviews.
I've included a link to his reviews in the show
notes.
Thud: For show notes or other details, please visit
our website at runyourownserver.org.
If you would like to send us feedback or have
questions you would like us to answer on the show,
please send an email to podcast at
runyourownserver.org.
The intro music, "I Like Caffeine" is by Tom Cote.
This song, "Down the Road" is by Rob Costlow.
Please visit our website for links to their
websites.
This podcast is covered under a Creative Commons
license. Please visit our website for more details.
Transcription by CastingWords