If you haven’t heard of Community SANS courses before, I encourage you to have a look at this new format (new outside the US, where it’s been running for years). This is a great way of bringing the popular SANS courses to your local security community at a reasonable cost, especially for those that can’t attend the major events.  It’s worth mentioning that unlike the SANS Mentor  sessions, these are delivered over a six-day period, just like it is at a larger SANS event, including the full set of books and access to audio files. They are just delivered in your own community, in a small classroom setting and at a discounted cost for tuition and travel expenses.

I’ve already described my experience with SANS, both as student and facilitator, so I won’t go over that again. Also, you can find a further detailed description of the Security 503 track on SANS website, an outstanding course that I’ve already described as the “most valuable course I’ve ever taken”. However, I want you to listen to Mike Poor, instructor at the SANS Institute and co-author of this course (along with Judy Novak and Guy Bruneau), describing it on YouTube. Mike Poor is both an amazing professional and a great guy that I had the opportunity to meet at SANS Sydney in 2008, when I took his Penetration Testing class. As Mike would say, this IDS course is simply “awesome”!

You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

The following information is extracted from Doug’s Security Onion blog:

What is it?

The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?

The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?

-The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.

-The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.

-The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.

I haven’t had a chance to download it yet, but I will definitely give it a try over the next few days. I’m very interested in trying out the IDS installation feature and see how it compares to other Sguil installation scripts like NSMnow. I’m currently working on the deployment of a good number of Sguil servers/sensors and NSMnow has reduced significantly the time needed to get them up and running. Hence, any new development on this topic is more than welcome.

I will keep posting my findings on this new exciting tool!

That’s been what I call my ‘SANS itinerary’ since I started this exciting journey back in June 2007. It all started at SANS Secure Europe, in Brussels, where I took my first SANS class with Jess Garcia, CEO of One eSecurity and a good friend of mine. It was SECURITY 508, System Forensics, Investigation & Response, an awesome track created by Rob Lee on one of the most interesting and hot topics of Information Security. It’s been almost two years since then, but now I realize the tremendous positive influence that event had in my career as a security professional.

Early on the first day, I could see that was a different kind of training, far different from all the training sessions I had attended before, including the well-known CISSP bootcamp and vendor specific training like Checkpoint‘s and others I took in the past. Unlike those, this was real hands-on training, with lots of exercises and challenges, including the use of several virtual machines and an arsenal of security tools you can take home with you. Also, the amount of material you receive throughout a 6-day course is awesome. Someone described it like “drinking directly from a fire hose”. Actually, I can’t describe it better.

Add to that a friendly, relaxed but yet professional atmosphere, and the multiple opportunities you get for both networking and sheer knowledge with attendees and instructors and you will understand why Brussels was only the start.

With Carlos Fragoso and Richard Fadul at SANS Secure Europe 2007 in Brussels

Next came London, in December 2007. That time I chose the challenging SECURITY 503: Intrusion Detection In-Depth. I don’t exaggerate if I say this is the most advanced course in network intrusion detection and traffic analysis that has ever been taught, and by far the most valuable course I’ve ever taken. The quality of the material is outstanding (I keep using it as a valuable reference) and the fact that I had Dr. Johannes Ullrich (Chief Research Officer for the SANS Institute and responsible of the Internet Storm Center) as instructor was really a plus. Even if you knew nothing about IDS I guarantee the first thing you will do when you’re back home is setting up a Snort sensor or even deploying a Sguil NSM System!

Last thing I can say about this course is that I actually enjoyed it three times: first at the live event, second when I went through the entire courseware and exercises again to prepare for the GIAC exam, and third, when listened to the mp3 files of Mike Poor teaching the same material in a different venue. Two instructors for the price of one!

The same was true of my third stop, SANS Sydney in November 2008. This time it was SECURITY 560: Network Penetration Testing and Ethical Hacking, delivered by Mike Poor (I was looking forward to meeting him!!) and authored by Ed Skoudis.

While this is described by SANS as “one of the most technically rigorous courses offered by the SANS Institute”, I had some advantage with this one. While my previous experience in areas like Forensics and IDS was limited, I had been doing penetration testing at different professional levels for more than 8 years. Although I was certainly familiar with many topics and tools like Nessus, Nmap, Metasploit and others, there were plenty of advanced tips and tricks that made this course worth the money. I will just tell you that the section on Windows command line kung fu for pentesters and the exercises on password cracking using advanced Netcat relays will leave you breathless!

Ultimate hacking with Damian Grace and Robert Di Pietro at Mike Poor’s class in Sydney!

Then again, I enjoyed listening to Ed Skoudis’ mp3 files while commuting to work for the last couple of months before I took my GPEN exam. Thanks Ed for making traffic jams a lot more bearable!

My GIAC Certs: GCFA, GCIA and GPEN. Watch the 99% score on the last one!

As I said before, so far this journey has given me the opportunity not just to receive top quality training from some of the best security instructors in the world, but also to meet great professionals, colleagues and friends that make you feel part of a unique security community. Some of the people I’ve had the opportunity to meet and even hang out with includes Jess Garcia, Mike Poor, Johannes Ullrich, Raul Siles, David Perez, John Fitzgerald, Pieter Danhieux, Richard Fadul, Carlos Fragoso, Almerindo Graziano, Jonathan Ham, Justin Clarke, Robert Di Pietro, Chris Mewett, Damian Grace, etc… and many others I am fortunate to keep in touch with.

Now, the next stop in my ‘SANS itinerary’ will be Amsterdam in May this year. This time I’m proud to say that I’ve been selected to facilitate at SECURITY 542: Web App Penetration Testing and Ethical Hacking, a new 6-day track written by Kevin Johnson and focused on finding and exploiting web application attack vectors. Seth Misenar will deliver this track at SANS Secure Europe 2009 in Amsterdam.

Best thing this time is that, in addition to attending the course, as a room facilitator I will have the opportunity to work closer with all the instructors (specially with Seth) and other fellow team members.

I look forward to that!

I’m not usually very excited about posting on LinkedIn Discussion Groups. On top of that, I don’t even have the time to blog anything on my own site. However, I could not resist to write a comment on that discussion about what the best IDS system is. Not when I read the following comment:

Actually the idea of an IDS system has been obsolete for a few years now. Given the latest events in the security area, there are plenty of traffic anomalies far more advanced than relatively-simple signatures out there to deal with.

The best approach nowadays is the IPS (Intrusion Prevention Systems) which would not only detect and inform IT management of the attack events but will also apply the necessary countermeasures to them. Most important of all, this must happen at wire-speed with ASIC-based systems.

Ok, I understand that IPS vendors and resellers have the right to claim what they want, but saying that “the idea of an IDS system has been obsolete for a few years now” is simply too much for me.

Just in case you are not registered with LinkedIn, the following is the comment I’ve just added to that discussion:

I respect everyone’s comments and views, but obviously some of the above are clearly biased. It’s not the first time we hear comments like “actually the idea of an IDS system has been obsolete for a few years now”.

Back in 2003, Gartner analyst Richard Stiennon stated, “IDSs have failed to provide value relative to its costs and will be obsolete by 2005″. Well, although I understand that claim (keep reading), many security analysts will tell you that IDS is very much alive and recent findings like those covered in the “Verizon Business 2008 Data Breach Investigations Report” support this (see http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report).

First thing to know is that IPS and IDS are different things and that they fit in different layers of the Defense In-Depth strategy and in different phases of the well known Assessment-Prevention-Detection-Reaction loop. IPS devices are meant for intrusion prevention and always run “inline”, very much like firewalls, whilst IDSs (whether network or host based) are passive solutions obviously designed for intrusion detection. Both technologies are complementary and should be part of a holistic security strategy. In many scenarios you will not be able to prevent and stop all attacks with a 100% accuracy. Thus, when prevention fails, what else is left? Detection and then reaction.

However, an IDS is not that different to an IPS from a technology point of view. Take Snort as an example, which is the most widely deployed intrusion detection solution in the world and actively used by large organisations like DARPA, GSA, NIST, NSA as well as the US Armed Forces. Get Snort running in inline-mode with active-response enabled and you have an IPS. Same product but different configuration sitting in a different place on your network. So take and IDS, put it inline and get a third party to manage it and there you have your IPS. Now you understand why most vendors will tell you that IDS is dead.

However, I can understand why many people still claim that IDS is dead. Many fail to understand that an IDS is not a “Plug and Play” device. The state of the art of IDS has not yet evolved to a point where they can be plugged and work accurately right out of the box, and it won’t be for a while. It is imperative to have a trained and competent analyst (or team of analysts) tunning, updating, examining and investigating the output from the IDS. Do you have the resources to do that? Well, that should be part of the cost analysis of implementing any IDS/IPS solution. Now, with many IPS devices a big chunk of that work can be externalised on a third-party, namely Managed Security Services Providers (MSSP).

As far as what solution is right for your site, it is a decision that depends on your site configuration, your team skills, your network bandwidth, your budget, organisation’s risk appetite, just to name a few. I would suggest to combine both IPS and IDS solutions, implementing them in different parts of your network as part of a comprehensive Defense in Depth strategy.

Finally, I recommend you have a look at open-source solutions like Snort, Bro (not all IDS are signature-based only) or even more advanced NSM solutions like Sguil (I really like this one), Hex, etc… See if you have the necessary skills and resources to implement and maintain them, as it won’t be easy. Otherwise hire a specialist to help you out with the implementation if you decide to go down that route.

As of commercial IPS solutions I have a very good feedback from Juniper devices. Also check with your firewall vendor, as integrating firewall and IPS management under the same console makes sense.

Feel free to flame me if I’m wrong.

By the way, I thought there was no better place to start my new blog than right from where I am. If you keep reading my blog (thanks for that) you will see there are many things I enjoy. One of those is traveling, and London is one of my favourites places, and other one is technology, specially anything related to Information Security. And yes, that includes Macs! In fact I’m currently typing in one of the new iMacs, and you know how difficult is to find a free one, if you have ever been here.

Well, let’s keep this post short for now. I’m heading to the airport to catch my flight back home. I’ll be posting here soon, so stay tuned.