FloCon 2014: Tutorials

Earn 2.6 CEUs while attending FloCon. The full registration fee to FloCon 2014 includes access to the introductory or advanced tutorial tracks of your choice. The tutorials are taught by members of the SEI technical staff and other network security experts.

The CEUs offered through the SEI Professional Development Center are in the public domain and are granted based on the total class hours. Any organization may award a traditional CEU without requiring any accreditation. Our instructors confirm students' participation in the full course, and students receive credit for the full amount of CEUs.

Monday, January 13, 2014: Morning

Introductory Track 1: Building Large Network Monitoring Systems with Argus
Carter Bullard, QoSient, LLC

Tutorial Description
This will be a half-day tutorial on the meta-data support in argus and argus clients. You should know these as argus labels, which support geolocation tagging, application identification tags, and user-defined labeling of flows and traffic. In this tutorial, Carter Bullard will talk about how to use things like ARGUS_EVENTS to tag flows with the application, user, and process id from the end system; content specific labeling; and advanced analytic tagging.

Presenter Biography
Carter Bullard is the CEO and President of QoSient, LLC, a research and development company focusing on cybersecurity capabilities for large-scale data networks. Bullard has held both academic and industry positions directing and performing research in the areas of network and systems cybersecurity, high-performance assurance, awareness, protection, and optimization; he has worked with U.S. National Laboratories, FFRDCs, the U.S. DoD, Naval Research Laboratory, the U.S. Justice Department, and industry organizations.

Bullard started in cyber security at Georgia Tech in the mid-1980s, when he managed the Georgia Tech networks and the SURAnet portion of the NSFnet backbone. Bullard was directly involved in the response to and analysis of the "Morris Worm" and investigations of the "Legion of Doom," but his cyber career officially started in 1991 at Carnegie Mellon University (CMU), with his involvement in establishing the first research program in network vulnerability analysis and assessment at the organization now known as the CERT Division of the Software Engineering Institute. At CMU, Bullard pioneered the concepts of network vulnerability analysis, network situational awareness, and forensics, developing tools to analyze the network signatures of attacks by Kevin Mitnick and others. Within the networking industry, Bullard developed security architecture and products for ATM and IP, and authored over 20 contributions to the ITU, IETF, and the ATM Forum in the areas of network security and control. Recently, Bullard has focused on cybersecurity and network virtualization, secure cloud architecture, ultra performance assurance, optimization, and awareness for very large-scale distributed systems for the U.S. DoD, federal agencies, and the communications industry.

Introductory Track 2: Skill-Building in Flow Analysis
Ron Bandes and Tim Shimeall, Carnegie Mellon Software Engineering Institute

Tutorial Description
Explore a data set via a series of guided exercises. The goal is to apply various analysis approaches. We will provide a hands-on introduction to SiLK Flow Analysis Tools. There will also be a time for discussion of methods applied, results generated, and insight gained.

Presenter Biographies
Ron Bandes is a Network Security Analyst in the CERT Division at the Software Engineering Institute (SEI) based at Carnegie Mellon University. In addition to analysis, he loves to teach and keeps his hand in software development. He analyzes network issues by day and teaches Information Security at Carnegie Mellon by night. In the past he ran his own consulting business, helping clients to build networks and to establish operations practices. Bandes holds a BA in Computer Science and Psychology from SUNY Potsdam and a master's degree in Information Security, Policy, and Management from Carnegie Mellon University.

Tim Shimeall is the Senior Network Situational Awareness Analyst of the Cyber Threat and Vulnerability Analysis in the CERT Division at the Software Engineering Institute (SEI). The NetSA team is involved in supporting secure decision making at the enterprise level and at higher levels. The work of this team involves substantial collection and analysis of network data, ranging from traffic and application data to incident and vulnerability data. Shimeall's work is highly empirical and often involves application of formal methods to practical problems facing network security and operational personnel.

Before joining the SEI, Shimeall was an Associate Professor at the Naval Postgraduate School in Monterey, CA. He was an active instructor on a variety of topics in software engineering, information warfare, and security, and he supervised more than 30 master's degree theses and 3 Ph.D. theses. Shimeall has taught courses for a variety of educational institutions and private corporations, in both local and distance learning formats.

Monday, January 13, 2014: Afternoon

Advanced Track 1: Bro Crash Course
Seth Hall and Liam Randall, International Computer Science Institute

Description
Bro is a stateful, protocol-aware, open-source, high-speed network monitor with applications as a next-generation intrusion detection system, real-time network discovery tool, historical network analysis tool, real-time network intelligence tool, and dynamic active response tool. Bro was originally developed by Vern Paxson, who now leads the core team of developers/researchers at both the International Computer Science Institute in Berkeley, CA, and the National Center for Supercomputing Applications in Urbana-Champaign, IL.
Bro provides security teams with logs of highly structured data about their networks, a Turing complete scripting language through which they can interact with real-time stateful network events, and flexible open interfaces through which Bro can be programmed. Pragmatically able to interface with the entire network stack, Bro includes support for IPv6, tunneled traffic, SSL, and more. In this training session we present multiple case studies and demonstration sessions and provide an interactive training environment to review:

Bro Introduction: Overview of Events and Logs
Beyond signature-based IDS: utilizing Bro as a programmatic network monitor to detect events
Real-time passive network service discovery with Bro on complex traffic links (MPLS/IPv4/IPv6)
TTP & IOCs in Bro: Detecting common malware families with Bro IDS
Bro Summary Statistics & Streaming Algorithms in Bro

Presenter Biographies
Liam Randall is a managing partner at Broala. Liam earned a CS degree at Xavier University and has worked as a network administrator on some very large networks in the public and private sector. Liam has spent the last few years setting up internal security teams dealing with a myriad of compliance, regulatory, and technical issues primarily in the banking, telecommunications, and education sectors. Liam volunteers on a number of open source projects, including Bro-IDS and the SecurityOnion IDS Distro. You can follow Liam on Twitter @Hectaman and you can learn more about Bro at www.bro.org.

Seth Hall is a research engineer in the networking group at ICSI and co-founder of Broala. Seth's primary activity is working on the Bro Intrusion Detection System and promoting its use in various industries under a grant from the NSF in the SDCI program. Seth earned an undergraduate degree in Geography from The Ohio State University. You can follow Seth on Twitter @remor and you can learn more about Bro at www.bro.org.

Advanced Track 2: Advanced SiLK Analysis
Geoff Sanders and Tim Shimeall, Carnegie Mellon Software Engineering Institute

Tutorial Description
You have installed the NetSA Security Suite, read the Analyst Handbook, and have some hands-on familiarity. What's next? This course will focus on applying the SiLK suite to real-world problems. A general methodology for developing analytics will be introduced, which will then be applied to use cases common to a Security Operations Center (SOC).

Presenter Biographies
Geoffrey Sanders is a member of the technical staff for the CERT® Coordination Center in the CERT Division at the Software Engineering Institute (SEI). As a member of the Network Situational Awareness (NetSA) analysis team, Sanders supports sponsors in multiple areas of network systems security and survivability. His current areas of interest include analytics, big data, and data fusion.

Prior to joining the SEI, Sanders worked as a security architect in the defense industry. His experience includes more than 10 years in systems security engineering, analysis, and vulnerability assessment/penetration testing.

Tim Shimeall is the Senior Network Situational Awareness Analyst of the Cyber Threat and Vulnerability Analysis in the CERT Division at the Software Engineering Institute (SEI). The NetSA team is involved in supporting secure decision making at the enterprise level and at higher levels. The work of this team involves substantial collection and analysis of network data, ranging from traffic and application data to incident and vulnerability data. Shimeall's work is highly empirical and often involves application of formal methods to practical problems facing network security and operational personnel.

Before joining the SEI, Shimeall was an Associate Professor at the Naval Postgraduate School in Monterey, CA. He was an active instructor on a variety of topics in software engineering, information warfare, and security, and he supervised more than 30 master's degree theses and 3 Ph.D. theses. Shimeall has taught courses for a variety of educational institutions and private corporations, in both local and distance learning formats.
