An Interview with Richard Bejtlich

Recently I had the opportunity to interview Richard Bejtlich by email. Richard is a leader in the Information Security field and I am happy to be able to post the following.

Richard Bejtlich (pronounced bate-lik) is the Director of Incident Response at General Electric Company. He holds his Master of Public Policy (MPP) from Harvard University, and is the author of "The Tao of Network Security Monitoring: Beyond Intrusion Detection" and "Extrusion Detection: Security Monitoring for Internal Intrusions", and is a contributor to many other works. He writes the TaoSecurity blog at http://taosecurity.blogspot.com/. He is married and a father of two.

Chris:
The above is just a start of Richard's accomplishments, so first I'd like to start off by saying wow - you must have 28 hours in every day! Seriously, do you have advice on time management to share? How can you possibly get it all done?

Richard:
I sleep less. Seriously, I try to stick to a defined schedule, waking at 5:30 am and going to sleep between 10:30 and 11:30 pm. I just started running again, so the mornings that I run I only spend an hour reading technical books at my desk. The mornings I don't run I read for an hour and a half. We put the kids to bed between 7 and 8 pm. My wife and I spend some time in front of the TV afterwards, but I've recently started reading a non-technical book during that time -- unless The Office is on. My wife usually spends some time on her PC later, so during that time I return to technical reading or do some work in my lab.

When I read technical books I need to be at my desk. I underline passages that are useful and make some notes in the margins. I also keep a separate sheet with notes for my Amazon.com reviews. I also like to be near my laptop so I can look up software Web sites or interesting concepts. If reading a coding book I try the examples.

Some of you ask if I read entire books, or if I skim them. I addressed this and other reading tips in my 1 Jan 07 post Reading Tips.

I tend to be fairly focused. I try to set goals (which I don't always keep, but I try.) If I am really committed to finishing a book or project by a certain time, I might stay awake until 2 am. That's about my limit as a 36-year-old.

Readers might find it notable that my family does not own a video game console. I hear a lot of people are becoming Guitar Heroes these days, so maybe I have some extra time due to avoiding that game. However, after my shoulder heals (had surgery a few months ago), I intend to return to martial arts. That will decrease my free evening time.

Chris:
You also created the OpenPacket blog (http://openpacket.blogspot.com/) and a related packet repository, but there doesn't seem to be much activity there recently. Is this still a current project, and how can the community help?

Richard:
We are aiming for a formal 1 Feb launch of OpenPacket. It's been a long time since I proposed the idea, but we have a Web developer now who's done an amazing job on the current site. When we have the bugs worked out I expect OpenPacket to be a favorite spot for network security people. Check out the openpacket-devel mailing list for status updates. Once the site is really live I would enjoy seeing people contribute packet captures.

Chris:
Network Security Monitoring (NSM) is a fantastic concept for detecting and responding to attacks. However, the most common criticism I have heard is the (mostly human) resources required to implement it. Do you feel that small and medium businesses can add NSM in part or in whole? How would you sell NSM to these smaller organizations?

Richard:
I will be addressing some of this in February's Snort Report, so I will defer to that article. I also plan to address issues like this in my next edition of The Tao of Network Security Monitoring. It turns out I get far more questions on "selling NSM" than I do on implementing it. The next book will be more for the person who needs to make the case to his or her manager, or perhaps managers will like to read the book directly.

Chris:
Further, it seems like NSM practices would be a great way for an MSSP to stand out and provide real value. Have you heard of any MSSPs that are planning or currently offering these services?

Richard:
I do not know of any MSSPs practicing NSM, but that doesn't mean they don't exist. One organization I've seen doing a great job is the US Coast Guard, but they watch their own network. I really don't think it's possible for an MSSP to differentiate using NSM. Customers looking for MSSPs just do not understand the power of NSM vs "keeping the IPS running." I naively hope to take another crack at that issue in a second edition of Tao. However, if I expected to really make progress I would probably have started another MSSP!

Chris:
I feel that NSM education would be of value to new security practitioners because of its depth of view - going beyond the alert. Are you aware of any colleges or universities that are implementing NSM-related courses?

Richard:
I have seen a few college courses using Tao as a textbook. I do not know of any real NSM courses, however. I would be interested in teaching such a course at some point in my career, in a formal academic setting and not a security conference.

Chris:
NSM can be implemented with Sguil (pronounced sgweel) http://www.sguil.net or with disparate tools like an alert management console (ACID, others), session management (Argus), packet capture (Snort, daemonlogger), etc. Do you think Sguil or separate tools are more popular with NSM practitioners? Which do you recommend for someone starting out?

Richard:
A stable Sguil installation is absolutely the best friend any network security analyst could have. Sguil's biggest problem remains its installation. Just today I spoke with Sguil creator and sole developer Bamm Visscher about simplifying installation.

Chris:
For Snort, do you suggest running Sourcefire official rulesets, Bleeding Threats - now Emerging Threats - rulesets, in-house rules, or a combination of the above? What do you use or recommend to manage configurations and rulesets of multiple sensors?

Richard:
I recommend selecting the rules that make sense for your organization. Usually that involves subscribing to Sourcefire's VRT rules and adding Emerging Threats where appropriate. I also strongly encourage writing your own rules. The best Snort management tool is a Sourcefire console. Outside of that you're usually using something home-grown, mixing in Oinkmaster and maybe something else.

Chris:
There are several commercial projects that provide Network Behavioral Anomaly Detection (NBAD) to detect attacks by looking for changes in network behavior. Do you have any experience with these products, and what is your feeling on them?

Richard:
I have some limited experience with some of these commercial products. In some ways the concept is sound, but in other ways their detection models are not helpful at all. For me the biggest drawback is often cost and a closed platform. I can provide really powerful services using a commodity open source platform. I know of an immense military organization that built its own $40,000 "Ultimate NSM Appliance" using open source tools from my first book. It's a trade-off -- you've got to consider internal personnel skill sets, supportability, political issues, organizational culture...

Chris:
You're the expert - anything else you would like to add?

Richard:
I will be incorporating NSM into my TCP/IP Weapons School class at Black Hat DC on 18-19 February. Please register before 8 Feb 08.

http://www.blackhat.com/html/bh-dc-08/train-bh-dc-08-ts.html

If you have more questions, please send them to me and I will address them on my blog or in future Snort Reports.

Thanks again for the chance to speak with your readers!