Friday, October 9, 2020

2020 CyberDefense Summit

My takeaways from today's talks:



Carson Zimmerman 

Keynote: Taking Your Detection Program to the Next Level


Engineering is difficult - stop lying to yourself and others about what the SOC needs to engineer, and engineer those items.



Don Murdoch

Building the Better Playbook: Techniques to Improve Repeatability


Build your playbooks in a repeatable manner to drive maturity and consistency.



Rob van Os

Metrics on Steroids: Improving SOC Maturity using the SOC-CMM


SOC-CMM is an exhaustive model for (self-)assessment of SOC Maturity and Capability. 



Steve Turner, Ben Tyminski

XDR - The Hidden Pitfalls of Evaluation and Deployment


XDR deployments have distinct limitations and capabilities. Leverage standard best practices while covering new ground.



Dan Banker 

And Then There Were None (More False Positives): Writing Better EDR Detections


Dan shreds his guitar - he also has obviously spent many hours eliminating the noise from his signal.



==LUNCH===



Peter Luo

Resolve Security Alerts with Adaptive Intelligence and Guided Response


Augmented Intelligence is available for scenarios you frequently encounter.



Kristy Westphal

Analysis 101 for Incident Responders


Develop your team's analytical methodology, and be ready to deal with the reality of not always being right.



Yochana Henderson, Mark Morowczynski

Hiding in the clouds: How attackers can use applications for sustained persistence and how to find it


"****** [devil|god|good god] is in the details." Flaubert, Mies van der Rohe, proverb... 

Make sure you understand what that configuration (button) does!





Ransomware Defense and Response: Minimizing Risk of an Increasing Threat

Gabriel Currie, Will Oram 


The main reasons ransomware is increasing: big money (140M pounds+ in 6 years) and many more leak sites that have driven organizations to pay ransoms.



Apurv Singh Gautam

Automating Threat Hunting on the Dark Web and other nitty-gritty things


Deep web? Data you're not allowed to see. Dark web? That's where your adversaries are coordinating their attacks on you and selling their illicit goods.




Christopher Lopez

Asking Questions and Writing Effectively


Are you asking the correct questions and capturing the appropriate information? Don't constrain yourself with needless process.



Saurabh Wadhwa

Resource Smart Detection with YARA and osquery


YARA: (Chess) If you see a good move, look for a better one.




Mark Baggett 

New Tools for your Threat Hunting Toolbox


Do what Mark does - save yourself one command a day; eventually you'll be bored and start to automate other stuff.

 

 

 

 https://sansgear.com/product-category/cyber-defense-forum/


 

Saturday, May 9, 2020

MY SANS Mentor to Certified Experience


This is a blogpost, and not intended to be a resume / CV quality recollection. So, some of the dates are off by a bit or missing. I went through the GIAC certification page ( https://www.giac.org/certified-professionals/directory/search ) and looked at the dates of certifications there and reconstructed this timeline of SANS classes and certs. I know there are a few missing (like the retired GIAC GSFP Fundamentals of Security Policy) that I took with James Tarala in 2007 (I think).
Rough Draft attendance and GIAC certs


Throughout this time, I was a facilitator for SANS because my employers couldn’t or wouldn’t pay for the classes. I facilitated at many conferences and summits.

I taught several semesters of classes at Tulane University College prior to Hurricane Katrina (August, 2005). The classes were BASH shell programming and Apache web server administration. These were in 2003-2005. I saw SANS as an opportunity to further my education and my interest in teaching on the side.

The first in-person class I took was SEC503 with Mike Poor at Virginia Tech during Spring Break, 2005. The classroom was a large auditorium with a couple hundred people in attendance. There was a funny wifi problem. Randy Marchany went on stage a couple of times asking people to turn off DHCP server in case someone was running one. Finally he went on stage and said, “*Joe Smith* you are running a DHCP server on your laptop. We’ve tracked your MAC address registered via our wifi registration to the DHCP Server serving bad leases. Shut it off now, or we’re going to come find you.”

In 2006, I was all over the place dealing with the aftermath of the disaster recovery from Hurricane Katrina. I was working remotely for Tulane still, I moved from Houston, to Memphis, to Athens, Georgia. Then, permanently to Maryland in the suburbs of DC.

In early 2007, I tried to run a SEC503 local mentor. There was no enrollment. I tried to run it again, maybe one person enrolled: cancelled. I tried again, one person: cancelled. SANS advised me to switch to SEC504. I don’t think they said this expressly, but it was essentially, “it sells much better and people will sign up for it.” Switch. I said no. I’ll do SEC503 first, I assured them.

My first SEC503 mentor session had three students. I ran it at the black rock center for performing arts with their projector. It went great. The three people in the classroom really enjoyed it, and learned a lot. I learned a tremendous amount. On average, I studied the material for about 10 hours for each hour of class time I led. I spent my spare time learning this content while I was working full time in the cyber security domain. I had left the work from home position and took a position with a government contractor.

I got a call one day from Zoher Anis. “Chris, SANS called me and asked me to pick up a SEC401 that had some problems. I don’t know all the details, but it has to restart next week. I don’t have time to teach all the classes because of some travel I had scheduled. Can you co-teach it with me? I told them I won’t do it unless you co-teach with me. They really want it to run.” Zoher and I had worked for the same company at one point and we knew one another through the SANS community and that company. We had a common interest in security. We started co-mentoring classes. SEC401, SEC560, and SEC504.

“Chris, can you go to Georgia in two weeks to teach SEC560?” Scott Weill was asking me.

“Let me check, Scott. I need to verify I can get the time off work.” I knew my managers supported the SANS work I was doing on the side. But, this was something last minute and out of the ordinary. I was managing a 24x7 monitoring and response team at the time. They approved it. I made arrangements for my backup to deal with the projects I was working on while I was gone.

The class went great. There were folks there from many different companies and agencies. I met Russel Eubanks, who had recently moved to Atlanta.
Talks I've written, download
from: https://mgt517.com/soc

When I returned to work, I had a tough conversation with my customer management. He told me that he liked what I was doing with helping people, but while I was gone, some things had gone poorly. He said, he knew that if I was there, I would have addressed it and there wouldn’t have been any impact. But, my backup wasn’t prepared to deal with the unexpected. He told me that if I was a manager of a team, I needed to assure that things went the same in my absence as when I was present, because I wouldn’t always be present.

When I left full time employment, I arranged with my contractor employer and the customer to stop being the manager, and become an analyst on the team that I had previously managed. Someone else on the team became the manager. 

Eric Conrad had approached me about a project he was working on that would involve travel and development work. SANS had asked me to start teaching SEC401 at the Learning Tree in five days. I asked them for at least ten of these runs in the first year. Ten scheduled, but only six filled. I had basically scheduled myself 150% of the time because I was afraid that my “pipeline” of work wouldn’t come through. I was correct in some ways, but still over subscribed.

(The talks pictured are extra presentations I've written and are publicly available for download from: https://mgt517.com/soc . It's the sort of extra work that needs to be done to continue to develop one's knowledge and community outreach in pursuit of being an independent contractor and SANS instructor.)

I became a Certified Instructor in 2012. “Jul 18, 2012 at 2:44 PM. subject: Promoted to Certified - Chris Crowley.” I was teaching a lot. I was travelling a lot.

I’ve been traveling a lot since 2011. I’ve been home since I returned from Tokyo, Japan on March 9th, 2020. Today is May 9th, 2020. (Update: August 18th, 2020 and I haven't left home for any work travel yet.) I think these two (now five) months are the longest contiguous time period that I’ve stayed at home without work travel in the last ten years. I’m really enjoying it. I’ll be happy to pick up when it’s safe to resume travel.

There’s a new chapter unfolding for me in 2020. I’m really excited to tell you about it, but I can’t yet. It’s going to be a really big surprise, and you won’t guess what it is. Some of you are going to hate it, and some of you are going to be really happy for me. I'm excited! (Update: this has been deferred until 2021, but it is still coming to fruition!)

Monday, June 24, 2019

2019 SOC Summit - Action Items

Slide decks for talks available here:
https://www.sans.org/cyber-security-summit/archives/cyber-defense

Youtube Video (duration: 8:35) of these items: https://www.youtube.com/watch?v=W-GGqx-q_Rg

=-=-=- Day 1 =-=-=-

Keynote: Lessons Learned Applying ATT&CK-Based SOC Assessments
Action Item: Plan for an ATT&CK based assessment to identify coverage, internal or third party.

Use Case Development Utilizing an ARECI Chart
Action Item: Identify Gaps in coverage using ARECI charts built from use cases.

Use Cases Development as a Driver for SOC Maturation
Action Item: Tune down the noise.

A SOC Technology/Tools Taxonomy – And Some Uses for It 
Action Item: Compare your deployed SOC infrastructure to the proposed taxonomy.

Mental Models for Effective Searching
Action Item: Minimize time spent at the blank search bar by developing effective capability.

Managing Security Operations in the Cloud
Action Item: Familiarize yourself with cloud defenses available and integrate into the DevOps cycle to leverage them.

Virtuous Cycles: Rethinking the SOC for Long-Term Success
Action Item: Autonomy, Mastery, Purpose. Skills, Empowerment, Creativity, Growth. Automation->Efficiency->Metrics

2019 SANS SOC Survey Preview: Live Simulcast
Action Item: Download and read the 2019 SOC Survey when it comes out.


=-=-=- Day 2 =-=-=-

How to Disrupt an Advanced Cyber Adversary
Action Item: Focus on Network Awareness, Cyber Hygiene, and proper Device Configuration.

Breach -> ATT&CK -> Osquery: Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring
Action Item: Whatever you choose to instrument your endpoints with, learn the granular differentiation of the host that will make detection and hunting meaningful.

Shared Security Services: How to Adjust to an Ever-growing Landscape of Security Operations Center Responsibilities
Action Item: Tell a good story about your SOC, and your internal collaborators.

The Call Is Coming from Inside the House: How Does Your SOC Respond When Attackers Are On-Site?
Action Item: Make people disappear. Think about how the physical matters.

How to Literally Think Like an Attacker to Become a Better Defender
Action Item: Think

Arming SecOps with a Special Forces Targeting Process
Action Item: Advance your thinking using intelligence

The Case for Building Your Own SOC Automations
Action Item: Automate good capabilities, that you already have or want. SOAR tools not required.

Rapid Recognition and Response to Rogues
Action Item: Know thy network (as much as you can).

This Will Never Work: Tales from Disappointingly Successful Pen Tests
Action Item: Demonstrate weakness to drive improvement. Take time to laugh.


Saturday, June 22, 2019

New Orleans Recommendations

(Updates in 2018-02: Add these to your list: Willa Jean, Mammoth Espresso, Doris Metropolitan, Latitude 29, Spitfire Coffee, Paloma Cafe)

Since we're in the CBD, my favorite nearby places are Cochon (but I really like Butcher, it's less formal), Peche, Compere Lapin, August ($$$), Willa Jean, Juan's Flying Burrito (CBD location), Carmo, Luke on St. Charles (great happy hour)...

Nearby for coffee: Revelator Coffee
Nearby for wine: Keife & Co, W.I.N.O
Nearby bar for hangout: Lucy's Retired Surfer, Vic's Kangaroo 

Stuff I'm going to check out this trip in the area that has opened recently: Bakery Bar, Espiritu, 

Magazine Street - Starting from Calliope, and running uptown, Magazine is a funky shopping district with lots of interesting independent stores. Check out Juan's Flying Burrito for awesome creole Mexican food. Cheap, filling, and good quality. (And loud music.) Lilette is expensive fine dining near Louisiana Avenue.

If you're uptown, check out Oak Street. Zotz is a cool coffee shop. For dinner, you can try Jacques-Imo's. It's a little pricy, but decadent New Orleans style food. If you want that same type of food for cheap, Crabby Jack's on Jefferson Highway is run by the same guy. My favorite there is Blackened Gulf fish with crabmeat remoulade sauce. Their Duck & Andouille gumbo is pretty damn good, too. Freret Street between Jefferson and Napoleon has become a culinary wunderbar. Amazing because when I lived there it was dangerous and all boarded up. Breakfast at Bearcat Cafe is excellent. High Hat is New Orleans style. Ancora Pizza is well regarded.

Museums: Ogden (regional folk and outsider art), Museum of Modern Art, Contemporary Arts Center. The D-Day (WWII) museum is supposedly really good. There's also a civil war museum.

Ride the St. Charles Streetcar line uptown to Audubon Park, or go on the Canal Streetcar line to Mid-City for City Park and the botanical gardens. If you're in Mid-City go to Angelo Brocato's Italian bakery for cappuccino, gelato, and cookies. It's at Carrollton and Canal Street.

Vietnamese food in NOLA is some of the best you can find in the country.  My favorite is Nine Roses. It's on the west bank (of the Mississippi) and a little hard to find, but we have big family style meals with between 5 to 20 people. It's an amazing feast, and ends up being about $25 per person.

For nice quarter restaurants, I suggest Bayona, NOLA (Emeril's place), Pelican Club, Mr. B's, or Palace Cafe. They're all fairly expensive. Tujaque's is old school New Orleans. Have lunch at Napoleon house. Definitely go to K-Paul's (Paul Prudhomme's cajun restaurant).  Find Cochon Butcher (butcher is the cafe style, Cochon is fine dining style) in the CBD (other side of Canal) for lunch. Any of Donald Link's restaurants are great. My current favorite restaurant in New Orleans is Restaurant August.

In the Treme (on the edge of the french quarter) check out Lil Dizzies for great New Orleans fare.

Check out Frenchmen Street. You can go to Snug Harbor for burgers and a Jazz show. But, most people go to Port of Call on Esplanade for burgers. There are several good clubs on Frenchmen St.: Maison, DBA, Yuki, etc.

The Bywater has several excellent places. Maurepas Cafe (update: CLOSED), Bacchanal on Poland Ave. Satsuma's for breakfast or lunch, Cake Cafe for breakfast/lunch.

You can get good coffee at Cafe du Monde, but also Envie at Barracks and Decatur. For excellent espresso drinks, I like Velvet across from Whole Foods on Magazine. There's now a HiVolt uptown also on Magazine by Whole Foods. 

There's the original Hi-Volt on Sophie Wright Place (near Magazine in Garden District near that Juan's), Mammoth Espresso and Spitfire in the CBD & Quarter. Hi-Volt also has great breakfast / brunch and baked goods, but they're much better at Sophie Wright location.

Try chicory coffee.

Go to Jean Lafitte's blacksmith shop on lower Bourbon St. (go away from Canal St. past all the big clubs like Pat O'Brien's and Cat's Meow, and past the gay dance clubs.) Speaking of Pat O'Brien's, lots of people go there.

Also, be sure to get to Preservation Hall Jazz club before you start drinking one night to enjoy old style New Orleans Jazz. Probably the only place where you'll hear authentic old style.

If you still have time and money, you can check out the bywater. Look at going to Vaughn's. Take a cab, and take a cab back to the quarter / CBD. I would walk or bike from the quarter, but you don't know the area and it is not always safe. The bywater is very funky. May or may not be your thing.

St. Roch Market is a great food stall and has excellent happy hour cocktails.

If you want good beer, go to DBA on Frenchmen Street. 

There's actual Absinthe at the place on Pirate's Alley between the cabildo and the cathedral off of Jackson Sq.

For a good breakfast, go to Cake Cafe in the Marigny (past elysian fields from canal). I think it is on Decatur, but I don't recall. There's also Elizabeth's out in the bywater.

Tipitina's is a famous music club.  

There are a few things in there that didn't involve eating or drinking to do during the day.  Some people still want to go on the disaster tourist stuff.  If you want to rent bikes, go to my friend Bicycle Michael's on Frenchmen St.  Tell him you know me.  He'll probably say something like, a lot of people know Chris.  ;-)

Tune in to WTUL, 91.5FM. It is Tulane's college radio station. They've got club and event listings hourly, and you can win tickets pretty easily from them for shows. Also check out WWOZ, 90.7 IIRC. They are a NOLA cultural station. They also have club and event listings.


Wednesday, May 15, 2019

How Do I Get Started in Pen Testing?

Intro

I teach several different classes at the SANS Institute. Sometimes students are just starting out, and they're looking at how to apply the tools and skills they just learned. I'm writing this blog to provide guidance on the next steps. I'm going to try to be agnostic across the SANS curriculum, since that separation doesn't exist in most people's workplaces.

Practice At Work

First, be careful about just doing things at work. Some of the tools and skills we teach in SANS classes might not be appropriate for your job role. Instrumenting a computer network with a sniffer and monitoring traffic is a valuable defensive technique and capability. But, it might also be considered a wiretap in the United States (and most other countries). This potential violation of federal and state laws could get you fired and charged with a crime if done without permission. Same goes for penetration testing or unauthorized collection and inspection of digital evidence.
Solution: Get written permission from someone with the authority to give that permission to install monitoring or do forensics, or penetration tests.

Practice Outside of Work

If you don't have a chance to apply the lessons at work, what's another path?  I advise you to do three things. First, find some additional practice opportunities. Second, find an organization who could use your assistance and volunteer for them. Third, start to moonlight as a contractor.

Additional Practice Opportunities
There are a number of websites out there that give you a chance to practice your skills. Here are a few lists of freely available challenges:
https://www.amanhardikar.com/mindmaps/PracticeUrls.html

https://hack.me/c/CHALLENGE

https://apsdehal.in/awesome-ctf/


Volunteer Opportunities

After you're confident in your ability to do simulated work, then it is time to move on to a real world circumstance. Truth is, you're probably not experienced enough to go right into the contracting and delivery. So this next step is a middle ground. Find an organization that you care about. This might be your church, your school, or your child's school. It could be your friend's small business or your neighborhood association. Select an organization that you're willing to contribute your time for free.

Offer this organization the service you intend with an actual proposal. This will be a written agreement, and you're treating it like it is a business engagement.

My suggestion for how to think about the scope is to review this fantastic resource:

It's a bit older, but is an exhaustive list of the potential attack surface for a pen test or vulnerability assessment. There are a couple of template documents available as well. The primary artifact you'll be producing from your work is a report. Here are a large number of example reports:


Deliver the report, provide advice on how to fix it, and check in six months down the road to see how they've progressed on the proposed changes. You'll probably see that they haven't made much progress at all. ;) It's ok. Look for ways to help solve those issues.

Keep working with that organization and apply a different scope for another engagement, or find another organization to help.

Start a Small Business

Once you've done a small number of engagements for free, you're probably ready to start to charge for your services. Don't quit your day job quite yet. :)

Register an LLC with your state.

Develop the appropriate sort of contracts, usually a Master Service Agreement (MSA) and Statement of Work (SOW). One example MSA:

Buy liability insurance and potentially errors and omissions for your business. You may also need workers' compensation for some organizations you contract with (even if you don't have any employees):
https://www.fundera.com/blog/small-business-insurance

Find customers, deliver value, and grow your business!

Conclusion

That's a quick opinion on how you might proceed to develop your skills. You could also just have fun doing capture the flags and Netwars challenges from SANS.  If you have additional resource links that you think people should review for any of the above areas I've linked to, please include them in the notes. I'll add really good links back into the text of the post.

Tuesday, April 2, 2019

Instrumenting OS for Per Process DNS Query Inspection



Background information

Last night at #SANS2019 I attended Jason Fossen’s talk on Process Hacker and it reminded me of something I forgot to finish several years ago. I’m finalizing and posting now (several years later). This work was originally done on a Windows 8 system.
Years ago, really way too long ago, I wrote a post about how to use DNS query logs to create a daily delta report to identify anomalies and novel connections: https://pen-testing.sans.org/blog/2015/07/10/dns-anomaly-analysis-tips-did-you-put-a-new-cover-sheet-on-that-ddd-report/


What's Doing That?
One of the things that I saw during review of the data was a weird DNS request.


Weird unqualified DNS requests. The unqualified version would be followed by the same random string in the search domain of the computer. Usually one or two queries with qualification. Something like biuivlhobb, then biuivlhobb.montance, then biuivlhobb.montance.local, as an example.
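
The query pattern described above can be pulled out of a DNS query log automatically. The following is an added example, not code from the original post; the log format, the search-suffix list, the baseline of known short names and the five-second window are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Assumptions for this example (not from the original post's tooling):
SEARCH_SUFFIXES = ("montance", "montance.local")  # suffixes seen in the post's example
KNOWN_SHORT_NAMES = {"intranet", "mail", "wpad"}  # hypothetical baseline from earlier daily reports
WINDOW_SECONDS = 5                                # how quickly the qualified retries must follow

# Constructed sample log, one query per line: epoch_seconds client_ip queried_name
SAMPLE_LOG = """\
1554200001 10.0.0.23 biuivlhobb
1554200001 10.0.0.23 biuivlhobb.montance
1554200002 10.0.0.23 biuivlhobb.montance.local
1554200003 10.0.0.23 www.example.com
1554200004 10.0.0.23 intranet
1554200004 10.0.0.23 intranet.montance.local
1554200009 10.0.0.41 qzkfwpxrtmh
1554200009 10.0.0.41 qzkfwpxrtmh.montance.local
1554200030 10.0.0.41 mail.montance.local
1554200040 10.0.0.41 wpad
"""


def parse_log(text):
    """Yield (timestamp, client, name) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2].rstrip(".").lower()


def split_on_suffix(name):
    """Return (label, suffix) for a single label, bare or followed by a search suffix.

    A bare single label returns (label, ""). Any other name returns None.
    """
    if "." not in name:
        return name, ""
    # Try the longest suffix first so "x.montance.local" is not split at "montance".
    for suffix in sorted(SEARCH_SUFFIXES, key=len, reverse=True):
        if name.endswith("." + suffix):
            label = name[: -len(suffix) - 1]
            if "." not in label:
                return label, suffix
    return None


def find_suffix_expansions(records):
    """Report labels queried unqualified and then retried with a search suffix.

    Labels already in the baseline are dropped, leaving the novel ones to review.
    """
    chains = defaultdict(list)
    for ts, client, name in records:
        parsed = split_on_suffix(name)
        if parsed is None:
            continue
        label, suffix = parsed
        chains[(client, label)].append((ts, suffix))

    findings = []
    for (client, label), hits in chains.items():
        hits.sort()  # at equal timestamps the bare label ("") sorts first
        first_ts, first_suffix = hits[0]
        if first_suffix != "":
            continue  # the chain must start with the unqualified query
        retries = [s for ts, s in hits[1:] if s and ts - first_ts <= WINDOW_SECONDS]
        if not retries or label in KNOWN_SHORT_NAMES or not label.isalpha():
            continue
        findings.append({
            "client": client,
            "label": label,
            "first_seen": first_ts,
            "expanded_with": retries,
        })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in find_suffix_expansions(parse_log(SAMPLE_LOG)):
        print(finding)
```

The output identifies which client produced each novel label, which is the starting point for the per-process question the rest of this post works through.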
I looked into it via some online searches, and it was pretty clearly Google Chrome doing the queries. But, that wasn’t confirmed. So I dug deeper. I started thinking about how I could see inside of a system that a specific process made a DNS query. The OS was handling the query on behalf of a process. So, how could I see which process asked the OS to make that query?
My inquiry led me to discover that the Windows method for making a DNS request is getaddrinfo. The application would use this system call to do the lookup. https://docs.microsoft.com/en-us/windows/desktop/api/ws2tcpip/nf-ws2tcpip-getaddrinfo

So, I launched Process Monitor to attempt to review what was actually making the calls.
Process Monitor : https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx






There were two potential files of interest:
               C:\Windows\System32\dnsrslvr.dll
               C:\Windows\System32\dnsapi.dll
              
But, Process Monitor didn't show the details of the actual calls, so I looked into APIMonitor:
http://www.rohitab.com/apimonitor

I set the filter to just look at getaddrinfo and related requests in case I missed something.

I killed the existing Chrome, started it again, and was able to identify the getaddrinfo requests:


Cool! chrome.dll verified as the source!




Monday, April 1, 2019

Security Operations Class Status


Summary

SANS MGT517 was cancelled and will not return. I will release the material in several ways over the next year: as an online resource (https://soc.montance.com), as an online class, as in person training, and in a project plan book.

Brief Background

I wrote the course that became SANS Management 517 because the two-day course I was a course author of, MGT535 – Managing Incident Response, didn’t seem to fulfill many of the questions that people were asking about. Namely, “How do I interface my incident handling capability to the Security Operations Center?”

Secondarily, there were always questions about the related disciplines of what I eventually called “Self-Assessment Function” within the SOC. How do I use, create, or mature my vulnerability assessment program? How can I convince the IT department to help us by getting a good baseline in place?

Additionally, there was a gap that several people echoed. There were several documents that identified various aspects of Security Operations Centers (SOC), but there was no single reference that said exactly what a SOC was. Carson Zimmerman’s book, and David Nathan’s book were great, but no one had publicly defined capabilities, staffing, the technology involved, and the things that a SOC ingested and what its output was.

What became MGT517 was my attempt to define a reference model around security operations centers (SOC) for organizations to consider. About 500 students attended MGT517 when it was available through SANS. These students were from countries around the world, and from every sector: from manufacturers of goods you use in your home; the companies who make the computers you use; companies who operate the largest cloud infrastructures in the world; companies who build the software that runs most major businesses; security software firms; financial firms; healthcare entities; representatives of governments. Each time I taught the class, there was a chorus of “Thank you.” I can take this back to my organization and say here’s how we should do this. There was a common theme of there not being any other resource or class which covered this topic. There was usually also constructive criticism and valuable insight shared by attendees.

I am disappointed that SANS chose to cancel the class. But what SANS didn’t cancel is my commitment to continue to develop the material. The SOC, and security operations in general is a critical capability for organizations around the world.

I previously mentioned an Analysis of Competing Hypotheses (ACH) write up on why MGT517 was cancelled. It is still underway. It’s going very slowly, but will be published eventually. That matters less than what I’m going to do next, so what follows is that information.

Crowley Motivations

Material Access and Community Value

I want people to see the information I wrote. I think it provides tremendous value because it puts forward a reference model. You’re welcome to disagree with it. In fact, I would say that you must at least consider that the model may not be a good match for your organization.  I’ve tried to envision and account for every possibility. So, the tailoring to your organization is certainly present in such an abstracted and generalized model.

In addition to the security operations class, I am writing a book to provide a project plan for building a SOC. This should provide a very low-cost option for organizations to access the concepts expressed in these various forums and provide a project plan for the organization to build a SOC.

Business Development

I want to work on interesting SOC projects. I’m only a single person, and I won’t have a team of people working for me. Why not? Because I’m not interested in building a company at this time. That takes away from my ability to focus on the subject matter. But that means that I can’t delegate tasks to people and help lots of companies simultaneously.

It means my ability to get involved in projects is very limited if I want to keep my quality level high. My SANS teaching and course development has consumed a large amount of my time for the last three years. I’m taking the time I was exerting for MGT517 course development and shifting it to course development for an online version and an onsite version outside of SANS. I will have time for no more than 3 or 4 contract customers at any given time, if I continue to teach for SANS and try to run a class independently. There’s a risk in attempting to do all of this, as SANS may see this effort as competitive and choose not to ask me to instruct classes. Setting up courses live takes a lot of time and effort, and marketing the classes is a massive uphill battle. Enrollment, payment systems, and onsite logistics are expensive. Life’s a risk.

Actions Planned

Web Resource

I paid a developer to build a website for me to have a forum for SOC discussion by vetted individuals. I haven’t been able to get back to that effort due to so many different things going on. I’ve tried to find an intern to help me to populate content onto the site. If you’re interested in helping me with the initial deployment of material, please let me know. You wouldn’t be writing anything, just populating material into the website. This will be about a 3 month effort. Twitter is the best avenue to start this conversation: @CCrowMontance.

I have a lot of material buried in slide decks that aren’t accessible to people. My intention is to rescue that information from the PowerPoints I’ve built and move it to a forum for people to review and for knowledgeable people to have meaningful discussions. My intention is to vet the people who can discuss, but have the discussions be public. I think this is the best way to produce high quality content. Even without community participation, it will be a place where I can share the research and analysis I have done.

Online Class

The easiest way to get access to the material will be an online version available through NetworkDefense.io. The price will be affordable and the material will be adjusted to an online format. Once done, this will run perpetually and will be available on your schedule.

Live Class

This will probably be a three day event, limited to 25 participants. I’ll go to locations that are good options for me and where I think people want the event to run. This will be very much of a DIY effort, and if you’re interested in helping me to run the class or want it as part of your conference, I’ll certainly consider it. Also, private onsite runs are available with a focus on your organization’s specific implementation.

Tentative Scheduled Events & Locations

This list is ambitious, and I suspect several of these classes will not run, but I’ll try to make them all happen.

·        Online: Expected date of initial availability : November 1, 2019
·        December 2-4, 2019 : Washington, DC Area : Security Operations Class – Public Enrollment
·        January 8-10, 2020 : New York City, NY : Security Operations Class – Public Enrollment
·        March, 2020 : Macau or Hong Kong : Security Operations Class – Public Enrollment
·        June, 2020: Europe or Middle East, TBD
·        August, 2020 : Las Vegas : Security Operations Class – Public Enrollment
·        November, 2020: Melbourne, Australia : Security Operations Class – Public Enrollment

I look forward to seeing you there.