Man On A Mission

Jul 1, 2007 12:00 PM, By SANDRA KAY MILLER


It's a name you might not be able to pronounce, but anyone involved in network security has seen it: Richard Bejtlich. He wrote The Tao of Network Security Monitoring: Beyond Intrusion Detection, Extrusion Detection: Monitoring for Internal Intrusions, and Real Digital Forensics. He is also a contributor to other titles often found on IT bookshelves (Incident Response: Computer Forensics 2nd Edition and Hacking Exposed 4th Edition). Bejtlich is also a frequent presenter at security conferences such as USENIX, RSA, SANS and Black Hat.

“All three books have been picked up by schools as their class books so it is really exciting to see a whole new generation of security analysts who are using books that I wrote as their textbooks,” Bejtlich says.

Bejtlich's success is rooted in the experience that is the basis for his knowledge, which he shares through his writing and speaking. After graduating from the United States Air Force Academy, he went on to Harvard University's Kennedy School of Government to earn a master's degree in public policy, focusing on economics and national security. Bejtlich then trained as an intelligence officer in the U.S. Air Force.

While serving, Bejtlich was attached to the Air Intelligence Agency and worked on projects such as evaluating communications networks in Bosnia-Herzegovina, and he later became a member of the Air Force Computer Emergency Response Team (AFCERT) based in San Antonio, Texas. As part of the team, Bejtlich worked with a variety of intrusion detection tools and technologies, both commercial and military. As his expertise grew, he moved into an instructional role, teaching mission analysts about intrusion detection system (IDS) signature interpretation, network reconnaissance techniques and advanced TCP/IP protocols. Eventually, Bejtlich stepped into a leadership role at AFCERT, supervising more than 60 military and civilian security analysts.

When Bejtlich left the Air Force in 2001, his skills rapidly translated into the civilian world. He got his feet wet at Ball Aerospace, where he continued to train and manage personnel as well as provide technical services to government, commercial and academic institutions.

The following year, Bejtlich joined Foundstone, Mission Viejo, Calif., one of the top network security consulting practices in the country, and moved to the Washington, D.C. area, where he continues to live with his family today. At Foundstone, Bejtlich honed his security skills, responding to security incidents at Fortune 100 companies and tier-one Internet service providers that were falling victim to security breaches with growing frequency, including attacks by organized crime, corporate espionage and hackers.

For Bejtlich, the ultimate outcome of any incident response is to catch a person in the act of illegal activity at a keyboard, so that there is an airtight case against them. “I've worked on cases like that where I've gotten indications that bad things were happening. We tied it to an individual, contacted human resources and building security and instructed them to go to a particular desk, look over their shoulder at what they were typing, grab them — literally pull them out of their chair — so that there would be complete proof of illegal activity.”

At Foundstone, Bejtlich also continued to teach cutting-edge classes including “Ultimate Hacking,” “Ultimate Hacking Expert” and “Incident Response.”

When Foundstone was acquired by McAfee, Santa Clara, Calif., in 2004, Bejtlich worked briefly for another security consultancy before striking out on his own to form his own company, TaoSecurity. He continued to provide security services, focusing on protection, detection and incident response, along with teaching classes about network security and writing. His goal was to aid organizations in the detection, containment and remediation of intrusions, drawing on his experience with network security, incident response and forensics.

In addition to his books and presentations, Bejtlich is a prolific blogger (http://taosecurity.blogspot.com/) with a dedicated following of security professionals, including Grady Summers, the CISO at General Electric, Fairfield, Conn., who offered him a job. “After reading my blog for several months, he sent me an e-mail and said ‘I see you like to talk about these issues and obviously, you consult on them. Would you be interested in doing them full-time for me at GE?’ Given that GE is such a large company and the challenges associated, it seemed like it was an opportunity I couldn't pass up,” Bejtlich explains.

“The one part of security I really like is incident response. It's always been my favorite activity to deal with bad guys who are at the other end of a keyboard. I don't really like to deal with worms and viruses, but going up against a guy who could be sitting somewhere else, maybe even in another country trying to do harm to your organization and you can catch that guy and get enough evidence that he could be apprehended, to me, that's pretty exciting.”

Looking back to his time in the Air Force, Bejtlich recalls that the physical aspects of security were everywhere. The initial way that people protected data was by guarding access to the computers that stored the data. “I think that people who didn't grow up in that environment and now they're tasked with protecting data sort of forget about that relationship. For me, it doesn't matter if the data walks out the door in my shoe or I've printed it out or if I e-mail it somewhere or I install a back door on the machine, all of it results in the theft of information,” Bejtlich says.

“It doesn't matter what form the data takes, at some point I think we're just going to be talking about data and we're going to have to think about how you could actually do something with that data. People need to think in terms of data — not whether it's physical or electronic. Security isn't neatly packaged into an electronic or physical form, it crosses both areas.”

Pulling from his experience and looking ahead, Bejtlich sees a growing disillusionment within security. “People are spending a lot of money on security and not seeing much improvement. Whether it's firewalls, intrusion detection, intrusion prevention or security information management systems, people are still wondering why they are being hacked,” he says. His advice is for organizations to have a firm understanding of their weaknesses and what is actually happening in regard to their environment before they ever start to deploy security systems or processes.

However, Bejtlich is positive about his new position because his boss works closely with GE's Chief Security Officer, retired Air Force Brig. Gen. Frank Taylor. Bejtlich points out that at GE, Taylor's security portfolio runs the gamut of just about every security threat possible for a global entity, including sites in many politically unstable locations. As a result of the working relationship between digital and physical security, Bejtlich sees GE's security posture becoming stronger and looks forward to contributing his expertise.

Ahead in the next few years for Bejtlich are second editions of Real Digital Forensics and The Tao of Network Security Monitoring along with Hacking TCP/IP Illustrated.


Bejtlich, along with his wife and two daughters, lives just outside of Washington, D.C. He enjoys ice hockey and martial arts.

© 2008 Penton Media Inc.