About Security Onion

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

For more about Security Onion, please see:
http://securityonion.net/

About the Course and Instructor

"I started Security Onion in 2008 to provide a comprehensive platform for intrusion detection, network security monitoring, and log management. Today, Security Onion has over 100,000 downloads and is being used by organizations around the world to help monitor and defend their networks. This class is the culmination of 6 years of lessons learned while building Security Onion and best practices developed while deploying Security Onion to real networks and doing real incident response with it."

-- Doug Burks

For more about Doug Burks, please see:
http://www.linkedin.com/pub/doug-burks/1b/a2b/858

What do previous students say about the class?

"I highly, HIGHLY recommend attending this class. I attended the class in Houston and it was excellent.

Doug is very knowledgeable and has an informal style of instruction that keeps the class interesting and encourages interaction with the students, and is not simply a 16 hour lecture.

I also met many interesting people and made some new contacts. All in all, if this class comes anywhere near me again ... I'll be going if I have to host a bake sale to get there."

"I appreciated the mixture of Doug's obvious significant real world experience, paired with his deep knowledge of security onion. I felt like the class not only helped me understand the tools but also helped me understand how I might best apply those tools."

"I liked the depth of each tool Doug covered each day in class. I enjoyed learning in an environment where you get to follow along with hands on, and get to ask questions about some of the things that will help you, individually, when you get back to your specific Security Onion implementation. I really appreciated the time Doug spent going thru real world investigations, where he presented his thought process and how each and every tool can be used to benefit us in our investigations."

What do students get?

• 4 days of classroom instruction from the lead developer of Security Onion
• over 100 pages of course material
• Certificate of Completion

When is the class?

Monday, August 10, 2015 through Thursday, August 13, 2015

8:00 AM - 5:00 PM (Eastern) each day

Where is the class being held?

Odenton MD. Students will receive further details upon registration.

What is the registration deadline?

The last day to register for class is Wednesday, August 5.

What hardware will be required for the class?
Students will need a laptop that is capable of running a 64-bit VM with at least 3GB RAM allocated to the VM (4GB RAM or more for the VM is highly recommended).

PLEASE NOTE! Just because your laptop has a 64-bit processor does NOT necessarily mean that you can run 64-bit VMs. Your 64-bit processor must support virtualization and virtualization must be enabled in the BIOS.

VMware Workstation/Fusion is highly recommended.

What do students need to do prior to class?
Students should ensure that their laptop is fully capable of running a 64-bit VM by downloading the Security Onion ISO image and verifying that it runs AND installs in their VM. Please see our Installation guide:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Which version of Security Onion will we be using?
We'll be using the new Security Onion 12.04.5.2 ISO image that was released on 7/6:
http://blog.securityonion.net/2015/07/security-onion-120452-iso-image-now.html

What do students need to bring to class?
Students need to bring the following:

• this Eventbrite ticket
• laptop as described above
• Security Onion 12.04.5.2 ISO image

What skills/knowledge should students have before attending this course?

Students should have a basic understanding of networks, TCP/IP, and standard protocols such as DNS, HTTP, etc. Some Linux knowledge/experience is recommended, but not required.

What's the refund policy?

You may log into your Eventbrite account and request a refund up until the last day of ticket sales. Please use the "Request a Refund" button as shown here:
http://www.eventbrite.com/t/how_to_request_refund

What topics are covered in this class?

- Network Security Monitoring (NSM) methodology

- Security Onion Installation

- Configuration
Setup Phase 1 - Network configuration
Setup Phase 2 - Service configuration
Quick Setup vs Advanced Setup
Verifying services

- Analyzing Alerts
Replaying traffic
4 primary interfaces:
Snorby
Squert
Sguil
ELSA
Pivoting between interfaces
Pivoting to full packet capture

- Hunting
Using ELSA to slice and dice logs

- Bro

Introduction
Bro Programming Language
Bro-IDS
Bro Logs
Bro Scripts
ShellShock Detector Module
Bro Intel Framework

- Production Deployment
Advanced Setup
Master vs sensor
sosetup.conf
Architectural recommendations
Sensor placement
Hardening
Administration
Maintenance

- Tuning
Using PulledPork to disable rules
BPFs to filter traffic
Spinning up additional Snort/Suricata/Bro workers to handle higher traffic loads

- Case Studies
(2) Case Studies on Day 1
(2) Case Studies on Day 2
(2) Case Studies on Day 3
Final Case Study on Day 4

- Wrapup/Q&A