Design Your Network to Aid Forensic Investigation

Although security and related tools have improved over the years, all too often the first signs of a compromise appear in the form of a trouble ticket or problem report. Even though many monitoring methods are available, when deployed, security teams quickly find themselves buried in data or very busy with the care and feeding of such tools. This course will review network design and monitoring with the intent of identifying and providing adequate compromise detection, developing appropriate security response to suspicious “events�, and increasing readiness for forensics investigation. We will do this by identifying and setting security goals, applying simple, but adequate, monitoring methods to meet those goals, and developing some response methods for investigating and mitigating specific attacks. A production network architecture, including "lessons learned" during its development and maintenance, will serve as a case study for facilitated discussion.