Introducing FlowBAT, the Flow Analysis GUI

October 13th, 2014

I’m really excited to announce the release of FlowBAT, a new web-based flow analysis GUI designed by analysts, for analysts. You can read the full blog post about FlowBAT here, or download the tool at

MIRCon 2014 Slides: Applied Detection and Analysis with Flow Data

October 13th, 2014

I recently had the opportunity and pleasure to speak at MIRCon 2014. The topic of the presentation was “Applied Detection and Analysis with Flow Data.” We had a great time talking about effective ways to use flow data for NSM, as well as introducing the world to FlowBAT.
You can view the slides from this presentation here:

BSides Augusta 2014 Slides and Video – Defeating Cognitive Bias and Developing Analytic Technique

October 13th, 2014

I recently gave a presentation at BSides Augusta on the topic “Defeating Cognitive Bias and Developing Analytic Technique”.
At the center of many defensive processes is human analysis. While we spend a lot of time performing analysis, we don’t spend nearly enough time thinking about how we perform analysis. The human mind is poorly wired to deal with most complex analysis scenarios effectively. This can be attributed to the inherent complexity of solving technical issues where so many uncertainties exist, and also to the cognitive and unmotivated biases that humans unknowingly apply to their analysis. All of these things can diminish our ability to get from alert to diagnosis quickly and effectively.

In this presentation, I plan to discuss the mental challenges associated with technical defensive analysis by leveraging research associated with traditional intelligence analysis. I will discuss how complexity can overwhelm analysis, how cognitive bias can negatively influence analysis, and techniques for recognizing and overcoming these limiting factors. This will include a few fun mental exercises, as well as an overview of several strategic questioning techniques, including analysis of competing hypotheses, red cell analysis, and “what if” analysis. Finally, I will discuss several structured analysis techniques, including two different techniques that can be used specifically for NSM analysis: relational investigation and differential diagnosis.
The video for this presentation can be found here:

The slides for this presentation can be found here:

Practical Packet Analysis 3rd Edition Research

August 11th, 2014

After a lot of demand, I’ve started researching content for Practical Packet Analysis, 3rd edition. There is no timeline for release yet, but for those of you who have read either of the previous editions, what would you like to see in a third edition? Specific scenarios? Additional protocols? Let me know in the comments here, or e-mail me directly at Thanks!
Applied NSM Blog Post: The NSM Analyst’s Notebook

March 13th, 2014

Today I published a new article on the Applied Network Security Monitoring blog titled “The NSM Analyst’s Notebook”.