Friday, August 07, 2009

SANS Incident Detection Summit in DC in December

Last month I blogged about the SANS Forensics and Incident Response 2009 Summit Round-Up. I am pleased to announce that I will be working with SANS to organize a two-day SANS Incident Detection Summit in DC in December. I am working on a preliminary agenda that includes two major themes: network-centric detection and host-centric detection. The Summit will include keynotes, practitioner briefings, tool briefings, vendor briefings, and panels.

As we develop the content I will report it here. I am excited about this event and look forward to seeing you in December. My goal is to "bring detection back", since we all know that detection never really died!

If there are topics you'd like to see at the Summit, feel free to share them here. Thank you.

Update: 9-10 December are the days for the Summit.

13 comments:

CyberG said...

My 2 cents
- Realtime detection of memory based malware that never touches the disk. We have the tools to investigate it after the fact, but that is after the damage has been done. Maybe clear documentation of what occurs when process injection happens at the Native API level and how we can alert on it.

- Detecting tunneled, possibly encrypted traffic buried in http, ssl, dns, etc.

Martin said...

Richard,

maybe at the summit you can comment on why the DOD thinks HIPS will solve all their problems and the reality that it won't.

Anonymous said...

Don't forget the obligatory "Management" track. /grin/ SANS could call it the "Management Incident Handling/Response" track. /grin/ And maybe EdS will keynote that track.

Anonymous said...

Hi Richard,

Would be great if you can afford time to do some training.

Look forward.

Regards,
SC

Rob Lee said...

Would love to see a presentation or a panel on utilizing Indicators of Compromise (IOC) lists to perform a Threat Identification Assessment of an enterprise organization. Is it another way to detect the Advanced Persistent Threat or Financial Attacks? How can you do this efficiently in an organization beyond network-based indicators? Also, should we publicize a known IOC list? How would that be shared? What is preventing that from being shared now?

Ryan said...

Would be a great venue to talk more about your 5/30/09 post on Cyber Security!

With Melissa Hathaway resigning and many security experts stating they are ready to step up to the plate if called upon, why do you think the position of Cyber Security Coordinator is still vacant?

What would it take to appoint someone of your stature or similar credentials and personality to this position, and do you think the politics of D.C. are ready for this pro-active change?

The political side of security is such a mind-draining and inefficient way of doing business. Winning over mid-level politics seems to be a lost cause unless someone higher is holding management's feet to the fire.

What better way to effect change than at the White House level, pushing national-level priorities and accountability from the top down?

There are a lot of great security minds being squashed with mid-level politics all over the U.S. If we are going to win the war of the digital age, we cannot wait until a national level cyber security disaster happens for the right people to start listening.

Security specialists seem to be ready for their call to arms when called upon, but it seems the right people at the top are not hearing them loud enough.

Dremspider said...

Who is saying HIPS is going to solve everything? To me it is a perfect defense-in-depth strategy. It isn't perfect, but I think for what it does it is a great idea. I do think that it will become better over time.

Anonymous said...

Hi Richard,

maybe a session about how to best detect routing/BGP threats?

wan said...

I think we need to define the acceptable framework for any security monitoring deployment, since as far as I know there are no standard guidelines, for example for building up a SOC.

Anonymous said...

I'm interested in how best to scale incident detection on DoD networks.