Tuesday, October 27, 2009

Wednesday is Last Day for Discounted SANS Registration

In my off time I'm still busy organizing the SANS WhatWorks in Incident Detection Summit 2009, taking place in Washington, DC on 9-10 Dec 09. The agenda page should be updated soon to feature all of the speakers and panel participants. Wednesday is the last day to register at the discounted rate.

I wrote the following to provide more information on the Summit and explain its purpose.

All of us want to spend our limited information technology and security funds on the people, products, and processes that make a difference. Does it make sense to commit money to projects when we don’t know their impact? I’m not talking about fuzzy “return on investment” (ROI) calculations or fabricated “risk” ratings. Don’t we all want to know how to find intruders, right now, and then concentrate on improvements that will make it more difficult for bad guys to disclose, degrade, or deny our data?

To answer this question, I’ve teamed with SANS to organize a unique event -- the SANS WhatWorks in Incident Detection Summit 2009, on 9-10 December 2009 in Washington, DC. My goal for this two-day, vendor-neutral, practitioner-focused Summit is to provide security operators with real-life guidance on how to discover intruders in the enterprise. This isn’t a conference on a specific commercial tool, or a series of death-by-slide presentations, or lectures by people disconnected from reality. I’ve reached out to the people I know on the front lines, who find intruders on a regular, daily basis. If you don’t think good guys know how to find bad guys, spend two days with people who go toe-to-toe with the worst intruders on the planet.

We’ll discuss topics like the following:

  • How do Computer Incident Response Teams and Managed Security Service Providers detect intrusions?

  • What network-centric and host-centric indicators yield the best results, and how do you collect and analyze them?

  • What open source tools are the best-kept secrets in the security community, and how can you put them to work immediately in your organization?

  • What sources of security intelligence data produce actionable indicators?

  • How can emerging disciplines such as proactive live response and volatile analysis find advanced persistent threats?


Here is a sample of the dozens of subject matter experts who will pack the schedule:

  • Michael Cloppert, senior technical member of Lockheed Martin's enterprise Computer Incident Response Team and frequent SANS Forensics blogger.

  • Michael Rash, Senior Security Architect for G2, Inc., author of Linux Firewalls and the psad, fwsnort, and fwknop security projects.

  • Matt Richard, Malicious Code Operations Lead for the Raytheon corporate Computer Emergency Response (RayCERT) Special Technologies and Analysis Team (STAT) program.

  • Martin Roesch, founder of Sourcefire and developer of Snort.

  • Bamm Visscher, Lead Information Security Incident Handler for the General Electric CIRT, and author of the open source Sguil suite.


Ron Gula is scheduled to do one keynote and I'm working on the second. We'll have guest moderators for some panels too, such as Mike Cloppert and Rocky DeStefano.

I look forward to seeing you at the conference!

2 comments:

Anonymous said...

This will definitely be a 'must attend' for the season...

Really looking forward to the investigation of the issues involved.

Best,
Hal

Chris said...

I think a three effective and probably underutilized and overlooked ways to determine if hosts in your network are compromised are asset vulnerability and detection/protection signature reference correlation, monitoring of online attack databases and monitoring of outbound web proxy logs.

First, performing your own vulnerability analysis against your hosts using host and network-based enumeration and vulnerability scanning and then to correlate this with IDS and anti-virus alerts. If you have an alert for an attack to a particular host but you know that host is already patched for that particular CVE or you know you have specific anti-virus/IPS signature protection or not then you can have reasonable assurance about the success of an attack.


A Second way is to monitor online databases such as SANS Dshield to see if any IPs from your public netblocks show up. If others on the internet are reporting attacks from hosts in your network then it's very likely your host is compromised. Setting up an automated process to monitor and alert on several of these online attack databases would be another good layer in your defense-in-depth approach to incident detection.

Third and last, is assuming your company has a restrictive outbound firewall policy and forces users through a content filtering web proxy, you should monitor that proxy log for suspicious activity such as request failures, requests to domains in a black list like Maleware Domain Blocklist or IPs in DShield and to organization or countries that don't make sense for your companies business needs.