Friday, December 18, 2009

Favorite Speaker Quotes from SANS Incident Detection Summit

Taking another look at my notes, I found a bunch of quotes from speakers that I thought you might like to hear.

  • "If you think you're not using a MSSP, you already are. It's called anti-virus." Can anyone claim that, from the CIRTs and MSSPs panel?

  • Seth Hall said "Bro is a programming language with a -i switch to sniff traffic."

  • Seth Hall said "You're going to lose." Matt Olney agreed and expanded on that by saying "Hopefully you're going to lose in a way you recognize."

  • Matt Olney also said "Give your analyst a chance." ["All we are sayyy-ing..."]

  • Matt Jonkman said "Don't be afraid of blocking." It's not 2004 anymore. Matt emphasized the utility of reputation when triggering signatures, for example firing an alert when an Amazon.com-style URL request is sent to a non-Amazon.com server.

  • Ron Shaffer said "Bad guys are following the rules of your network to accomplish their mission."

  • Steve Sturges said "Snort 3.0 is a research project."

  • Gunter Ollmann said "Threats have a declining interest in persistence. Just exploit the browser and disappear when closed. Users are expected to repeat risky behavior, and become compromised again anyway."
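The reputation-aware signature Matt describes, worked through as an added example (this is not code from his talk, from Emerging Threats or from the original post; the proxy-log format, the "Amazon-style" path patterns and the trusted-domain list are assumptions made for illustration). The rule fires when a request path that looks like Amazon's is sent to a host that is not amazon.com or a real subdomain of it, and it handles the host-check evasions that naive string matching misses: lookalike domains, userinfo in the URL, port suffixes, case and trailing dots.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the talk or the original post. The "Amazon-style"
# path patterns and the trusted-domain list are assumptions for illustration.
AMAZON_PATH_RE = re.compile(r"^/(?:gp/|dp/[A-Z0-9]{10}|exec/obidos/)", re.I)
TRUSTED_DOMAINS = ("amazon.com",)

# Constructed proxy-log lines: "<timestamp> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2009-12-18T10:00:01 10.1.2.3 GET http://www.amazon.com/gp/cart/view.html
2009-12-18T10:00:02 10.1.2.4 GET http://amazon.com.secure-login.example/gp/sign-in.html
2009-12-18T10:00:03 10.1.2.5 GET http://www.amazon.com@198.51.100.7/dp/B000000000
2009-12-18T10:00:04 10.1.2.6 GET http://www.example.org/index.html
2009-12-18T10:00:05 10.1.2.7 GET http://WWW.AMAZON.COM:443/dp/B000000000
""".splitlines()


def host_is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it.
    A substring or startswith test would wrongly accept amazon.com.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_request(url):
    """Return (host, path) if the URL trips the rule, otherwise None."""
    parts = urlsplit(url)
    # .hostname drops userinfo ("www.amazon.com@...") and any port, and lowercases
    host = parts.hostname or ""
    if AMAZON_PATH_RE.match(parts.path) and not host_is_trusted(host):
        return host, parts.path
    return None


def scan(lines):
    """Run the rule over log lines; return (client_ip, host, path) per hit."""
    hits = []
    for line in lines:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue  # malformed line: skip it rather than crash the scan
        _ts, client_ip, _method, url = fields
        hit = check_request(url)
        if hit:
            hits.append((client_ip,) + hit)
    return hits


if __name__ == "__main__":
    for client_ip, host, path in scan(SAMPLE_LOG):
        print(f"ALERT {client_ip} sent Amazon-style path {path} to non-Amazon host {host}")
```

Of the five constructed lines, only the lookalike domain and the userinfo trick fire; the legitimate requests (including the upper-case host with an explicit port) and the unrelated site do not. In production the path patterns would come from a maintained list per brand, and the trusted-domain list would be the reputation data the signature keys off.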


Thanks again to all of our speakers!

1 comment:

Michael Cloppert said...

"If you think you're not using a MSSP, you already are. It's called anti-virus." Can anyone claim that, from the CIRTs and MSSPs panel?

That'd be mine!

Gunter Ollmann said "Threats have a declining interest in persistence. Just exploit the browser and disappear when closed. Users are expected to repeat risky behavior, and become compromised again anyway."

Gunter had a lot of good information to contribute. With all due respect, though, I disagree with this point for targeted attacks. Persistence is always desired and rarely missing as an attribute of such attacks in my experience. However, adversaries are learning to function more effectively in environments where persistence may not be possible due to architectural decisions such as decreased user rights.