I wrote the following to provide more information on the Summit and explain its purpose.
All of us want to spend our limited information technology and security funds on the people, products, and processes that make a difference. Does it make sense to commit money to projects when we don’t know their impact? I’m not talking about fuzzy “return on investment” (ROI) calculations or fabricated “risk” ratings. Don’t we all want to know how to find intruders, right now, and then concentrate on improvements that will make it more difficult for bad guys to disclose, degrade, or deny our data?
To answer this question, I’ve teamed with SANS to organize a unique event -- the SANS WhatWorks in Incident Detection Summit 2009, on 9-10 December 2009 in Washington, DC. My goal for this two-day, vendor-neutral, practitioner-focused Summit is to provide security operators with real-life guidance on how to discover intruders in the enterprise. This isn’t a conference on a specific commercial tool, or a series of death-by-slide presentations, or lectures by people disconnected from reality. I’ve reached out to the people I know on the front lines, who find intruders on a regular, daily basis. If you don’t think good guys know how to find bad guys, spend two days with people who go toe-to-toe with the worst intruders on the planet.
We’ll discuss topics like the following:
- How do Computer Incident Response Teams and Managed Security Service Providers detect intrusions?
- What network-centric and host-centric indicators yield the best results, and how do you collect and analyze them?
- What open source tools are the best-kept secrets in the security community, and how can you put them to work immediately in your organization?
- What sources of security intelligence data produce actionable indicators?
- How can emerging disciplines such as proactive live response and volatile analysis find advanced persistent threats?
Here is a sample of the dozens of subject matter experts who will pack the schedule:
- Michael Cloppert, senior technical member of Lockheed Martin's enterprise Computer Incident Response Team and frequent SANS Forensics blogger.
- Michael Rash, Senior Security Architect for G2, Inc., author of Linux Firewalls and the psad, fwsnort, and fwknop security projects.
- Matt Richard, Malicious Code Operations Lead for the Raytheon corporate Computer Emergency Response (RayCERT) Special Technologies and Analysis Team (STAT) program.
- Martin Roesch, founder of Sourcefire and developer of Snort.
- Bamm Visscher, Lead Information Security Incident Handler for the General Electric CIRT, and author of the open source Sguil suite.
Ron Gula is scheduled to do one keynote and I'm working on the second. We'll have guest moderators for some panels too, such as Mike Cloppert and Rocky DeStefano.
I look forward to seeing you at the conference!