Wednesday, July 14, 2010

Brief Thoughts on SANS WhatWorks Summit in Forensics and Incident Response 2010

Last week I spoke at the third SANS WhatWorks Summit in Forensics and Incident Response in DC, organized and led by Rob Lee. As usual, Rob did a wonderful job bringing together interesting speakers and timely topics. I thought my presentation on "CIRT-level Response to Advanced Persistent Threat" went well and I enjoyed participating on the "APT Panel Discussion."

I wanted to share a few thoughts from the event.

  • This is just the sort of event I like to attend. It's almost more about the participants than the presentation content. I found plenty of peers interested in sharing leading practices. I hope to continue a relationship with several other CIRT leaders I met (or saw again) at SANS.

  • Props to Kris Harms and Nick Harbour for starting their talk with a printed handout as reference for an in-class IR exercise, during a 1-hour talk! I kid you not. What a great way to make a point about the need for OpenIOC. Kevin Mandia called existing IR report writing "the state of caveman art" and I agree. Expect to hear more from me about OpenIOC in the future.

  • I heard Harlan Carvey say something like "we need to provide fewer Lego pieces and more buildings." Correct me if I misheard Harlan. I think his point was this: there is a tendency for speakers, especially technical thought and practice leaders like Harlan, to present material and expect the audience to take the next few logical steps to apply the lessons in practice. It's like "I found this in the registry! Q.E.D." I think that as more people become involved in forensics and IR, we forever depart the realm of experts and enter more of a mass-market environment where more hand-holding is required.

  • Developing people was a constant theme. I liked what Mike Cloppert said: "Be ready to hire someone who isn't perfect for your open role, but could grow into the role. Alternatively, when you don't have an open role, but someone perfect becomes available, you must hire that person."

  • I sent a lot of thoughts via Twitter at the summit, so you can check out what I wrote through @taosecurity.

Finally, I'd like to remind everyone that I will begin planning my second SANS WhatWorks in Incident Detection and Log Management Summit, which will be held again in DC, on 8-9 December 2010. If you liked last year's Summit, you will love this new one. I'll have more to say as we get closer to registration.


Anonymous said...

Any updates on the Incident Detection and Log Management Summit?

Richard Bejtlich said...

Hi Anonymous,

I had hoped to plan a second event, the 2010 SANS Incident Detection and Log Management Summit, for DC in December. However, after several weeks of negotiation, I could not come to terms with SANS. SANS picked a new organizer, and I have nothing to do with the event or SANS now.

I am working with FIRST for an alternative free event for FIRST members and those they sponsor. You can expect to see some details from me shortly.