SANS 2010 Orlando Wrapup

Having just come back from the SANS Institute Orlando security conference, I want to share some random thoughts.

  • SANS Instructors and speakers are top rate
  • The invited vendors were pertinent to the conference and added to the experience
  • SANS @ Night and special conferences were very much worth it and provided up to date actionable material.
  • Lots of senior technical personnel from military, industrial, public and commercial interests rounded out the experience.

The standout speakers were Lenny Zelster, Jason Fossen and Ed Skoudis. Their talks all brought unique insight, usable knowledge and were superb speakers. Eric Conrad was an enjoyable instructor, he provided no nonsense feedback on what worked for him in his various jobs.

Network security monitoring and extrusion detection have really gained in the general mindset. As there are no silver bullets, the intruders will gain a foothold and only well varied system and network indicators can highlight anomalous behaviour that can permit a response. It is also clear that response now needs to be more coordinated and all encompassing to lockdown a site before advanced intruders react to partial measures and deploy more advanced malware or burrow deeper.

Main attack vectors where directed Spear-fishing and combination’s of drive-by exploits or business document exploits. For local attacks, any shared layer 2 network is a sitting duck to MiTM attacks which impress by their breadth, variety and tool automation.

On the SIEM side of things, Qradar, LogRythm and Splunk* all had products that were well received by various network and security administrators. (ed. Splunk is an analytical tool and does not have a state machine like a SIEM, I see it as complimentary to a SIEM)

On the NSM side of things, Sourcefire had a compelling commercial solution that is similar to SGUIL but with more setup automation and polished approach.