Having just come back from the SANS 2013 Orlando security conference, I want to share some random thoughts.
- SANS Instructors and speakers are top rate (once again)
- The invited vendors were pertinent to the conference and added to the experience
- SANS @ Night and special conferences were very much worth it and provided up to date actionable material.
- Lots of senior technical personnel from military, industrial, public sector, critical infrastructure and commercial interests bring great depth to the discussions in class and out of class.
- NetWars, how awesome is that stuff!! Sign me up for next time.
The standout speakers were Dr. Eric Cole, Joshua Wright, Mike Poor and Rob Lee. Their talks all brought unique insight, usable knowledge and were entertaining as well. Special props go out to Alissa Torres from Mandiant on Finding Unknown Malware, she dished out a no holds barred great presentation, you rocked. (You did not have to be stressed, things worked out. :-)
Dr. Eric Cole was a real treat as an instructor, he knows what he is talking about and has real knowledge of how to handle incidents. David Hoelzer was a super instructor and delivered a well rounded course and good insight. He even threw in some custom Net Wars for the class, awesome stuff.
In a few words:
- Identify your critical assets
- Identify the systems and data
- Identify how to monitor them
Prevention is good, but detection is king. Also, make sure that behavioural and anomaly detection are key components of the detection in addition to traditional signature/known-bad based detection.
This gave me some ideas for new statistical rules to implement with flow based analysis and SIEM type correlation rules. I really focus on NSM (Network Security Monitoring) approaches which should also be combined with data access monitoring to really highlight bad behaviours. Data access monitoring is a new field that I will be exploring.