SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, July 14, 2010

Brief Thoughts on SANS WhatWorks Summit in Forensics and Incident Response 2010

Posted on 7:13 PM by Unknown
Last week I spoke at the third SANS WhatWorks Summit in Forensics and Incident Response in DC, organized and led by Rob Lee. As usual, Rob did a wonderful job bringing together interesting speakers and timely topics. I thought my presentation on "CIRT-level Response to Advanced Persistent Threat" went well and I enjoyed participating on the "APT Panel Discussion."

I wanted to share a few thoughts from the event.

  • This is just the sort of event I like to attend. It's almost more about the participants than the presentation content. I found plenty of peers interested in sharing leading practices. I hope to continue a relationship with several other CIRT leaders I met (or saw again) at SANS.

  • Props to Kris Harms and Nick Harbour for starting their talk with a printed handout as reference for an in-class IR exercise, during a 1 hour talk! I kid you not. What a great way to make a point about the need for OpenIOC. Kevin Mandia called existing IR report writing "the state of caveman art" and I agree. Expect to hear more from me about OpenIOC in the future.

  • I heard Harlan Carvey say something like "we need to provide fewer Lego pieces and more buildings." Correct me if I misheard Harlan. I think his point was this: there is a tendency for speakers, especially technical thought and practice leaders like Harlan, to present material and expect the audience to take the next few logical steps to apply the lessons in practice. It's like "I found this in the registry! Q.E.D." I think as more people become involved in forensics and IR, we forever depart the realm of experts and enter more of a mass-market environment where more hand-holding is required?

  • Developing people was a constant theme. I liked what Mike Cloppert said: "Be ready to hire someone who isn't perfect for your open role, but could grow into the role. Alternatively, when you don't have an open role, but someone perfect becomes available, you must hire that person."

  • I sent a lot of thoughts via Twitter at the summit, so you can check out what I wrote through @taosecurity.


Finally, I'd like to remind everyone that I will begin planning my second SANS WhatWorks in Incident Detection and Log Management Summit, which will be held again in DC, on 8-9 December 2010. If you liked last year's Summit, you will love this new one. I'll have more to say as we get closer to registration.
Email ThisBlogThis!Share to XShare to Facebook
Posted in sans | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...
  • Sguil 0.7.0 on Ubuntu 9.10
    Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubl...
  • Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs
    Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected So...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • Human Language as the New Programming Language
    If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think ...
  • DNI Blair Leads with APT as a "Wake-Up Call"
    AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Bla...
  • SANS Forensics and Incident Response 2009
    The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speakin...
  • NYCBSDCon 2010 Registration Open
    Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule ! If you're in the New York...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ▼  July (26)
      • Time Issues in Libpcap Traces
      • Review of Digital Forensics for Network, Internet,...
      • Review of Virtualization and Forensics Posted
      • Review of Digital Triage Forensics Posted
      • Dell Needs a PSIRT
      • Review of The Watchman Posted
      • Review of The Fugitive Game Posted
      • Review of At Large Posted
      • Review of The Cuckoo's Egg Posted
      • Review of Code Version 2.0 Posted
      • Review of Crypto Posted
      • Review of The Illusion of Due Diligence Posted
      • Human Language as the New Programming Language
      • Brief Thoughts on WEIS 2010
      • Brief Thoughts on SANS WhatWorks Summit in Forensi...
      • Network Forensics Vendors: Get in the Cloud!
      • Gartner on CSIRTs
      • My Article on Advanced Persistent Threat Posted
      • A Little More on Cyberwar, from Joint Pub 1
      • Thoughts on "Application SOC" and New MSSPs
      • Ponemon Institute Misses the Mark
      • Joint Strike Fighter -- Face of Cyberwar?
      • Cyberwar Is Real
      • Security Is Never Free -- Ask DNSSEC
      • Lessons from NETOPS vs CND
      • Secunia Survey of DEP and ASLR
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile