RSA Conference Day 4 - Friday
We are at RSA Conference in San Francisco this week, keeping current with the latest developments in the information security industry. With 40,000 attendees, this is one of the biggest annual events focused on security. We'll be summarizing the developments here in daily blogs, as well as live-tweeting the high points at our Twitter account @Path2Protection
We caught several good talks Friday morning to wrap up the conference.
“The Seven Most Dangerous New Attack Techniques, and What's Coming Next” - SANS Panel
Slides: https://www.rsaconference.com/writable/presentations/file_upload/exp-t09r_the_seven_most_dangerous_new_attack_techniques-final2.pdf
Ed Skoudis - Lead, SANS Pen Testing program ( @edskoudis )
Dr. Johannes Ullrich - Director, SANS ISC
Mike Assante - ICS Director, SANS ( @assante_michael )
As always, the big brains at SANS put out all kinds of great info. However, a lot of this was not all that new, and there was not a ton of specific, practical guidance given. Key points made:
- Think beyond what would traditionally be considered useful info for attackers to pilfer; the bad guys are finding use for more and more varieties of information.
- Pick a good list of key security controls to implement: CIS Twenty Critical Controls (https://www.cisecurity.org/critical-controls/), NSA IAD Top 10 (https://www.sans.org/security-resources/IAD_top_10_info_assurance_mitigations.pdf), ASD Top 4 (http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm)
“The Pivot” - Jonathan Trull, VP for Information Security, Optic ( @jonathantrull )
Slides: https://www.rsaconference.com/writable/presentations/file_upload/air-f02-the-pivot.pdf
The idea that we need to move beyond just perimeter protection and do better on detection of and response to ongoing intrusions is a repeated theme in the industry over the past several years. Many organizations are still not really implementing this, though, or implementing it well.
This was a great talk with lots of good practical ideas for defense that are implementable by mid-sized organizations. See the notes for specific technical details, but the key points are:
- Don’t just go with default logging settings on devices and security tools.
- Central logging and analysis is key.
- Develop a strategy of specific indicators to look for to make that central logging and analysis effective.
“IOCs are Dead - Long Live IOCs!” - Ryan Kazanciyan
Slides: https://www.rsaconference.com/writable/presentations/file_upload/air-f03-iocs_are_dead_-_long_live_iocs.pdf
Ryan Kazanciyan, Chief Security Architect, Tanium ( @ryankaz42 )
Co-Author, Incident Response & Computer Forensics https://ir3e.com/
I’ve always been skeptical of the threat intel (really mostly threat data) trend. It’s not a bad idea, but it seems like really just a new analogue to signature-based detection; it can only help detect something that someone else has already detected someplace else.
Ryan shares my concerns with the use of threat data, and gives some other reasons why its use is problematic. Not only is the data by definition incapable of detecting truly NEW threats, but it is inconsistent and often of dubious use even for its intended purpose(s). He gives some good ways to make better use of such data, as well as some methods of scouring your own systems for high-value threat data.