RSA Conference Day 4 - Friday

We are at RSA Conference in San Francisco this week, keeping current with the latest developments in the information security industry. With 40,000 attendees, this is one of the biggest annual events focused on security. We'll be summarizing the developments here in daily blogs, as well as live-tweeting the high points at our Twitter account @Path2Protection


We caught several good talks Friday morning to wrap up the conference.

“The Seven Most Dangerous New Attack Techniques, and What's Coming Next” - SANS Panel
Slides: https://www.rsaconference.com/writable/presentations/file_upload/exp-t09r_the_seven_most_dangerous_new_attack_techniques-final2.pdf

Ed Skoudis - Lead, SANS Pen Testing program ( @edskoudis )
Dr. Johannes Ullrich - Director, SANS ISC
Mike Assante - ICS Director, SANS ( @assante_michael )

As always, the big brains at SANS put out all kinds of great info. However, a lot of this was not all that new, and there was not a ton of specific, practical guidance given. Key points made:


“The Pivot” - Jonathan Trull, VP for Information Security, Optic ( @jonathantrull )
Slides: https://www.rsaconference.com/writable/presentations/file_upload/air-f02-the-pivot.pdf

The idea that we need to move beyond just perimeter protection and do better on detection of and response to ongoing intrusions is a repeated theme in the industry over the past several years. Many organizations are still not really implementing this, though, or implementing it well.

This was a great talk with lots of good practical ideas for defense that are implementable by mid-sized organizations. See the notes for specific technical details, but the key points are:
  • Don’t just go with default logging settings on devices and security tools.
  • Central logging and analysis is key.
  • Develop a strategy of specific indicators to look for to make that central logging and analysis effective.
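As an added illustration of the third point (this is not code from the talk or slides), the following Python script correlates constructed auth events forwarded from several hosts and applies one specific indicator, an account fanning out to many distinct hosts within a few minutes, which no single host's own log could reveal. The log format, hostnames, threshold and window are assumptions.

```python
"""Central log correlation with one specific indicator: a single account
authenticating to many distinct hosts inside a short window (a pattern a
single host's local log can never show on its own)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: key=value auth events forwarded from several hosts.
SAMPLE_LOGS = """\
2016-03-04T09:00:01 host=ws01 event=logon_success user=jsmith src=10.0.1.5
2016-03-04T09:02:10 host=fs01 event=logon_success user=jsmith src=10.0.1.5
2016-03-04T09:02:40 host=db01 event=logon_success user=jsmith src=10.0.1.5
2016-03-04T09:03:15 host=ws07 event=logon_success user=jsmith src=10.0.1.5
2016-03-04T09:03:50 host=ws09 event=logon_success user=jsmith src=10.0.1.5
2016-03-04T09:10:00 host=ws02 event=logon_success user=alee src=10.0.1.9
2016-03-04T11:30:00 host=fs01 event=logon_success user=alee src=10.0.1.9
"""

def parse_line(line):
    """Split one forwarded event into a dict; timestamp becomes a datetime."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def find_fan_out(log_text, max_hosts=3, window=timedelta(minutes=5)):
    """Return {user: sorted hosts} for users whose successful logons reach
    more than `max_hosts` distinct hosts inside any sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["event"] == "logon_success":
            events[e["user"]].append((e["ts"], e["host"]))
    flagged = {}
    for user, evs in events.items():
        evs.sort()  # chronological, so each event starts a candidate window
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for user, hosts in find_fan_out(SAMPLE_LOGS).items():
        print(f"ALERT: {user} reached {len(hosts)} hosts in 5 min: {hosts}")
```

Seen host by host, each of jsmith's logons is a single ordinary success; only the central view exposes the fan-out.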


“IOCs are Dead - Long Live IOCs!” - Ryan Kazanciyan
Slides: https://www.rsaconference.com/writable/presentations/file_upload/air-f03-iocs_are_dead_-_long_live_iocs.pdf

Ryan Kazanciyan, Chief Security Architect, Tanium ( @ryankaz42 )
Co-Author, Incident Response & Computer Forensics https://ir3e.com/

I’ve always been skeptical of the threat intel (really mostly threat data) trend. It’s not a bad idea, but it seems like really just a new analogue to signature-based detection; it can only help detect something that someone else has already detected someplace else.

Ryan shares my concerns with the use of threat data, and gives some other reasons why its use is problematic. Not only is the data by definition incapable of detecting truly NEW threats, but it is inconsistent and often of dubious use even for its intended purpose(s). He gives some good ways to make better use of such data, as well as some methods of scouring your own systems for high-value threat data.
