I wasn’t at the SANS Cyber Defense Summit (full agenda – pdf) last month but found some of the presentations interesting as you might expect. No videos have been released as far as I know but here’s a quick link to the slides. My favorite decks included “OODA Security” by Kevin Fiscus, “Developing Cyber Threat Intelligence” by Adrien de Beaupre, and “Delivering Security from the Cloud” by John Pescatore.
Kevin’s slides on the OODA loop started with some basic material but quickly moved on to emphasizing how defenders actually hold the significant advantage on their own turf. This is especially true when we shorten our own loop with “triggers” that alert us to abnormalities. The deck even includes a few command-line examples for running your own mini-honeypot trigger, such as nc -l -p 80; date >> trigger.txt (the date is appended only after the client disconnects and nc exits, so one run records one hit; the -l -p form is traditional netcat syntax, while the OpenBSD variant takes the port positionally as nc -l 80), along with a host of other tricks (e.g., common but unlinked web pages, fake administrator accounts, or important-sounding documents).
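As an added illustration of the trigger idea, not taken from Kevin’s slides, here is a small TCP tripwire in Python that does what the one-liner does but stays armed across connections and records who tripped it and what they sent. The port, the sample request, and the tab-separated log format are my own choices; the only real defensive detail is that payload bytes are sanitized to printable ASCII before logging, so an attacker who finds the fake service cannot forge log lines or smuggle terminal escapes into your trigger file.

```python
import re
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Only printable ASCII reaches the log, so a payload cannot inject fake
# records or terminal escape sequences into the trigger file.
_UNPRINTABLE = re.compile(r"[^\x20-\x7e]")


def format_trigger_event(ts_iso, src_ip, dst_port, first_line):
    """One tab-separated trigger record: time, source IP, port hit, first line sent."""
    safe = _UNPRINTABLE.sub("?", first_line)[:200]
    return f"{ts_iso}\t{src_ip}\t{dst_port}\t{safe}"


def parse_trigger_log(lines):
    """Turn trigger records back into dicts, skipping blank or malformed lines."""
    events = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue
        events.append({"ts": parts[0], "src": parts[1],
                       "port": int(parts[2]), "first_line": parts[3]})
    return events


class TripwireHandler(socketserver.BaseRequestHandler):
    """Accept one connection, record it, answer nothing, disconnect."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except (socket.timeout, ConnectionError):
            data = b""
        first_line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        record = format_trigger_event(ts, self.client_address[0],
                                      self.server.server_address[1], first_line)
        with self.server.lock:
            self.server.events.append(record)
            if self.server.log_path:  # assumed path; None keeps records in memory
                with open(self.server.log_path, "a", encoding="ascii") as fh:
                    fh.write(record + "\n")


class TripwireServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_addr, log_path=None):
        super().__init__(bind_addr, TripwireHandler)
        self.log_path = log_path
        self.events = []
        self.lock = threading.Lock()


def start_tripwire(host="127.0.0.1", port=0, log_path=None):
    """Start the listener in a background thread; port 0 picks a free port."""
    server = TripwireServer((host, port), log_path)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_tripwire(host, port, payload=b"GET /admin HTTP/1.0\r\nHost: x\r\n\r\n"):
    """Play the intruder: connect once and send a constructed request."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)


def wait_for_events(server, count, timeout=5.0):
    """Block until the tripwire has recorded `count` hits or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with server.lock:
            if len(server.events) >= count:
                return list(server.events)
        time.sleep(0.02)
    with server.lock:
        return list(server.events)


if __name__ == "__main__":
    srv = start_tripwire("127.0.0.1", 0)
    probe_tripwire("127.0.0.1", srv.server_address[1])
    for rec in wait_for_events(srv, 1):
        print(rec)
    srv.shutdown()
    srv.server_close()
```

Binding a privileged port such as 80 needs root (or CAP_NET_BIND_SERVICE); for a real deployment, drop privileges after bind and ship the trigger file to a log host, since a listener that is also the only copy of its evidence is easy to clean up behind.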
With threat intelligence getting all the hype recently, I didn’t anticipate much, but Adrien’s slides exceeded my expectations. They neatly categorized the different types of data sources (free vs. commercial, crossed with internal vs. external) and suggested specific sites and services for each group. The free resources (e.g., your own infrastructure, SANS ISC, SRI, MalwareDomains.com, Team Cymru, various CERTs, Twitter, AV blogs [Avert, TrendLabs, Kaspersky, and F-Secure], BugTraq, MSRC, MMPC, MR&D, etc.) were especially helpful for those just getting started. Threat intel is so much more than the expensive external commercial offerings. Adrien closed his talk with architectures and free platforms for aggregating and correlating all that data (e.g., CIF, MANTIS, MISP, and CRITS), with the goal of making it actionable.
Finally, John’s material covered how the cloud can, ironically, be used to reduce risk by taking advantage of managed security services. Beyond some standard cloud foundation material, the slides covered how we can use current services to quickly stand up a security infrastructure (e.g., DDoS mitigation, email security, vulnerability assessments, and web security gateways) to protect cloud services without the costly upfront investment in equipment, licenses, and expertise. Essentially, use the cloud to protect the cloud. Some interesting growth services that John mentioned included CipherCloud (StorageaaS), Incapsula (WAFaaS), and Citadel (SIEMaaS). For many organizations, using these services reduces risk because they end up actually “doing” security for their cloud deployments rather than skipping it because of the tremendous initial investment.
Here’s a rundown of the remaining presentations for those interested in investigating the other talks.
- Accelerate Your SOC Development – Holly Ridgeway
- Antivirus Is Not Dead – Mike Murr
- Back to Basics – Five Steps to a Secure Future – Dr Eric Cole
- Cyber Exploits – Improving Defenses Against Penetration Attempts – Mark Burnette
- Identifying Targeted Attacks – 6 Telltale Signs – Matt Hastings
- Incident Response – How to Fight Back – Alissa Torres
- It’s All About the Money – Peter Kuper
- Mind the Gap – Building a Bridge from Intrusion to Detection – Bart Hopper
- Prevent Detect Respond – A Framework for Effective Cyber Defense – Dr Eric Cole
- Security Awareness Metrics – Measuring Human Behavior – Lance Spitzner
- Will the REAL Next Generation Security Please Stand Up – Pescatore, Hartig, Kallhoff, Petersen
What were your favorite slide decks? Let us know in the comments below. Today’s post pic is from SANS.org. See ya!