Gartner Video on Network Behavioral Analysis
Video presentation from Lawrence Orans of Gartner, describing how Network Behavioral Analysis (NBA/NBAD) can detect advanced, targeted threats.
The last installment in drawing lessons from the Shoe Bombing attack for network security focuses on the actions and response that follow threat detection.
One thing we learned from the Shoe Bomber, Richard Reid, is that not all attackers are the same. In this installment we examine the differences among cyber attackers.
Applying the lessons on surveillance we learned from physical security in stopping the Shoe Bomber to network and information security.
In the second installment of this Network Security 101 series, the differences between attack payloads are examined.
Comparing how physical security caught the shoe bomber to how we go about catching network threats.
Behavioral analysis of NetFlow can alert on policy violations as well as suspicious and anomalous activity involving protected data such as cardholder data (PCI), patient records (HIPAA), PII and trade secrets.
Download the deck from SANS DFIR Summit 2013 on "Hunting Attackers with Network Audit Trails." Tom Cross & I delivered this in Austin, TX.
The quest for the (non-existent) Holy Grail of InfoSec: the "single pane of glass." Discussion on why we want it, what it will take to get it and what to do in the interim.
How intelligent NetFlow analysis can ease the pain associated with adding networks gained through mergers and acquisitions.
Using NetFlow for information security has some unique challenges that NetOps tools don't have to deal with. I put Splunk head to head against StealthWatch and lay out methodologies for testing other tools.
How to combine user authentication data with NetFlow audit trails to investigate user behavior.
How NetFlow can quickly reveal application-layer denial of service.
Don't trust your firewalls and NAC without validation. NetFlow is a great way to determine if they are doing what they are supposed to be doing (and alerting you when they are not.)
NetFlow can provide an efficient way of monitoring traffic moving laterally across a network.
APT is a term that means different things to different audiences. It's important to be precise in defining terms and to use the correct words to avoid unnecessary conflict and misunderstanding.
Pseudo-code proof that network behavioral anomaly detection (NBAD) is the superior evolution of signature-based threat detection.
Great investigators know the importance of details but often we go too deep, too quickly. An organized approach to incident response will allow more actionable intelligence to be created in less time.
What distributed denial of service (DDoS) is and how NetFlow can give situational awareness when it happens to your network.
Vendors and analysts want to have conversations about products. Organizations want to talk about their business problems. Vendors rename their products "solutions," and organizations start evaluating the products and forget about their business problems. Here is an open letter to both sides.
An average organization will lose more than $10M to cyber crime this year in detectable losses and much more in un-quantifiable damages as trade secrets, customer data and financial records are stolen without detection. It's time to re-evaluate the need for advanced security teams in organizations that want to stay afloat in an age of rampant, sophisticated corporate espionage from attackers ranging from organized crime to nation-states.
NetFlow, when effectively stored, makes a great basis for analyzing indicators of compromise (IOCs) like those provided in Mandiant's APT1 report.
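The three uses of a stored NetFlow audit trail described in the posts above (validating that a firewall actually blocks what it should, spotting lateral movement, and matching flows against a report's network indicators) come down to simple queries over 5-tuple records. The following is an added example, not code from any of the posts or from any NetFlow product: the flow records, the IOC address list, the internal address ranges and the "internet must not reach internal SMB" policy are all constructed for illustration, and the thresholds in lateral_movement are assumptions to tune per network.

```python
"""Three NetFlow-driven security checks over constructed flow records:
IOC matching, firewall-policy validation and lateral-movement detection.
Added example: every address, record and policy below is constructed."""
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918 ranges used as an example).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# Constructed NetFlow v5-style records (5-tuple plus bytes and start time).
# Public addresses are from the documentation ranges; this is not real traffic.
FLOWS = [
    dict(src="10.1.1.20",    dst="203.0.113.7",  proto=6, sport=51000, dport=443,  bytes=8200, ts=1000),
    dict(src="10.1.1.20",    dst="198.51.100.9", proto=6, sport=51002, dport=80,   bytes=1100, ts=1010),
    dict(src="198.51.100.9", dst="10.1.1.20",    proto=6, sport=44444, dport=445,  bytes=2000, ts=1020),
    dict(src="10.1.1.20",    dst="10.1.2.5",     proto=6, sport=52000, dport=445,  bytes=900,  ts=1030),
    dict(src="10.1.1.20",    dst="10.1.2.6",     proto=6, sport=52001, dport=445,  bytes=900,  ts=1031),
    dict(src="10.1.1.20",    dst="10.1.2.7",     proto=6, sport=52002, dport=3389, bytes=900,  ts=1032),
    dict(src="10.1.1.20",    dst="10.1.2.8",     proto=6, sport=52003, dport=445,  bytes=900,  ts=1033),
    dict(src="10.1.3.9",     dst="10.1.2.5",     proto=6, sport=53000, dport=445,  bytes=500,  ts=1040),
]

# Hypothetical IOC list in the shape of a report's network indicators (IP addresses).
IOC_IPS = {"203.0.113.7"}


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def ioc_hits(flows, ioc_ips):
    """Flows whose source or destination appears on the IOC list."""
    return [f for f in flows if f["src"] in ioc_ips or f["dst"] in ioc_ips]


def policy_violations(flows, denied_ports=(445,)):
    """Inbound internet-to-internal TCP flows on ports the firewall is supposed
    to block. Any such flow in the audit trail means the control did not do
    its job, which is the point of validating firewalls with NetFlow."""
    return [f for f in flows
            if not is_internal(f["src"]) and is_internal(f["dst"])
            and f["proto"] == 6 and f["dport"] in denied_ports]


def lateral_movement(flows, admin_ports=(22, 445, 3389, 5985),
                     window=300, min_hosts=3):
    """Internal hosts that reach at least min_hosts distinct internal peers
    on admin ports within `window` seconds: the fan-out pattern produced by
    credential reuse across a subnet. Thresholds are assumed, not measured."""
    per_src = defaultdict(list)
    for f in flows:
        if (is_internal(f["src"]) and is_internal(f["dst"])
                and f["proto"] == 6 and f["dport"] in admin_ports):
            per_src[f["src"]].append((f["ts"], f["dst"]))

    suspects = {}
    for src, events in per_src.items():
        events.sort()
        # Slide a window starting at each event; flag on the first that fans out.
        for i, (t0, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= min_hosts:
                suspects[src] = sorted(peers)
                break
    return suspects


if __name__ == "__main__":
    for f in ioc_hits(FLOWS, IOC_IPS):
        print("IOC hit:", f["src"], "->", f["dst"], f["dport"])
    for f in policy_violations(FLOWS):
        print("firewall policy violated:", f["src"], "->", f["dst"], f["dport"])
    for src, peers in lateral_movement(FLOWS).items():
        print("lateral fan-out from", src, "to", peers)
```

On the constructed records the IOC check returns the single flow to 203.0.113.7, the policy check returns the inbound 198.51.100.9 to tcp/445 flow that the firewall should have dropped, and the lateral-movement check flags 10.1.1.20 for touching four internal hosts on SMB and RDP within seconds while the lone 10.1.3.9 to 10.1.2.5 connection stays below threshold. Against real exports, the same queries run over however many days of flows you retain, which is why storage, not detection logic, is usually the hard part.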
The systemic problems the Mandiant APT1 report revealed in enterprise surveillance efforts.
How the importance of physical surveillance throughout human history teaches us why we are failing at network security and how we can fix it.