Video: Looking for the Weird Webinar for Lancope
YouTube video recording of my "Looking for the Weird: Detecting Bad Traffic and Abnormal Network Behavior" webinar for Lancope. This was given on 9/24/2014.
Vendors like to create an ocean of alarms in their products so they can dogpile after an event and claim that "they caught it." This article goes through the dangers of false positives in incident response and how to address them.
The most dangerous risk to an organization, and the most difficult to detect, is the insider threat. When a trusted asset decides to betray the trust of his benefactor for the sake of ideology, greed or extortion, the organization can suffer long-lasting damage. This article outlines the nature of insider threat and strategies for handling it.
Threat data contained in Indicators of Compromise (IOC) can be applied against the data stored in StealthWatch to look for markers of historical breach. This entry outlines the steps in performing this analysis.
Thanks to the Grand Rapids chapter of the ISSA for hosting me today. My deck can be downloaded here.
The difficulty in controlling user behavior makes spear phishing a "no-brainer" for attackers. Network surveillance can detect the attack at different stages of the kill chain.
The last installment of drawing lessons from the Shoe Bombing attack for network security focuses on the actions and response following threat detection.
Download the deck from SANS DFIR Summit 2013 on "Hunting Attackers with Network Audit Trails." Tom Cross & I delivered this in Austin, TX.
The quest for the (non-existent) Holy Grail of InfoSec: the "single pane of glass." Discussion on why we want it, what it will take to get it and what to do in the interim.
Don't trust your firewalls and NAC without validation. NetFlow is a great way to determine whether they are doing what they are supposed to be doing (and to alert you when they are not).