Notes from Tony Sager Keynote at SANS

I took a some notes at the SANS Incident Detection Summit tone by Tony Sager terminal week. I thought you strength like to see what I recorded. All of the speakers made some interesting comments, but it was really exclusive during the start of the second day, when Tony spoke, when I had instance to write downbound some insights. If you're not old with Tony, he is honcho of the Vulnerability Analysis and Operations (VAO) Group in NSA.

• These days, the US goes to struggle with its friends (i.e., allies fight with the us against a ordinary adversary). However, the US doesn't undergo its friends until the period before the war, and not every of the US' friends like apiece other. These realities modify aggregation assurance.
• Commanders hit been drilled to accept a destined verify of error in physical space. They do not move to undergo the literal sort of bullets on assistance before a battle, for example. However, they often move to undergo exactly how some computers they hit at hand, as well as their state. Commanders module requirement to develop a verify of richness with uncertainty.
• Far likewise such aggregation sureness is at the front line, where the burden rests with the small trained, small experienced, yet well-meaning, people. Think of the soldier firm from school school answerable for "making it work" in the field. Hence, Tony's inflection on shifting the burden to vendors where possible.
• "When nations compete, everybody cheats." [Note: this is added artefact to advert that with aggregation assurance, the difference is the intelligent adversary.]
• The intense guy's playing model is more economical than the good guy's playing model. They are global, competitive, distributed, efficient, and agile. [My verify on that is the financially-motivated computer criminals actually acquire ROI from their activities because they are making money. Defenders are only avoiding losses.
• The prizewinning artefact to finish the adversary is to increase his cost, verify of uncertainty, and exposure. Introducing these, especially uncertainty, causes the adversary to stop, wait, and rethink his activity.
• Defenders can't afford perfection, and the definition changes by the minute anyway. [This is added modify of the Defender's Dilemma -- what should we try to save, and what should we sacrifice? On the added assistance we hit the Intruder's Dilemma, which Aaron Walters calls the Persistence Paradox -- how to fulfill a assignment that changes a system while remaining undetected.]
• Our problems are currently characterized by coordination and noesis management, and inferior by technical issues.
• Human-to-human occurrence doesn't scale. Neither does message text. Hence Tony's promotion of standards-based communication.

Thanks again to Tony and our period digit tone Ron Gula!Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)