
Tuesday, November 3, 2009

Tentative Speaker List for SANS Incident Detection Summit

Thanks to everyone who attended the Bejtlich and Bradley Webcast for SANS yesterday. We recorded that Webcast (audio is now available) to start a conversation about professional incident detection.

I'm pleased to publish the following tentative speaker list for the SANS WhatWorks in Incident Detection Summit 2009 on 9-10 Dec in Washington, DC. We'll publish all of this information, plus the biographies for the speakers, on the agenda site, but I wanted to share what I have with you.

Day One (9 Dec)
  • Keynote: Ron Gula
  • Briefing: Network Security Monitoring dev+user: Bamm Visscher, David Bianco
  • Panel: CIRTs and MSSPs, moderated by Rocky DeStefano: Michael Cloppert, Nate Richmond, Jerry Dixon, Tyler Hudak, Matt Richard, Jon Ramsey
  • Cyberspeak Podcast live during lunch with Bret Padres and Ovie Carroll
  • Briefing: Bro introduction: Seth Hall
  • Panel: Enterprise network detection tools and tactics, potentially with a guest moderator: Ron Shaffer, Matt Olney, Nate Richmond, Matt Jonkman, Michael Rash, Andre Ludwig, Tim Belcher
  • Briefing: Snort update: Martin Roesch
  • Panel: Global network detection tools and tactics: Stephen Windsor, Earl Zmijewski, Andre' M. Di Mino, Matt Olney, Jose Nazario, Joe Levy
  • Panel: Commercial security intelligence service providers, moderated by Mike Cloppert: Gunter Ollmann, Rick Howard, Dave Harlow, Jon Ramsey, Wade Baker
  • Evening class: Advanced Analysis with Matt Richard
Day Two (10 Dec)
  • Keynote: Tony Sager
  • Briefing: Memory analysis dev+user: AAron Walters, Brendan Dolan-Gavitt
  • Panel: Detection using logs: Jesus Torres, Nate Richmond, Michael Rash, Matt Richard, Ron Gula, J. Andrew Valentine, Alex Raitz
  • Panel: Network Forensics: Tim Belcher, Joe Levy, Martin Roesch, Ken Bradley
  • Briefing: Honeynet Project: Brian Hay, Michael Davis
  • Panel: Unix and Windows tools and techniques: Michael Cloppert, Mullen, Kris Harms
  • Panel: Noncommercial security intelligence service providers, moderated by Mike Cloppert: Andre' M. Di Mino, Jerry Dixon, Ken Dunham, Andre Ludwig, Jose Nazario
  • Panel: Commercial host-centric detection and analysis tools: Dave Merkel, Ron Gula, Alex Raitz
I'm grateful to have these excellent speakers and panel participants on board for this event. If you register and pay tuition by next Wednesday, 11 Nov, you'll save $250. Thank you.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Saturday, October 31, 2009

Bejtlich and Bradley - SANS Webcast

Ken Bradley and I will conduct a Webcast for SANS on Monday 2 Nov at 1 pm EST. Check out the sign-up page. I've reproduced the introduction here.

Every day, intruders find ways to compromise enterprise assets around the world. To counter these attackers, professional incident detectors employ a variety of host, network, and other mechanisms to identify intrusions and respond as quickly and efficiently as possible.

In this Webcast, Richard Bejtlich, Director of Incident Response for General Electric, and Ken Bradley, Information Security Incident Handler for the General Electric Computer Incident Response Team, will discuss professional incident detection. Richard will interview Ken to explore his thoughts on topics like the following:
  • How does one become a professional incident detector?
  • What are the differences between working as a consultant or as a member of a company CIRT?
  • How have the incident detection and response processes changed over the last decade?
  • What challenges make it difficult to identify intruders, and how can security staff overcome these obstacles?

I will lead this event and conduct it more like a podcast, so the audio will be the important part. This is a short-notice event, but it will be cool. Please join us. Thank you!

    Thursday, October 29, 2009

    Partnerships and Procurement - Not Answer

The latest Federal Computer Week magazine features an article titled Cyber warfare: Sound the alarm or move ahead in stride? I'd like to highlight a few excerpts.

Military officials and analysts say evolving cyber threats will require the Defense Department to work more closely with experts in industry... Indeed, the Pentagon must finally change its culture, say independent analysts and military officers alike. It must create a collaborative environment in which military, civilian government and, yes, even the commercial players can work together to determine and shape a battle plan against cyber threats...

Ok, that sounds nice. Everyone wants to boost cooperation and communication. Join hands and sing!

"Government may be a late adopter, but we should be exploiting its procurement power," said Melissa Hathaway, former acting senior director for cyberspace for the Obama administration, at the ArcSight conference in Washington last month...

Hmm, "procurement power." This indicates to me that technology is the answer?

Although one analyst praised the efforts to make organizational changes at DOD, he also stressed the need to give industry more freedom. "The real issue is a lack of action and defensive posture at DOD," said Richard Stiennon, chief research analyst at independent research firm IT-Harvest and author of the forthcoming book "Surviving Cyber War." "Private industry figured this all out 10 years ago," he added. "We could have a rock-solid defense in place if we could quickly procure through industry. Industry doesn't need government help -- government should be partnering with industry."

Hold on. "Private industry figured this all out?" Is this the same private industry in which my colleagues and I work? And there's that "procurement" word again. Why do I get the feeling that technology is supposed to be the answer here?

Industry insiders say they are ready to meet the challenge and have the resources to attract the top-notch talent that agencies often cannot afford to hire.

That's probably true. Government civilian salaries cannot match the private sector, and military pay is even worse, sadly.

Industry vendors also have the advantage of not working under the political and legal constraints faced by military and civilian agencies. They can develop technology as needed rather than in response to congressional or regulatory requirements or limitations.

I don't see the point of that statement. Where do military and civilian agencies go to get equipment to build networks? Private industry. Except for certain classified scenarios, the Feds and military run the same gear as everyone else.

"This is a complicated threat with a lot of money at stake," said Steve Hawkins, vice president of information security solutions at Raytheon. "Policies always take longer than technology. We have these large volumes of data, and contractors and private industry can respond within milliseconds."

Ha ha. Sure, "contractors and private industry can respond within milliseconds" to scoop up "a lot of money" if they can convince decision makers that procurement and purchase of technology are the answer!

Let's get to the bottom line. Partnerships and procurement are not the answer to this problem. Risk assessments, return on security investment, and compliance are not the answer to this problem. Leadership is the answer.

Somewhere, a CEO of a private company, or an agency chief, or a military commander has to stand up and say:

I am tired of the adversary having its way with my organization. What must we do to beat these guys?

This is not a foreign concept. I know organizations that have experienced this phenomenon. I have seen IT departments aligned under security because the threat to the organization was considered existential. Leaders, talk to your security departments directly. Listen to them. They are likely to already know what needs to be done, or are desperate for resources to determine the scope of the problem and feasible solutions.

Remember, leaders need to say "we're not going to take it anymore." That's step one. Leaders who internalize this fight have a chance to win it. I was once told the most effective cyber defenders are those who take personal offense to having intruders inside their enterprise. If your boss doesn't agree, those defenders have an uphill battle ahead.

Step two is to determine what tough choices have to be made to align business practices with security in mind. Step three is for private sector leaders to meet their Congressional representatives in person and say they are tired of paying corporate income tax while receiving zero protection from foreign cyber invaders. When enough private sector leaders are complaining to Congress, the Feds and military are going to get the support they need to make a difference in this cyber conflict. Until then, don't think that partnerships and procurement will make any difference.

    Wednesday, October 28, 2009

    Initial Thoughts on Cloud A6

I'm a little late to this issue, but let me start by saying I read Craig Balding's RSA Conference 2009 Presentation this evening. In it he mentioned something called the A6 Working Group. I learned this is related to several blog posts and a Twitter discussion. In brief:
  • In May, Chris Hoff posted Incomplete Thought: The Crushing Costs of Complying With Cloud Customer "Right To Audit" Clauses, where Chris wrote Cloud providers I have spoken to are being absolutely hammered by customers acting on their "right to audit" clauses in contracts.
  • In June, Craig posted Stop the Madness! Cloud Onboarding Audits - An Open Question... where he wondered Is there an existing system/application/protocol whereby I can communicate my contract requirements to a provider, they can respond in real-time with compliance level and any added costs, with less structured/known requirements responded to by a human (but sent the same way)?
  • Later in June, Craig posted in Vulnerability Scanning and Clouds: An Attempt to Move the Dialog On... where he spoke of the need for customers to conduct vulnerability assessments of cloud providers: A "ScanAuth" API call empowers the customer (or their nominated 3rd party) to scan their hosted Cloud infrastructure confident in the knowledge they won't fall foul of the provider's Terms of Service.
  • In July, Chris extended Craig's idea with Extending the Concept: A Security API for Cloud Stacks, building on the same Twitter discussions. Chris mentioned The Audit, Assertion, Assessment, and Assurance API (A6) (Title credited to @CSOAndy)... Specifically, let's take the capabilities of something like SCAP and embed a standard and open API layer into each IaaS, PaaS and SaaS offering (see the API blocks in the diagram below) to provide not only a standard way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.
Still with me? In August Network World posted A6 promises a way to check up on public cloud security, which said:

What cloud services users need is a way to verify that the security they expect is being delivered, and there is an effort underway for an interface that would do just that. Called A6 (Audit, Assertion, Assessment and Assurance API) the offering is still in the works, driven by two people: Chris Hoff - who came up with the idea and works for Cisco - and the author of the Iron Fog blog who identifies himself as Ben, an information security consultant in Toronto. The usefulness of the API would be that cloud providers could offer customers a look into certain aspects of the service without compromising the security of other customers' assets or the security of the cloud provider's network itself. Work on a draft of A6 is posted here http://www.scribd.com/doc/18515297/A6-API-Documentation-Draft-011. It's incomplete, but offers a good foundation for what is ultimately needed.

So let's see what that says:

The A6 API was designed with the following concepts in mind:
  • The security framework MUST provide external systems with the ability to query a utility computing provider for their security state. Ok, that's pretty generic. We don't know what is meant by "security state," but we're just starting.
  • The framework MUST provide sufficient information for an assessment of security state asserted by the provider. Same issue as #1.
  • The information exposed via public interfaces MUST NOT provide specific information about vulnerabilities or result in detailed security configurations being exposed to third parties or trusted customers. Hmm, I'm lost. I'm supposed to determine "security state" but without "specific information about vulnerabilities"?
  • The information exposed via public interfaces SHOULD NOT provide third parties or trusted customers with sufficient data as to infer the security state of a specific environment within the provider's environment. Same issue as #4.
  • The framework SHOULD reuse existing standards, tools and technologies wherever possible. Neutral, throwaway point.

That's about it, with the following note below:

In classic outsourcing deals these security policies and controls would be incorporated into the procurement contract; with cloud computing providers, the ability to engage in specific contractual obligations for security or allow for third party audits is either limited or non-existent. However, this limitation does not diminish the need for consuming organizations to protect their data. The A6 API is intended to close this gap by providing consuming organizations with near real-time views into the security of their cloud computing provider. While this does not allow for consuming organizations to impose their security policies and controls upon the provider, they will have information to allow them to assess their risk exposure.

Before I pose the question you're all waiting for, let me say that I think it is great people are thinking about these problems. Much better to have a conversation than to assume cloud = secure.

However, my question is this: how does this provide "consuming organizations with near real-time views into the security of their cloud computing provider"?

Here is what I think is happening. Craig started this thread because he wanted a way to conduct audit and compliance (remember I highlighted those terms) activities against cloud providers without violating their terms of service. I am sure Craig would agree that compliance != security. The risk is that someone will think that compliance = security, thinking one could conceivably determine security state by scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.. This is like network access control all over again. A good "security state" means you're allowed on the network because your system is configured "properly," the system is "patched," and so on. Never mind that the system is 0wned. Never mind that there is no API for querying 0wnage.

Don't get me wrong, this is a really difficult problem. It is exceptionally difficult to determine true system state by asking the system, since you are at the mercy of the intruder. It could be worse with cloud and virtual infrastructure if the intruder owns the system and the virtual infrastructure. Customer queries the A6 API and the cloud returns a healthy response, despite the reality. Shoot, the cloud could say it IS healthy by the definition of patches or configuration and still be 0wned.

I think there's more thought required here, but that doesn't mean A6 is a waste of time -- if we are clear that it's more about compliance and really nothing about security, or especially trustworthiness of the assets.

    Last Day for Discounted SANS Registration - Wednesday

In my off time I'm still busy organizing the SANS WhatWorks in Incident Detection Summit 2009, taking place in Washington, DC on 9-10 Dec 09. The agenda page should be updated shortly to list all of the speakers and panel participants. Wednesday is the last day to register at the discounted rate.

I wrote the following to provide more information on the Summit and explain its purpose.

All of us want to spend our limited information technology and security resources on the people, products, and processes that make a difference. Does it make sense to send money to projects when we don't know their impact? I'm not talking about fuzzy "return on investment" (ROI) calculations or fictional "risk" ratings. Don't we all want to know how to find intruders, right now, and then focus on improvements that will make it more difficult for bad guys to disclose, degrade, or deny our data?

To answer this question, I've teamed with SANS to organize a unique event -- the SANS WhatWorks in Incident Detection Summit 2009, on 9-10 Dec 2009 in Washington, DC. My goal for this two-day, vendor-neutral, practitioner-focused Summit is to provide security operators with real-life guidance on how to detect intruders in the enterprise. This isn't a conference on a specific commercial tool, or a series of death-by-slide presentations, or lectures by people detached from reality. I've reached out to the people I know on the front lines, who find intruders on a regular, daily basis. If you don't think good guys know how to find bad guys, spend two days with people who go toe-to-toe with the worst intruders on the planet.

We'll discuss topics like the following:
  • How do Computer Incident Response Teams and Managed Security Service Providers detect intrusions?
  • What network-centric and host-centric indicators yield the best results, and how do you collect and analyze them?
  • What open source tools are the best-kept secrets in the security community, and how can you put them to work directly in your organization?
  • What sources of security intelligence data yield actionable indicators?
  • How can emerging disciplines such as proactive live response and volatile analysis find advanced persistent threats?

Here is a sample of the dozens of subject matter experts who will fill the schedule:
  • Michael Cloppert, senior technical member of Lockheed Martin's enterprise Computer Incident Response Team and regular SANS Forensics blogger.
  • Michael Rash, Senior Security Architect for G2, Inc., author of Linux Firewalls and the psad, fwsnort, and fwknop security projects.
  • Matt Richard, Malicious Code Operations Lead for the Raytheon Corporate Computer Emergency Response (RayCERT) Special Technologies and Analysis Team (STAT) program.
  • Martin Roesch, founder of Sourcefire and developer of Snort.
  • Bamm Visscher, Lead Information Security Incident Handler for the General Electric CIRT, and author of the open source Sguil suite.

Ron Gula is scheduled to do one keynote and I'm working on the second. We'll have guest moderators for some panels too, such as Mike Cloppert and Rocky DeStefano.

I look forward to seeing you at the conference!