Dreaming of IoCs: Adding Time Context to Threat IntelligenceSpeaker: Travis Smith (@MrTrav), Senior Security Research Engineer, Tripwire, Inc. Travis Smith, a Senior Security Research Engineer here at Tripwire, discussed the importance of context when gathering security data. Many organizations today collect this data from systems, applications, and network devices as a way to get alerts of abnormal behavior. However, Smith noted that security data is more than big data – it’s morbidly obese data – and the more data we collect, the more noise it collects. This is where time context and threat intelligence proves extremely helpful. Smith gave an overview of the various forms of threat intelligence sources, as well as their pros and cons. He went on to introduce TARDIS – an open-source framework he developed, which helps perform historical searches using attack signatures. TARDIS covers threat analysis, reconnaissance, and data intelligence systems by taking the data of Indicators of Compromise (IoCs) and looking at historical logs for signs of exploitation. By adding valuable time context to threat intelligence, Smith said organizations can pinpoint exactly when a breach occurred, as well as gain other critical forensic analysis information. See his presentation slides here.
Avoid Epic Fails: Elements of Successful Breach Notification and ResponseSpeakers:
- Heidi Shey (@heidishey), Senior Analyst, Forrester Research
- Bo Holland (Bo Holland), CEO, AllClear ID
- Lisa Sotto (@lisasotto), Partner, Hunton & Williams
- Matt Prevost (@Prevost2121), Vice President, Cyber & Technology Product Manager, Chubb
“If customers feel like you have their back, they are actually quite forgiving and willing to come back,” said Bo Holland.Furthermore, there are several cases where being in front of the media and showing preparedness turned out to be a a good thing. Everything is about trust, stressed Lisa Sotto. Be honest, contrite and forthright. Other key takeaways from this session included:
- Don’t notify too early – It’s better to wait until you have all the facts.
- Show evidence of due diligence – Use data flow maps, interviews, and ongoing monitoring.
- Ensure employees are aware of what is going on – If a customer knows more than they do, it’s not a good thing.
Tracking Hackers on Your Network with Sysinternals SysmonSpeaker: Mark Russinovich (@markrussinovich), Chief Technology Officer, Microsoft Azure, Microsoft (Craig Young, attendee): In this session, the Azure CTO and sysinternals author explained how the sysmon tool from this suite can be used to identify malicious activity on a Windows PC or server. Through demonstration and documentation, steps were shown for identifying activity typical of malware, tracking the source of malware, and providing enhanced forensic collection from compromised hosts. In one example, Russinovich showed how he was able to find that his mother's computer was repeatedly getting infected via a signed binary, which had slipped past Microsoft Security Essentials and found its way to be added as a scheduled task. Other features included detecting direct disk access commonly used to steal password hashes as well as alerting on thread injection, timestamp modification and network socket activity. Perhaps of greatest interest to me, however, was learning about the so-called detonation chamber Microsoft uses to identify malicious content in Outlook 365 attachments as well as 0-day Internet Explorer exploits. This second use of the detonation chamber involves having automated IE sessions browsing the web while monitoring for processes created by IE. An example was shown of an exploit identified with sysmon in December. If you missed the session and are an administrator or simply a user of Windows systems, it is worth looking into sysmon and the other sysinternals tools if you are not already using them.
The (Inevitable?) Decline of the Digital Age…Speaker: Mark McLaughlin (Mark McLaughlin), Chairman, President and CEO, Palo Alto Networks In his keynote presentation, Palo Alto Networks CEO Mark McLaughlin stressed that organizations need to be more concerned about consumers losing digital trust. He mentioned several new challenges for security today: the fact that physical and cyber are more and more blending together, how data is massively aggregated and available, and that computing power is limitless.
"These things combined mean that security goes way beyond technology – it transcends," he said. He made the analogy that security is like fabric – you can’t fix it without tearing it.McLaughlin then stressed that the industry needs to work on maintaining and restoring trust because a lot of it has been lost already. Lastly, he addressed the importance of threat sharing and organizations cooperating and collaborating for the greater good.
"The security industry should not compete with what we know, we should compete with what we can do with it."Are you attending RSA this year? If you are, please visit us at Booth #3301 to learn about all the exciting things Tripwire has planned for this year’s conference. In the meantime, please stay tuned for more coverage of RSA Conference 2016!