2009 IANS Mid-Atlantic Forum Summary

This week I was able to participate in the IANS Mid-Atlantic Information Security Forum in Washington DC.  It was a whirlwind of activity - from stepping off the plane and arriving just in time as the “Security Operations” session track with Marcus Ranum (of which I’m honored to be a co-facilitator) was being introduced, to dashing off to the airport yesterday afternoon, every moment was consumed with interesting and important conversations about security operations and incident response.  In two days I was able to have solid conversations with folks like Chris Hoff, Peter Kuper, Nick Selby, Glen Sharlun, Aaron Turner, Ron Gula, Raffy Marty and Richard Bejtlich, and so many more who really don’t like their names publicized.

Some of my takeaways from several of the sessions and offline conversations:

Log Data Session Notes:
No surprises in this session, but the picture was certainly clear.
1. IPS Inline and Active is the normal deployment mode now.
2. Log Management is pretty easy and folks are fairly happy with their tools.  They eat, store and regurgitate as expected.
3. SIEM/SIM/SEM is not so well received by some.  It requires the right set of processes, great people and day to day care and feeding to make it work.
4. In order to continue to justify the expenditures (new purchases or maintenance renewal periods), the vendors need to do more to make it easy for the clients to use the systems, and to provide a real value proposition both on an immediate basis and consistently over the life cycle of the product.

Incident Response Session Notes:
I’m excited by the commitment of so many organizations to formalize their Incident Response capabilities.
1. Many organizations are still in the stage of growing into a formalized operational organization; very few are fully mature.
2. There seems to be a great need for sharing best practices (standard operating procedures, etc).
3. There is a real want (maybe need?) for better bi-directional information sharing with Law Enforcement.

From Greg Shipley’s session:

The attackers are extraordinarily sophisticated and organized, and our defense is antiquated and ill-focused.  Not a new concept - we’ve been saying the same thing for 15 years - but it was nice to hear it presented with some interesting numbers about how effective current “primary controls” really are against the attackers.  One of his comments related to vulnerability assessment tools: his numbers seemed to indicate that even the best of these tools really identify only about 60% of the problem, and worse, to get even that high those tools required administrator-level credentialed scans.  A quick survey of the audience revealed that very few are (or are willing to admit) using credentialed scans on a consistent basis.  His point was simple - why is vulnerability assessment a primary control when it should be a secondary or even tertiary control measurement?

From Peter Kuper’s session:
1. Peter took time to explain to the attendees how they could try to turn security into a marketable entity within the organization and protect their careers even in this incredibly difficult economic environment.
2. Peter also gave great advice to both consumers and vendors on how to take advantage of this time.  Partnerships are the key to long-term success.  Neither can be successful by just buying the cheapest product - you need to extract the most value out of your investments.  Push the vendors to work harder and don’t accept inflexibility.
3. He also made an interesting point about public and private companies - they are all in trouble.  Don’t exclude a private company just because it is small or private; use your peers and organizations like IANS to help you figure out who is going to be around for the long haul.  Look for the companies that you are going to be able to partner with and from which you can extract the most value.

Other interesting, even if not Incident Response related, tidbits:
1. From Hoff:  As stupid as it sounds I honestly had no idea Fusion supported OSX as a guest OS - I am going to have to test that out!
2. I’m amazed at how many people are interested in Data Visualization even if they don’t have any idea how to apply it in their environment.  It seems there needs to be even more organized thought (Raffy’s book is a good start) around how to “operationalize” visualization techniques.
3. Intelligence and/or Offensive Operations is an area that is going to get a lot of my brain power over the next few weeks.  The conversations I had around this were eye-opening from both the optimists and the pessimists.  Hoff threw a softball out during the Q/A to Shipley that he bunted, but the follow-on “offline” conversations on this topic were amazing.  I need to spend more time here thinking and looking into the activities of other interesting organizations.  See more from Hoff here - http://rationalsecurity.typepad.com/blog/2009/03/incomplete-thought-offensive-computing-the-empire-strikes-back.html

A very sincere thank you to everyone who took time from their incredibly busy schedules to spend a few minutes with me during the event.  I look forward to catching up with even more of you at SOURCE Boston next week or at RSA in the Spring.

If you haven’t previously participated in these events I would seriously encourage you to take a look.  Allan Carey and B.K. Delong do a great job recruiting awesome faculty, the IANS team does an even better job of putting together the right set of delegates from all verticals/industries, and the conversations are always enlightening.

As I was writing my recap I noticed that Richard already blogged about some of his thoughts on the conference (Don’t you ever sleep?) - http://taosecurity.blogspot.com/2009/03/cyber-stress-cases.html

Rocky

Posted by Rocky on 03/05 at 11:26 AM