Washington, DC - December 9 - 10, 2009
Agenda: The WhatWorks in Incident Detection Summit 2009
Be sure and check back for updates to the Agenda!
Tuesday, December 8, 2009
- 5:00pm - 8:00pm
- Early Registration
Wednesday, December 9, 2009
- 6:30am - 8:00am
- Registration
- 8:00am - 8:30am
- Welcome and Introduction
- In his day one briefing, Summit organizer Richard Bejtlich will compare the 2009
Summit to the last SANS event of a similar nature, the 2002 Real World Intrusion
Detection Workshop. Richard will explain the theme of the Summit as well: detecting
incidents in the enterprise.
- Richard Bejtlich, General Electric
- 8:30am - 9:20am
- Keynote
- Ron Gula, Chief Executive Officer and Chief Technical Officer of Tenable Network
Security, will provide the day one keynote. Ron will describe how detecting incidents
has changed in the last 7 years, and give his perspective on how unified security
monitoring provides the best chance to detect intrusions in the enterprise.
- Ron Gula, Tenable Network Security
- 9:20am - 10:20am
- Expert Briefing: Network Security Monitoring dev+user
- Bamm Visscher, author of Sguil and Lead Information Security
Incident Handler for GE-CIRT, and David Bianco, Information Security Incident Handler
for GE-CIRT, will explain Network Security Monitoring. Bamm will focus on Sguil as
an open source tool to conduct NSM. David will explain how NSM can be used to detect
intruders in the enterprise. Lessons from this "developer plus user" briefing can be
applied to other tools and techniques, and are not limited strictly to Sguil. Those
practicing "network forensics" will likely find common ground with NSM practitioners.
This briefing will introduce attendees to the theme of day one: using the network to
detect incidents.
- Bamm Visscher, General Electric; David Bianco, General Electric
- 10:20am - 10:40am
- Break
- 10:40am - 11:40am
- Panel: CIRTs and MSSPs moderated by Rocky Destefano
- Computer Incident Response Teams (CIRTs) and Managed Security Service Providers
(MSSPs) both help secure the enterprise. CIRTs are internal resources while MSSPs are
external actors. In this panel moderated by Decurity founder Rocky Destefano, attendees
will learn how in-house and outsourced teams detect intrusions. Participants will also
learn what sorts of activities are best left to CIRTs and which can be trusted to MSSPs.
- Moderator: Rocky Destefano, EMC/RSA
- Panelists: Michael Cloppert, Lockheed Martin; Nate Richmond, US Coast Guard; Jerry Dixon, Team Cymru; Tyler Hudak, General Electric; Matt Richard, Raytheon; Jon Ramsey, SecureWorks
- 11:40am - 12:50pm
- Lunch & Cyberspeak Podcast
- 12:50pm - 1:40pm
- Briefing: Bro Introduction
- Bro, the open source intrusion detection system
developed by Vern Paxson, is one of the most powerful network traffic inspection suites
available today. In this briefing, long-time Bro user and contributor Seth Hall will
explain how he uses Bro to detect anomalous activity in his enterprise. Attendees will
learn how to quickly deploy a basic Bro capability, as well as more advanced ways Bro
might be used in production.
- Seth Hall, Ohio State University
- 1:40pm - 2:40pm
- Panel: Enterprise Network Detection Tools and Tactics moderated by Stephen Windsor
- Tools and techniques to detect incidents in the enterprise are different from those that
focus on a single system or small group of systems. In this panel, speakers with
large-scale experience will share their tools and tactics for identifying suspicious and
malicious activity. Participants include the founder of the Emerging Threats project
and Open Information Security Foundation, Matt Jonkman, as well as other experienced incident
detection experts.
- Moderator: Stephen Windsor, Booz Allen Hamilton
- Panelists: Ron Shaffer, Booz Allen Hamilton; Matt Olney, Sourcefire; Nate Richmond, US Coast Guard; Matt Jonkman, Emerging Threats; Michael Rash, G2 Inc.; Andre Ludwig, Consultant; Tim Belcher, NetWitness
- 2:40pm - 3:00pm
- Break
- 3:00pm - 3:50pm
- Briefing: Snort Update
- Snort is probably the most well-known incident detection platform
in the world. In this briefing, Snort creator and Sourcefire
founder and Chief Technology Officer Marty Roesch will describe how Snort and Sourcefire have evolved since 2002.
Marty will also explain what users can expect from Snort 3.0.
- Marty Roesch, Founder & CTO Sourcefire
- 3:50pm - 4:40pm
- Panel: Global Network Detection Tools and Tactics
- Detecting incidents can be done using multiple tools and tactics. Before this talk, the
Summit has focused on instrumenting the enterprise to detect suspicious and malicious
activity. In this panel, participants will explain other locations where detection can be
applied, and other ways the enterprise can be attacked, outside its borders. Attendees will
hear from global Border Gateway Protocol (BGP) experts like Earl Zmijewski from
Renesys and botnet hunters like Gunter Ollmann from
Damballa.
- Stephen Windsor, Booz Allen Hamilton; Earl Zmijewski, Renesys; Andre' M. DiMino, Shadowserver; Matt Olney, Sourcefire; Jose Nazario, Arbor Networks; Joe Levy, Solera Networks; Gunter Ollmann, Damballa
- 4:40pm - 5:30pm
- Panel: Commercial Security Intelligence Service Providers moderated by Michael Cloppert
- Commercial security intelligence service providers employ researchers and operators to
keep tabs on underground, criminal, and other malicious activity. In this panel,
participants will explain what they are seeing, how they detect incidents, and how
attendees can engage them to better protect their organizations.
- Moderator: Michael Cloppert, Lockheed Martin
- Panelists: Gunter Ollmann, Damballa; Rick Howard, iDefense; Dave Harlow, Symantec Corp.; Jon Ramsey, SecureWorks; Wade Baker, Verizon Business
- 5:30pm - 7:30pm
- Reception, Podcast, and other Evening Activities
- During the evening activity, Summit attendees will have opportunities to network with
each other. We are also organizing bonus activities, so stay tuned!
- 6:30pm - 7:30pm
- Advanced Analysis with Matt Richard, Raytheon
Thursday, December 10, 2009
- 6:30am - 8:00am
- Registration and Breakfast - Sponsored by Allen Corp/McAfee
- 8:00am - 8:30am
- Introduction
- In his day two briefing, Summit organizer Richard Bejtlich will summarize the lessons
learned from day one and preview day two.
- Richard Bejtlich, General Electric
- 8:30am - 9:20am
- Keynote
- The day two keynote will likely be a senior official from a military organization. This
organization faces challenges similar to many other large, distributed enterprises.
- Tony Sager, National Security Agency
- 9:30am - 10:30am
- Briefing: Memory Analysis dev+user
- In this briefing, attendees will learn how memory analysis can be used to identify
intruders. Proactive system integrity assessment combined with live response techniques
are likely to be popular topics. This briefing will introduce attendees to the theme of day
two: focusing on hosts to detect incidents.
- Aaron Walters, Volatile Systems LLC; Brendan Dolan-Gavitt, Georgia Institute of Technology
- 10:20am - 10:40am
- Break
- 10:40am - 11:40am
- Panel: Detection Using Logs
- The logs panel will describe how enterprise incident detectors use platform, operating
system, and application logs to detect intrusions. Security Information Management and
log aggregation and search systems will be discussed.
- Jesus Torres, Booz Allen Hamilton; Nate Richmond, US Coast Guard; Michael Rash; Matt Richard, Raytheon; Ron Gula, Tenable Network Security; J. Andrew Valentine, Verizon Business; Alex Raitz, Splunk
- 11:40am - 12:50pm
- Lunch & Learn - Sponsored by NetWitness
- 12:50pm - 1:50pm
- Briefing: Network Forensics
- Tim Belcher, NetWitness; Joe Levy, Solera Networks; Martin Roesch, Sourcefire; Ken Bradley, Mandiant
- 1:50pm - 2:40pm
- Briefing: Honeynet Project
- Experts from the long-running Honeynet Project will update attendees on the latest
advances in honeypot and related tools and tactics. Options for deploying and
operationalizing honeypots will be explained.
- Brian Hay, University of Alaska Fairbanks; Michael Davis, Savid Technologies Inc.
- 2:40pm - 3:00pm
- Break
- 3:00pm - 3:50pm
- Panel: Unix and Windows Tools and Techniques
- This panel will provide attendees with a variety of tools and techniques used and
practiced by experienced incident detectors. The goal is to provide Summit attendees with
multiple "quick wins" to apply to their host-based and potentially network-based information
stores in order to determine their security posture.
- Michael Cloppert, Lockheed Martin; Patrick Mullen, @stake; Kris Harms, Mandiant
- 3:50pm - 4:40pm
- Panel: Noncommercial Security Intelligence Service Providers moderated by Michael Cloppert
- Noncommercial security intelligence service providers employ researchers and operators
to keep tabs on underground, criminal, and other malicious activity. In this panel,
participants will explain what they are seeing, how they detect incidents, and how
attendees can engage them to better protect their organizations. In contrast to the
commercial panel on day one, this event focuses on providers who do not charge for their
services.
- Moderator: Michael Cloppert, Lockheed Martin
- Panelists: Andre' M. DiMino, Shadowserver; Jerry Dixon, Team Cymru; Ken Dunham, iSIGHT Partners; Andre Ludwig, Consultant; Jose Nazario, Arbor Networks
- 4:40pm - 5:30pm
- Panel: Commercial Host-centric Detection and Analysis Tools
- In the final Summit session, this panel will explain how host-centric commercial tools
can be used to detect intruders. Rather than focusing on how to "prevent" intrusions, this
event will recognize that not all intruders can be stopped by defense mechanisms.
Rather, other means must be applied to handle sophisticated intruders who are familiar
with standard host-centric defenses.
- Dave Merkel, Mandiant; Ron Gula, Tenable Network Security; Alex Raitz, Splunk