Network Security 2012

Las Vegas, NV | Sun, Sep 16 - Mon, Sep 24, 2012

Intrusion Detection is Dead

  • Dr. Johannes Ullrich
  • Wednesday, September 19th, 7:15pm - 8:15pm

Intrusion Detection Systems are still widely operated in a "black list mode", meaning that signatures and anomaly detection modules are searching vast amounts of traffic for known bad activity. The current threat landscape, however, doesn't provide us with the luxury of easily identifiable, well-known exploits. Instead, we are hunting covert channels in standard protocols like HTTP that are hard to parse and identify. This talk will present an alternate approach to Intrusion Detection: Network Traffic Whitelisting. Whitelisting has become a widely accepted replacement for another failing and meaningless protection, Anti-Virus. One of its most difficult hurdles to overcome has been the administrator's lack of knowledge as to what binaries are supposed to be on a system. Similarly, when applying whitelisting techniques to network traffic, we first have to understand what traffic we are supposed to have on our network. This talk will first demonstrate some simple evasion techniques that are successful against most modern IDSs (not all of them will involve IPv6, I promise). Next, we will walk through a whitelisting methodology. In this talk, you will first learn how to become utterly disappointed by the money and effort you have spent configuring your IDS, only to later turn around and walk out smiling after understanding what this big expensive box can do for you instead of just saying "bing".

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Vendor: Events hosted by external vendor exhibitors.
  • Lunch & Learn: Short presentations given during the lunch break.

Monday, September 17

Session | Speaker | Time | Type
General Session - Welcome to SANS | Dr. Eric Cole | Monday, September 17th, 8:15am - 8:45am | Special Events
Forescout | | Monday, September 17th, 12:30pm - 1:15pm | Lunch and Learn
Infogressive/Fortinet | | Monday, September 17th, 12:30pm - 1:15pm | Lunch and Learn
Fidelis Security Systems, Inc. | | Monday, September 17th, 12:30pm - 1:15pm | Lunch and Learn
Tenable Network Security | | Monday, September 17th, 12:30pm - 1:15pm | Lunch and Learn
The SANS360: The Security Crystal Ball | Rob Lee, Moderator | Monday, September 17th, 7:15pm - 8:30pm | Special Events
GIAC Program Overview | Jeff Frisk, GIAC Director | Monday, September 17th, 8:30pm - 9:30pm | Special Events

Tuesday, September 18

Session | Speaker | Time | Type
Vendor Sponsored Lunch Session | | Tuesday, September 18th, 12:00pm - 1:30pm | Vendor Event
Vendor Expo | | Tuesday, September 18th, 12:00pm - 1:30pm; Tuesday, September 18th, 5:00pm - 7:00pm | Vendor Event
Vendor Welcome Reception | | Tuesday, September 18th, 5:00pm - 7:00pm | Vendor Event
Please Keep Your Brain Juice Off My Enigma: A True Story | Ed Skoudis & Josh Wright | Tuesday, September 18th, 6:45pm - 7:45pm | SANS@Night
New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence | Ben Wright | Tuesday, September 18th, 7:15pm - 8:15pm | SANS@Night
Securing The Kids | Lance Spitzner | Tuesday, September 18th, 7:15pm - 8:15pm | SANS@Night
Evolving Threats | Paul Henry | Tuesday, September 18th, 8:15pm - 9:15pm | SANS@Night
Securing The Human | Lance Spitzner | Tuesday, September 18th, 8:15pm - 9:15pm | SANS@Night
Gone in 60 Minutes | David Hoelzer | Tuesday, September 18th, 8:15pm - 9:15pm | SANS@Night

Wednesday, September 19

Session | Speaker | Time | Type
PhishMe | | Wednesday, September 19th, 12:30pm - 1:15pm | Lunch and Learn
Open Mic Night Untrusted Input | | Wednesday, September 19th, 7:00pm - 11:00pm | Special Events
Intrusion Detection is Dead | Dr. Johannes Ullrich | Wednesday, September 19th, 7:15pm - 8:15pm | SANS@Night
Malware Analysis Essentials using REMnux | Lenny Zeltser | Wednesday, September 19th, 7:15pm - 8:15pm | SANS@Night
SANS Technology Institute Master's Presentation | Aron Warren | Wednesday, September 19th, 7:15pm - 7:55pm | Special Events
What's New in Windows 8 and Server 2012? | Jason Fossen | Wednesday, September 19th, 8:15pm - 9:15pm | SANS@Night

Thursday, September 20

Session | Speaker | Time | Type
Netwars Competition at SANS Network Security 2012 | Ed Skoudis | Thursday, September 20th, 6:30pm - 9:30pm | Special Events
SANS Technology Institute Open House | Dr. Ray Davidson, Professor of Practice | Thursday, September 20th, 7:15pm - 8:15pm | Special Events
Linux Forensics for Non-Linux Folks | Hal Pomeranz | Thursday, September 20th, 7:15pm - 8:15pm | SANS@Night
Windows Exploratory Surgery with Process Hacker | Jason Fossen | Thursday, September 20th, 7:15pm - 8:45pm | SANS@Night
Everything They Told Me About Security Was Wrong | John Strand | Thursday, September 20th, 8:15pm - 9:15pm | SANS@Night
Ninja Assessments: Stealth Security Testing for Organizations | Kevin Johnson | Thursday, September 20th, 8:15pm - 9:15pm | SANS@Night

Friday, September 21

Session | Speaker | Time | Type
Netwars Competition at SANS Network Security 2012 | Ed Skoudis | Friday, September 21st, 6:30pm - 9:30pm | Special Events
Practice - Practice - Practice | Neal Bridges | Friday, September 21st, 7:15pm - 8:15pm | SANS@Night