SANS Institute: Reading Room

Analyst Papers

Featuring 441 Papers as of September 14, 2020

To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

2020 SANS Enterprise Cloud Incident Response Survey by Chris Dale - September 14, 2020
- Associated Webcasts: 2020 SANS Enterprise Cloud Incident Response Survey Results 2020 SANS Enterprise Cloud Incident Response Survey: A Panel Discussion
- Sponsored By: Cisco Systems Inc. RSA InfoBlox Gigamon ExtraHop
Our 2020 Enterprise Cloud Incident Response Survey investigated the data sources and services that organizations are leveraging to detect, respond to and remediate incidents in the multi-cloud world. This report on the survey focuses less on which cloud service organizations are using, and more on what data sources they are taking advantage of, what services they find useful, and what methods are working in their programs.
Detecting Malicious Activity in Large Enterprises by Matt Bromiley - September 8, 2020
- Associated Webcasts: Detecting Malicious Activity in Large Enterprises
- Sponsored By: Chronicle
As they grow, organizations need to detect threats amid an alarming assortment of unexpected and complex conditions, often with a blend of legacy and current technologies. This paper explores options for advanced threat detections at enterprise scale.
How to Create a Comprehensive Zero Trust Strategy by Dave Shackleford - September 2, 2020
- Associated Webcasts: How to Create a Comprehensive Zero Trust Strategy
- Sponsored By: Cisco Systems Inc.
To implement zero trust effectively, organizations must consider critical controls, such as network access and inspection controls, as well as the roles that visibility, vulnerability and discovery play in their least privilege strategies. SANS analyst Dave Shackleford explains how to build a microsegmentation access control model that addresses common business drivers, implements capabilities critical to microsegmentation, and applies microsegmentation and zero trust initiatives in ways that positively impact industry compliance requirements.
Enabling NIS Directive Compliance with Fortinet for Operational Technology by Jason D. Christopher - September 1, 2020
- Associated Webcasts: Aligning Your Security Program with the NIS Directive
- Sponsored By: Fortinet, Inc.
The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper examines how Fortinet solutions can help comply with the NIS Directive.
How to Improve Threat Detection and Hunting in the AWS Cloud Using the MITRE ATT&CK Matrix by Dave Shackleford - August 31, 2020
- Associated Webcasts: How to Improve Threat Detection and Hunting in the AWS Cloud Using the MITRE ATT&CK� Matrix
- Sponsored By: AWS Marketplace
To build threat detection and hunting capabilities that are more effective, understanding adversary tactics and techniques based on real-world observations is critical. SANS senior instructor and cloud security expert Dave Shackleford discusses how to apply the MITRE ATT&CK Matrix to the AWS Cloud to classify and understand cloud-based techniques and leverage threat intel in order to maintain a strong security posture.
Firewalls in the Modern Enterprise: A New SANS Survey by Matt Bromiley - August 31, 2020
- Associated Webcasts: Firewalls in the Modern Enterprise: A New SANS Survey
- Sponsored By: Palo Alto Networks
From cloud computing to the growing use of containers and virtualized systems, the modern IT enterprise offers constant security challenges. This evolution in enterprise infrastructure has changed the way security professionals think about their security appliances, often finding solace in traditional devices like the firewall or proxy. SANS recently surveyed practitioners about their use and perceptions of firewalls within modern enterprises. This paper explores survey results, and provides insight into how firewalls can help.
All for One, One for All: Bringing Data Together with Devo by Matt Bromiley - August 19, 2020
- Associated Webcasts: All for One, One for All: Bringing Data Together with Devo
- Sponsored By: Devo Technology Inc.
Many organizations have an assortment of security tools that have been cobbled together over the years. In this review, SANS instructor Matt Bromiley examines a solution to the problem of bringing multiple tools together: Devo Security Operations. He puts Security Operations through its paces as a tool that provides enterprisewide insight, seamless investigation and hunting, automated data correlation and enrichment, and more so that analysts can get back to business of responding to threats.
Intuitive Endpoint Security: A SANS Review of Morphisec by Matt Bromiley - August 18, 2020
- Associated Webcasts: Intuitive Endpoint Security: A SANS Review of Morphisec
- Sponsored By: Morphisec
Endpoint security can be a tricky topic for organizations. In many cases, security teams utilize endpoint security products that are bulky and cumbersome, barely effective and only make their jobs more difficult. Furthermore, many security products rely so heavily on detecting an incident after the fact that they hardly seem effective in preventing cyber incidents. This leaves the security team constantly chasing alerts through the network, rather than implementing preventative techniques. In this paper SANS instructor Matt Bromiley reviews the Morphisec platform, which reverses much of this approach. Morphisec is geared toward the prevention of malicious activity through the careful morphing of process memory.
Aligning Your Security Program with the NIS Directive by Matt Bromiley - August 16, 2020
- Sponsored By: Fortinet, Inc.
The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper explores various measures of the NIS Directive and how to align your organization�s security posture with those measures.
Improving the Bottom Line with Effective Security Metrics: A SANS Survey by Barbara Filkins - August 10, 2020
- Associated Webcasts: Improving the Bottom Line with Effective Security Metrics: A SANS Survey Real-World Use Cases of Metrics That Demonstrate Effective Security Practices
- Sponsored By: Cisco Systems Inc. ThreatConnect Code42
In SANS surveys, CISOs consistently report their major obstacle is the inability to obtain management commitment to increase cybersecurity resources and investment. This paper explores the results of the 2020 SANS Security Metrics Survey with both quantitative results about the overall state of metrics across cybersecurity operations, as well as interview-based qualitative results detailing success stories and best practices of security teams who have been collecting and presenting business-relevant security metrics.
Show Business Benefit by Moving to Risk-Based Vulnerability Management by John Pescatore - August 10, 2020
- Associated Webcasts: How to Show Business Benefit by Moving to Risk-Based Vulnerability Management
- Sponsored By: Tenable
This paper provides SANS advice for actionable steps to enable security managers to reduce risk and demonstrate business value by increasing the maturity and effectiveness of their vulnerability management processes and controls. It also suggests key questions to ask of product and service providers to select the best approach for an organization.
How to Protect All Surfaces and Services in the AWS Cloud by Dave Shackleford - July 28, 2020
- Associated Webcasts: How to Protect All Surfaces and Services in the AWS Cloud
- Sponsored By: AWS Marketplace
Multiple layers of defense are required to protect your AWS environment, and it's essential to use advanced controls and develop more dynamic and continuous processes to evaluate security conditions. Learn how to reduce your overall attack surface to reduce exposure; apply configuration management, real-time assessment and access control mechanisms; and implement automation for monitoring and continuous protection.
Browser Isolation: A SANS Review of Cyberinc's Isla by Matt Bromiley - July 28, 2020
- Associated Webcasts: Browser Isolation: A SANS Review of Cyberinc\'s Isla
- Sponsored By: Cyberinc
The browser is an integral part of users' day-to-day activities, providing access to internal resources, sensitive data and third-party services. Via the use of webmail and malicious links, it is also an integral piece of the entry vector for attackers. In this product review, Matt Bromiley reviews Cyberinc's Isla, a browser isolation platform that addresses this common incident entry vector by getting in front of browser-borne threats and effectively rendering them harmless.
Implementation Guide for Vendors and Integrators Working in NERC-CIP Environments by Tim Conway - July 27, 2020
- Associated Webcasts: How to Use NERC CIP: An Overview of the Standards, Their Deployment and How to Use Fortinet Products for Compliance
- Sponsored By: Fortinet, Inc.
This paper examines some of the essential NERC CIP Standards for third-party organizations to understand as well as how the requirements affecting third-party products and services may vary from site to site or organization to organization.
Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOCs) by John Pescatore and Barbara Filkins - July 24, 2020
- Associated Webcasts: Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOCs): Survey Results Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOCs): Panel Discussion
- Sponsored By: Cisco Systems Inc. LogRhythm Anomali ThreatConnect Reversing Labs Swimlane Awake Security ExtraHop
SANS surveys have shown that the skills of the people are the prime prerequisite to enable organizations to define critical SOC processes; create use cases, hypotheses and plans; architect effective security solutions; and efficiently deploy, operate and maintain security systems. In this whitepaper, SANS author and Director of Emerging Security Trends John Pescatore explores the results of this year’s SAN SOC Survey, with advice from Barbara Filkins, SANS Analyst Program Research Director.
Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework by John Hubbard - July 17, 2020
- Associated Webcasts: Measuring and Improving Cyber Defense Using the MITRE ATT&CK� Framework Measuring and Improving Cyber Defense Using the MITRE ATT&CK� Framework: A SANS Panel Discussion Understanding and Leveraging the MITRE ATT&CK� Framework: A SANS Roundtable
- Sponsored By: Cisco Systems Inc. LogRhythm Anomali Reversing Labs ThreatQuotient Swimlane Awake Security ExtraHop
Through the ATT&CK framework, MITRE has generated a gold mine of information about the most important tactics and techniques used by attackers and how the blue team can detect and prevent these actions. Blocking atomic attack indicators such as domain names and IP addresses might work in the short term, but understanding the higher-level tactics in ATT&CK helps the blue team identify and anticipate attacker activity at a higher level of abstraction. In this white paper, SANS author and dedicated blue team member John Hubbard explores how ATT&CK slows attackers down and gives defenders a fighting chance.
Making and Keeping Work-at-Home Operations Safe and Productive by John Pescatore - July 8, 2020
- Associated Webcasts: Making and Keeping Work at Home Operations Safe and Productive Insights on Remote Access Cybersecurity and Workplace Flexibility - A SANS Whitepaper
- Sponsored By: InfoBlox Menlo Security Pulse Secure BlackBerry Cylance
Workforce mobility, endpoint security and data protection risks have amplified since the COVID-19 pandemic. Organizations have had to address a variety of remote worker challenges including security teams working from home (WFH). While secure remote access capacity and cloud usage for business continuity has accelerated, business are now realizing productivity and operational advantages -- projecting a shift towards increased remote workplace flexibility and permanence.
Using Zero Trust to Enable Secure Remote Access by Dave Shackleford - July 7, 2020
- Associated Webcasts: Using Zero Trust to Enable Secure Remote Access
- Sponsored By: BlackBerry Cylance
Many tools and controls can help monitor internal workloads and data moving between hybrid cloud environments. The zero trust model may be the most important when designing a dynamic security architecture.
Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra by Dave Shackleford - June 29, 2020
- Associated Webcasts: Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra
- Sponsored By: Guardicore LTD
Organizations are taking advantage of digital transformation in their quest to boost agility and shrink infrastructure costs. However, this transformation often comes at a cost: a larger, more complex security attack surface. Guardicore Centra aims to provide a simpler, faster way to reduce attack surfaces and prevent lateral movement in an IT environment via micro-segmentation security policies. In this product review, SANS analyst Dave Shackleford shares his experience of putting Centra through its paces.
ICS Asset Identification: It's More Than Just Security by Mark Bristow - June 24, 2020
- Associated Webcasts: ICS Asset Identification: It\'s More Than Just Security: A SANS Report ICS Asset Identification: It�s More Than Just Security: A SANS Panel Discussion
- Sponsored By: Cisco Systems Inc. Tenable Palo Alto Networks PAS
Historically, asset identification has been associated with time-consuming and costly cybersecurity efforts. In this new SANS report, Mark Bristow, SANS ICS Active Defense and Incident Response certified instructor, explores critical resources needed to start an asset identification program. The author also explains how asset Identification can enhance ROI through such benefits as improved maintenance, reduced mean-time-to-repair, and increased availability.
How to Use NERC-CIP: An Overview of the Standards and Their Deployment with Fortinet by Tim Conway and Ted Gutierrez - June 17, 2020
- Associated Webcasts: How to Use NERC CIP: An Overview of the Standards, Their Deployment and How to Use Fortinet Products for Compliance
- Sponsored By: Fortinet, Inc.
This paper is a unique review of a few key Fortinet products and how those products align with existing NERC CIP regulation requirements. It also examines how those products might aid an organization in the process of maintaining compliance and explores the product features that will help defend the organization's program during an audit.
Remote Workers Poll by Heather Mahalik - June 3, 2020
- Associated Webcasts: How Are Remote Workers Working? A SANS Poll
- Sponsored By: InfoBlox Menlo Security Pulse Secure ExtraHop
Remote work has quickly become the "new normal" with the COVID-19 pandemic. Organizations have been forced to rethink how they will get work done with their employees mandated to stay home. How are organizations handling working from home? How well were companies prepared for remote work? How have technological needs changed with this shift? How are teams communicating? How are devices and communications being secured? When a time like this does not allow for the mission to halt, employees and employers have scrambled to keep the work going. Ensuring that teams are equipped, communicating, and are safe at home is key during this time. This webinar, led by Heather Mahalik SANS Senior Instructor, Author and Senior Director of Digital Intelligence at Cellebrite, covers how companies have adjusted to this new landscape as a workforce. How have things changed and how are we coping and keeping the ball rolling forward from home.
Factoring Enterprise IoT Devices into Detection and Response by Matt Bromiley - May 27, 2020
- Associated Webcasts: Factoring IoT Devices into Detection and Response: A SANS Whitepaper
- Sponsored By: ExtraHop
With the advent of the cloud, corporate networks are becoming more complex. There is a constant state of change with new types of devices installed daily. To keep pace, you will need an approach to threat detection and response that enables your team’s full visibility so it can quickly adapt and include enterprise IoT devices in its response plans. This paper explores the growth of enterprise IoT devices inside corporate networks and how they change the shape of incident detection and response. The enterprise device landscape is dynamic; it’s prudent for your information security team to track changes to understand the effects on your network.
Is Your Threat Hunting Working? A New SANS Survey for 2020 by Mathias Fuchs - May 26, 2020
- Associated Webcasts: Is Your Threat Hunting Effective? A New SANS Survey
- Sponsored By: Cyborg Security
Although threat hunting has become a mandatory task to establish an acceptable level of security, the demand for skilled hunters far exceeds the number of available specialists. In this new research, SANS queried organizations about how they approach threat hunting, the barriers to success and how they measure their efforts. This paper explores what exactly leads to the shortage of suitable personnel and how it affects security organizations’ capabilities to utilize threat hunting teams.
Responding to Incidents in Industrial Control Systems: Identifying Threats/Reactions and Developing the IR Process by Don C. Weber - May 21, 2020
- Associated Webcasts: Responding to Incidents in Industrial Control Systems (ICS): Identifying Threats, Reactions and Developing the IR Process
- Sponsored By: Honeywell International
Threats, attacks and incidents are not decreasing. Industrial control systems (ICS) have become increasingly vulnerable as cyber criminals discover that OT environments are viable targets. This paper outlines the incident response process in OT environments, and provide examples of the pitfalls of being unprepared.
How to Implement a Software-Defined Network Security Fabric in AWS by Dave Shackleford - May 18, 2020
- Associated Webcasts: How to Implement a Software-Defined Network Security Fabric in AWS
- Sponsored By: AWS Marketplace
Maintaining control and visibility of network assets in hybrid networks creates many security challenges. In this paper, you'll learn proven strategies such as building a control stack of cloud-native and third-party controls to ensure confidentiality and availability of assets; using SD-WAN and cloud security-as-a-service to provide edge security in a unified network fabric; and leveraging infrastructure-as-code for automation and management of infrastructure.
2020 SANS Automation and Integration Survey by Don Murdoch - May 18, 2020
- Associated Webcasts: SANS 2020 Automation and Integration Survey Results
- Sponsored By: CloudPassage DomainTools ThreatConnect Siemplify Swimlane Devo Technology Inc. SIRP
This year's Automation and Integration Survey aimed to quantify automation experiences and more concretely understand how organizations are able to maximize their security investment and improve operations through automation efforts. This paper explores what automation activities have been successful, why they have been successful, and how organizations set up their automation activities to achieve meaningful results.
All Roads Lead to the Browser: A SANS Buyer's Guide to Browser Isolation by Matt Bromiley - May 6, 2020
- Associated Webcasts: All Roads Lead to the Browser: A SANS Buyer\'s Guide to Browser Isolation
- Sponsored By: Cyberinc
As organizations move to the cloud, browser dependency becomes more prevalent. That's why we say the browser is the new endpoint. By limiting the impact a browser can have on a victim system, organizations can prevent web code from reaching the endpoint. Find out how browser isolation works, key factors to consider when evaluating, implementing and testing solutions, and how to integrate browser isolation into your security posture to stop attacks earlier.
Transforming Detection and Response: A SANS Review of Cortex XDR by Matt Bromiley - May 4, 2020
- Associated Webcasts: Transforming Detection and Response: A SANS Review of Cortex XDR
- Sponsored By: Palo Alto Networks
To help their teams detect and respond to the ever-growing list of security threats, many organizations have turned toward endpoint detection and response (EDR) platforms within their environment. This product review explores the intuitive and insightful security platform Cortex XDR, provided by Palo Alto Networks. A platform designed to help decrease the time an organization needs to detect and respond to threats, Cortex XDR brings multiple data sources together, including network, endpoint and cloud, to assist analysts in performing enterprise investigations.
SANS Top New Attacks and Threat Report by John Pescatore - April 27, 2020
- Associated Webcasts: SANS Top New Attacks and Threat Report
- Sponsored By: Cisco Systems RSA Unisys InfoBlox Anomali DomainTools Verodin Cyberinc
SANS instructors presented their analysis of new attack techniques currently in use and shared their projections for future exploits at the annual 2020 RSA Conference in San Francisco. In this paper, SANS Director of Emerging Security Trends John Pescatore highlights key themes from that report and other sources.
How to Design a Least Privilege Architecture in AWS by Dave Shackleford - April 23, 2020
- Associated Webcasts: How to Design a Least Privilege Architecture in AWS
- Sponsored By: AWS Marketplace
A least privilege architecture reduces risk and minimize disruptions by allowing only the minimum required authority to perform tasks. This architecture should include authentication and authorization controls, network access and inspection controls, and monitoring/enforcement controls for both the network and workloads. Learn what it takes to create a granular security environment that provides strong attack resistance.
Zero Trust: What You Need to Know to Secure Your Data and Networks by Dave Shackleford - April 20, 2020
- Associated Webcasts: Zero Trust: What You Need to Know to Secure Your Data and Networks
- Sponsored By: Gigamon
In the ongoing movement toward increasingly hybrid software-based environments, enterprises are designing dynamic security architecture models to start adopting an overarching theme: one of "zero trust." The core elements of a well-rounded zero trust model are still in the development stage but this paper explores the critical missing element to securing your data and network in a zero trust architecture.
2020 SANS Network Visibility and Threat Detection Survey by Ian Reynolds - March 31, 2020
- Associated Webcasts: Network Visibility and Threat Detection: A SANS Survey
- Sponsored By: ExtraHop
Organizations have untapped opportunities to strengthen the way they analyze network data and increase visibility. Visibility brings increased situational awareness, allowing for rapid threat identification and investigation for faster resolution of internal performance issues and security breaches. Investing time in understanding how and where to capitalize on these opportunities will bring real and measurable benefits.
Implementer's Guide to Deception Technologies by Kyle Dickinson - March 17, 2020
- Associated Webcasts: Using Deception Technologies to Defend Against Active Directory and Ransomware Attacks
- Sponsored By: Fidelis Cybersecurity
Deception technologies significantly improve security teams' capabilities to quickly and accurately detect attackers that intentionally avoid looking malicious. But how do these cyber technologies work to address key security concerns? This paper explores how to collect threat intelligence and attack attribution information associated with malicious behaviors that fly under the radar in an attempt to carry out Active Directory and ransomware attacks, phishing and credential hijacking, vulnerable applications, and more.
Women in Cybersecurity: Spanning the Career Life Cycle by Heather Mahalik - March 16, 2020
- Associated Webcasts: Women in Cybersecurity: A SANS Survey Women in Cybersecurity: A SANS Survey Panel Discussion
- Sponsored By: Cisco Systems LogRhythm ThreatConnect ThreatQuotient
In this paper, survey author and SANS instructor Heather Mahalik explores key results of our survey of successful women in varied roles within the cybersecurity community and draws on experiences of such women to provide practical advice to women all along their career life cycle.
Knock, Knock: Is This Security Thing Working? by Matt Bromiley - March 10, 2020
- Associated Webcasts: Knock, Knock: Is This Security Thing Working?
- Sponsored By: VMWare, Inc
Is our current state of information security working? Is it possible the "same old way" of doing things is simply making us feel secure...until the next breach proves us wrong? This paper explores how the movement toward virtualized data centers has removed obstacles to a long-held goal for information security: the concept of intrinsic security.
How to Leverage Endpoint Detection and Response (EDR) in AWS Investigations by Justin Henderson - March 9, 2020
- Associated Webcasts: How to Leverage Endpoint Detection and Response (EDR) in AWS Investigations
- Sponsored By: AWS Marketplace
Endpoints are moving past EC2 virtual machines, and it is imperative for EDR solutions to evolve and support this evolution. This paper illustrates how to leverage endpoint detection and response (EDR) in Amazon Web Services (AWS) to achieve a higher standard of security while simplifying management overhead. Discover how to use EDR solutions to add thousands of host-based observables for threat hunting, auto-scale threat detection across cloud endpoints and integrate a cloud access security broker (CASB) to extend protection to cloud apps.
Cybersecurity in the Age of the Cloud by Frank Kim - February 21, 2020
The hand-selected resources in this eBook provide a well-rounded look at cybersecurity considerations and practices in the age of the cloud. Each report in the collection touches on different parts of the five functions of the NIST Cybersecurity Framework - identify, protect, detect, respond, and recover. The collection is rounded out by the recent SANS 2019 Cloud Security Survey to provide a snapshot of today's cloud security environment and associated concerns.
Implementer's Guide to Deception Technologies by Kyle Dickinson - February 18, 2020
- Associated Webcasts: Real-World Implementation of Deception Technologies
- Sponsored By: Acalvio Technologies, Inc.
Deception technologies can significantly improve an organization's capability to quickly and accurately detect attackers that intentionally avoid looking malicious. At the same time, deception technologies can collect threat intelligence and attack attribution information to improve response effectiveness. Implemented as network-accessible resources, on endpoints and even in cloud implementations, deception technologies can cover major attack surfaces to assist with attack malicious behaviors like account hijacking, phishing, vulnerable applications, and more.
How to Improve Security Visibility and Detection/Response Operations in AWS by Dave Shackleford - February 12, 2020
- Associated Webcasts: How to Improve Security Visibility and Detection/Response Operations in AWS
- Sponsored By: AWS Marketplace
Security teams handle a sizable stream of alerts, creating noise and impairing their ability to determine which incidents to prioritize. Used together, logging and event monitoring, along with automation strategies and tools, can enable teams to build an effective and efficient continuous cloud security monitoring strategy. By implementing large-scale analytics processing, integrating SIEM solutions that improve detection and investigation of potential threats, and leveraging SOAR technologies to auto-remediate events, security teams have the power to create more signal and less noise for actionable responses.
Using Illusive Networks' Attack Surface Manager to Enhance Vulnerability Management by Dave Shackleford - February 11, 2020
- Associated Webcasts: Discover and Eliminate Cyberattack Pathways to Critical Assets with Illusive Networks Attack Surface Manager
- Sponsored By: Illusive Networks
Illusive Networks' Attack Surface Manager (ASM) takes a unique approach to identify vulnerabilities within the network. SANS reviewed ASM and learned how it continuously discovers assets in the environment and monitors systems for artifacts, allowing it to pinpoint attack paths that could be exploited by adversaries who have gained initial access to an environment. The product can then map these paths to show whether important assets are vulnerable to attack, and can remediate issues on systems within the attack path.
Boosting IAM and Privilege Control Using Illusive Networks� Attack Surface Manager by Dave Shackleford - February 11, 2020
- Associated Webcasts: Discover and Eliminate Cyberattack Pathways to Critical Assets with Illusive Networks Attack Surface Manager
- Sponsored By: Illusive Networks
Illusive Networks' Attack Surface Manager (ASM) takes a unique approach to identify vulnerabilities within the network. SANS reviewed ASM and learned how it continuously discovers assets in the environment and monitors systems for artifacts, allowing it to pinpoint attack paths that could be exploited by adversaries who have gained initial access to an environment. The product can then map these paths to show whether important assets are vulnerable to attack, and can remediate issues on systems within the attack path.
2020 SANS Cyber Threat Intelligence (CTI) Survey by Robert M. Lee - February 10, 2020
- Associated Webcasts: 2020 SANS Cyber Threat Intelligence (CTI) Survey Results 2020 SANS Cyber Threat Intelligence (CTI) Survey Panel Discussion 2020 SANS Cyber Threat Intelligence (CTI) Survey Results 2020 SANS Cyber Threat Intelligence (CTI) Survey Results 2020 SANS Cyber Threat Intelligence (CTI) Survey Panel Discussion
- Sponsored By: Sophos Inc. InfoBlox Anomali DomainTools RecordedFuture ThreatConnect ThreatQuotient EclecticIQ
Over the past several years, SANS has seen a gradual maturation of cyber threat intelligence (CTI) and its applications in information security. This paper, based on results from the 2020 SANS CTI Survey, provides guidance on how organizations of all types can get the most out of CTI.
Implementer's Guide to Deception Technologies by Kyle Dickinson - February 5, 2020
- Associated Webcasts: Implementer\'s Guide to Deception Technologies
- Sponsored By: Fidelis Cybersecurity Attivo Networks Acalvio Technologies, Inc.
Deception technologies can significantly improve an organization's capabilities to swiftly and accurately detect attackers, while at the same time collect sufficient threat intelligence and attack attribution information to improve response effectiveness. By deploying decoy lures, misdirections, and systems to attract and snare attackers, organizations can take back the advantage on today's digital battlefield. All it takes for the attacker to touch one deceptive resource.
Spends and Trends: SANS 2020 IT Cybersecurity Spending Survey by Barbara Filkins and John Pescatore - January 28, 2020
- Associated Webcasts: Spends and Trends: Results of the SANS 2020 Cybersecurity Spending Survey Spends and Trends: SANS 2020 Cybersecurity Spending Survey Panel Discussion Spends and Trends: SANS 2020 Cybersecurity Spending Survey Panel Discussion 2020 SANS Cyber Threat Intelligence (CTI) Survey Results
- Sponsored By: Gigamon ExtraHop Netskope
CISOs and security operations managers need information on the areas of security in which their peers plan to increase or decrease their investment. This paper explores what organizational leaders are emphasizing as they budget for and procure security tools and services to support their businesses amid evolving technologies and threats.
Security by Design: A Systems Road Map Approach by Barb Filkins - January 16, 2020
- Associated Webcasts: Securing ICS Using the NIST Cybersecurity Framework and Fortinet: Best Practices for the Real World
- Sponsored By: Fortinet, Inc.
This implementation guide has been designed to help organizations use the NIST Cybersecurity Framework to establish a security program that spans both the information technology (IT) and operational technology (OT) domains. This guide outlines a five-step approach and contains a wealth of specific takeaways, graphs and charts, as well as action items for more effective security.
This guide is a companion paper to "Effective Implementation of the NIST Cybersecurity Framework with Fortinet".
Effective Implementation of the NIST Cybersecurity Framework with Fortinet by Don Weber - January 16, 2020
- Associated Webcasts: Securing ICS Using the NIST Cybersecurity Framework and Fortinet: Best Practices for the Real World
- Sponsored By: Fortinet, Inc.
This product overview looks at one approach to updating an OT network, commonly referred to as a control network, by leveraging a combination of the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), the SANS ICS410 Reference Architecture model and Fortinet Security Fabric technologies. It examines how to effectively support and implement the NIST CSF and explores how some of Fortinet�s product line can assist with an organization�s OT security evolution.
This product overview is a companion paper to "Security by Design: A Systems Road Map Approach".
Threat Hunting and Discovery: A SANS Review of Vectra Cognito by Dave Shackleford - January 15, 2020
- Associated Webcasts: Threat Hunting and Discovery: A SANS Review of Vectra Cognito
- Sponsored By: Vectra Networks Inc.
Vectra's Cognito security analytics platform aims to address modern attacks by analyzingmany of the attacker behaviors outlined in MITRE's ATT&CK matrix, which thoroughly describes an attack campaign and its phases. Security teams are facing pressure to detect attacks and respond to them more rapidly, which is difficult when trying to find evidence of lateral movement, reconnaissance, privilege escalation and other stealthy behavior. SANS reviewed the Cognito platform to understand how it can be used to rapidly analyze network data and provide a behavior-focused model of detection and response.
Workforce Transformation: Challenges, Risks and Opportunities by David Hazar - December 17, 2019
- Associated Webcasts: Workforce Transformation and Risk: A SANS Survey Workforce Transformation and Risk: A SANS Survey
- Sponsored By: RSA
Shifts in globalization, demographics, work styles and work sourcing are transforming the way companies manage their businesses. In this survey, SANS, in cooperation with RSA, examines the risk factors associated with workforce transformation, what organizations are most concerned about, and what organizations are doing to mitigate risks.
How to Leverage a CASB for Your AWS Environment by Kyle Dickinson - December 17, 2019
- Associated Webcasts: How to Leverage a CASB for Your AWS Environment
- Sponsored By: AWS Marketplace
As organizations move applications and data to the cloud, the number of applications they can leverage grows constantly, as do the areas where data can reside. Cloud access security brokers (CASBs) provide the convenience and means to integrate with modern technologies and implement security controls. Discover how CASBs help you make sense of auditing data, provide data protection and storage security, take advantage of common CASB features to secure deployments.
Protecting the User: A Review of Mimecast's Web Security Service by David Szili - December 11, 2019
- Associated Webcasts: Protecting the User: A Review of Mimecast�s Web Security Service Protecting the User: A Review of Mimecast�s Web Security Service
- Sponsored By: Mimecast Services Limited
The web remains a primary vector for cyberattacks, as either the initiation point or the way to complete the adversaries' mission. In this review, SANS instructor David Szili shares his perspectives on best practices for securing the web in general and his experience using the Mimecast Web Security cloud service in particular.
Threat Hunting with Consistency by Matt Bromiley - December 8, 2019
- Associated Webcasts: Threat Hunting with Consistency - A SANS Whitepaper
- Sponsored By: Vectra Networks Inc.
A proposed alternative language to threat hunting, based on the existing MITRE ATT&CK language, this white paper outlines a stronger internal process that builds a security team that views their environment holistically and relies on evidence-based security research. Through a uniformed vocabulary, greater efficiencies and stronger borders against threats can be developed.
How to Build a Threat Hunting Capability in AWS by Shaun McCullough - December 3, 2019
- Associated Webcasts: How to Build a Threat Hunting Capability in AWS
- Sponsored By: AWS Marketplace
Threat hunting is more of an art than a science, in that its approach and implementation can differ substantially among enterprises and still be successful. In cloud environments, where the threat landscape is always changing, security teams must know what data to collect and how to analyze it in order to tease out suspicious anomalies. In addition to these topics, this whitepaper walks you through the threat hunting process, describing tools and techniques you can use to find and neutralize threats.
2019 SANS Survey on Next-Generation Endpoint Risks and Protections by Justin Henderson and John Hubbard - December 2, 2019
- Associated Webcasts: 2019 SANS Survey on Next-Generation Endpoint Risks and Protections
- Sponsored By: Cisco Systems OpenText Inc. Sophos Inc. VMWare Carbon Black
Past SANS surveys show that endpoints of all types are being breached and used to dig deeper into organizations' networks. Our 2019 Next-Generation Endpoint Survey explores how attack methods and payloads are changing, whether organizations are containing breaches effectively, and more--including recommendations and guidance in addressing these concerns.
Taming the Wild West: Finding Security in Linux by Matt Bromiley - November 22, 2019
- Associated Webcasts: Taming Linux for Enterprise Security
- Sponsored By: Cmd
Although Linux has historically been less prone to attacks, increased enterprise use on-premises and in the cloud means it has become as common a target as Windows environments. This paper looks at the deficiencies of Linux from a security perspective and how to lock Linux down more effectively.
Someone to Watch Over You: A Review of CrowdStrike�s Falcon OverWatch by Joe Sullivan - November 19, 2019
- Associated Webcasts: Someone to Watch Over You: A Review of CrowdStrike�s Falcon OverWatch
- Sponsored By: CrowdStrike, Inc.
Technology alone cannot stop 100% of threats against endpoints. Ensuring security requires that people and processes be an integral part of threat hunting. That’s where CrowdStrike’s Falcon OverWatch comes in--with a team of live, trained threat hunting analysts whose job it is to alert you to advanced attack techniques that can go undetected by automated tools. In this review, SANS puts OverWatch through its paces to detect and alert on sophisticated attacks like credential theft, defense evasion and lateral movement, making it possible for on-premises security teams to respond to threats immediately.
JumpStart Guide to Investigations and Cloud Security Posture Management in AWS by Kyle Dickinson - November 8, 2019
- Associated Webcasts: JumpStart Guide to Security Investigations and Posture Management in Amazon Web Services
- Sponsored By: Barracuda Networks AWS Marketplace
Cloud security posture management ( CSPM) has gained popularity as organizations move to a cloud-first mentality. CSPM enables efficient investigations because it centralizes data sources that provide operational and security insight. When an organization moves to the cloud, the security team needs visibility into its AWS accounts, which can be a complex undertaking. This paper focuses on the tactics that can aid in an investigation.
How to Perform a Security Investigation in AWS A SANS Whitepaper by Kyle Dickinson - October 30, 2019
- Associated Webcasts: How to Perform a Security Investigation in AWS
- Sponsored By: AWS Marketplace
Because the technologies that enable investigations in the cloud differ from those on premises, as do the levels of responsibility, organizations need to put in place a cloud-specific incident response plan. By planning out how they will perform investigations using solutions such as AWS, organizations can validate that any obligations they may have as a security organization can be met as effectively in cloud environments as they did in-house.
Investigating Like Sherlock: A SANS Review of QRadar Advisor with Watson by Matt Bromiley - October 26, 2019
- Sponsored By: IBM
This paper reviews QRadar Advisor with Watson, a platform that combines IBM�s famous Watson with QRadar.
SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters by Mathias Fuchs and Joshua Lemon - October 25, 2019
- Associated Webcasts: SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters Threat Hunting for New and Experienced Hunters: Panel Discussion of the SANS 2019 Threat Hunting Survey
- Sponsored By: Sophos Inc. VMWare Carbon Black Anomali DomainTools ThreatConnect ThreatQuotient Authentic8 ExtraHop Lastline Verodin
Organizations just starting their threat hunting journey have different needs than those who are honing their skills and programs. The SANS 2019 Threat Hunting Survey looks at those differences and how they impact the priorities set by both types of organizations. The authors provide actionable advice to assist organizations as they grow their programs and improve their threat hunting abilities, whether they are new to threat hunting or are simply honing their processes.
What Security Practitioners Really Do When It Comes to Security Testing by Matt Bromiley - October 18, 2019
- Associated Webcasts: Are Your Security Controls Yesterday\'s News?
- Sponsored By: Cymulate
Given the number, criticality and potential damage of attacks, how can you better protect your organization against the latest threats? And with so many solutions in your arsenal, how can you ensure that security controls are integrated seamlessly to defend you in the moment of truth against attacks? This paper, which is a follow-up to "Are Your Security Controls Yesterday’s News?," addresses issues with security effectiveness testing and how to improve control validation to shorten testing cycles, accelerate remediation and improve your organization's security posture--faster. It presents the results of a recent SANS poll to provide insight into how organizations are testing for security effectiveness and how performance is actually being measured. The paper also provides specific steps to help you optimize security in a more proactive, continuous way.
How to Secure App Pipelines in AWS by Dave Shackleford - October 16, 2019
- Associated Webcasts: How to Secure App Pipelines in AWS
- Sponsored By: AWS Marketplace
We are seeing nothing less than an evolutionary shift as security infrastructure moves to software-defined models that improve speed and scale, and afford enterprise IT more agility and capabilities than ever before. Application development and deployment are driving this shift, and as the pace of development increases, organizations have a real need to ensure application security is embedded in all phases of the development and deployment life cycle, as well as in the cloud during operations.
How to Effectively Use Segmentation and Microsegmentation by Dave Shackleford - October 15, 2019
- Associated Webcasts: How to Effectively Use Segmentation and Microsegmentation
- Sponsored By: VMWare, Inc
In recent years, software-defined networking (SDN) has emerged as a significant technology to help improve network visibility, packet analysis and security functions. Unfortunately, not all segmentation models are equal when it comes to security. This whitepaper covers several different models of SDN and microsegmentation, and explores situations where security shortcomings are possible. Learn how to test your SDN platform to determine whether it can provide full coverage in detecting and preventing significant security incidents.
Red, Blue and Purple Teams: Combining Your Security Capabilities for the Best Outcome by Chris Dale - October 2, 2019
- Associated Webcasts: Red, Blue and Purple Teams: Combining Your Security Capabilities for the Best Outcome
- Sponsored By: Core Security Technologies
- Login
- Join SANS.org
ExtraHop Reveal(x) Expands Attack Investigations to Cover All Vectors by Dave Shackleford - September 30, 2019
- Associated Webcasts: ExtraHop Reveal(x) Expands Attack Investigations to Cover All Vectors
- Sponsored By: ExtraHop
- Login
- Join SANS.org
JumpStart Guide to Application Security in Amazon Web Services by Nathan Getty - September 27, 2019
- Associated Webcasts: Jumpstart Guide to Application Security in the Cloud
- Sponsored By: Fortinet, Inc. AWS Marketplace
This paper seeks to give you a better idea of what your organization needs to successfully plan and execute a secure application transition to, or deployment in, an AWS environment. Learn how security teams can best support application development teams, what options you have as a security professional for this support, and how best to guide your development teams as they transition workflows to AWS.
How to Build a Threat Detection Strategy in Amazon Web Services (AWS) by David Szili - September 10, 2019
- Associated Webcasts: How to Build a Threat Detection Strategy in AWS
- Sponsored By: AWS Marketplace
Threat detection and continuous security monitoring in the cloud must integrate traditional on-premises system monitoring with the cloud network infrastructure and cloud management plane. A successful, cloud-based threat detection strategy will collect data from systems, networks and the cloud environment in a central platform for analysis and alerting. This paper describes how to build a threat detection strategy that automates common tasks like data collection and analysis.
Success Patterns for Supply Chain Security by John Pescatore - September 9, 2019
- Associated Webcasts: Success Patterns for Supply Chain Security
- Sponsored By: Panorays Interos
Many CISOs report that supply chain security is one of their top challenges. Supply chain attacks are on the rise, and the high financial impact of these attacks has increased CEO, board of director, and regulatory/auditor attention to supply chain security. In this whitepaper, John Pescatore, SANS Director of Emerging Security Trends, provides recommendations and guidance in addressing these concerns.
Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities by Matt Bromiley - September 5, 2019
- Associated Webcasts: Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities
- Sponsored By: Fidelis Cybersecurity
In this final part of a two-part review, Matt Bromiley continues his review of the Fidelis Elevate platform, shifting focus to endpoint security. He examines how Fidelis Endpoint provides endpoint insight and response, highlighting capabilities such as behavioral monitoring and detections, enterprisewide threat hunting, and response automation, as well as ease of integration with Fidelis Elevate to bring networks and endpoints together. With this kind of holistic visibility, the job of securing modern enterprises becomes significantly easier and more achievable.
Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception by Matt Bromiley - September 5, 2019
- Associated Webcasts: Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception
- Sponsored By: Fidelis Cybersecurity
Security teams cannot defend complex networks without holistic, correlative insight into the environment. In this first part of a two-part review, Matt Bromiley reviews the Fidelis Elevate platform, with respect to its ability to provide insight into network traffic, threats and deception. Not only does the Fidelis platform allow for holistic visibility, but it also makes it easy for organizations to move toward threat hunting, shortening their time to detect and uncover intrusions.
JumpStart Guide for SIEM in AWS by J. Michael Butler - August 20, 2019
- Associated Webcasts: JumpStart Guide for Security Information and Event Management (SIEM) in AWS
- Sponsored By: Optiv AWS Marketplace
This paper explores the needs, implementation options, capabilities, and various considerations for organizations looking to implement SIEM/SOAR capabilities in Amazon Web Services (AWS). The paper compares the integration of SIEM and SOAR in the cloud environment to on-premises use. Suggestions for planning SIEM and SOAR integration into an AWS cloud environment also included.
Effectively Addressing Advanced Threats by Matt Bromiley - August 19, 2019
- Sponsored By: IBM Security
As security professionals well know, the wave of advanced threats never stops, and organizations are increasingly challenged in dealing with the onslaught. But not all threats are created equal. How do you identify the most critical and deal with those? In this survey, we asked the security community to share what advanced threats their organizations are facing and how they're allocating resources and technology.
Register now for the associated webcast at 1 p.m. Eastern on Wednesday September 25, 2019: https://register.gotowebinar.com/register/6150616769136423937
Better Security Using the People You Have by Matt Bromiley - August 13, 2019
- Associated Webcasts: Stop Letting Security Fail. Identify the True Problem
- Sponsored By: Endgame
Is your organization making optimal use of technology and processes to support the people you currently have? Because, if not, there is more work to do-and it doesn't involve hiring more people. This paper looks at the people, process and technology trifecta to identify weak points in your security. Compensate for deficiencies, maximize the resources you have, and prepare for future security threats. Get tips on how to empower your employees and help them grow their skills relative to the sophistication of today's security challenges.
Device Visibility and Control: Streamlining IT and OT Security with Forescout by Don Murdoch - August 12, 2019
- Associated Webcasts: Visibility for Incident Response: A Review of Forescout 8.1
- Sponsored By: Forescout Technologies BV
Forescout's latest iteration of its eponymous platform builds on the product's long-standing reputation for handling network admission controls, and adds multifaceted IT/OT network device visibility and control. In this review, SANS analyst and instructor Don Murdoch delves deep into how Forescout can help organizations gain greater visibility into the devices on the network, through device discovery, auto classification, risk assessment and automating security controls.
SANS 2019 Incident Response (IR) Survey: It's Time for a Change by Matt Bromiley - July 31, 2019
- Associated Webcasts: Integrated Incident Response: A SANS Survey Integrated Incident Response: A Panel Discussion about the SANS 2019 IR Survey
- Sponsored By: OpenText Inc. Unisys InfoBlox DomainTools DFLabs Swimlane ExtraHop King & Union
The 2019 SANS Incident Response (IR) survey provides insight into the integration of IR capabilities to identify weak spots and best practices for improving IR functions and capabilities. In this survey paper, senior SANS instructor and IR expert Matt Bromiley explores what types of data, tools and information are key to investigations of an incident; the state of budget and staffing for IR; maturity of IR processes; impediments to IR implementations and plans for improvement; and more. The report also includes actionable advice for improving organizational IR practices.
How to Protect Enterprise Systems with Cloud-Based Firewalls by Kevin Garvey - July 26, 2019
- Associated Webcasts: How to Protect Enterprise Systems with Cloud-Based Firewalls
- Sponsored By: AWS Marketplace
Deploying WAFs and firewalls in the cloud saves security teams valuable time as they rely on the cloud to automate many tasks. This paper identifies key considerations in using cloud-based firewalls to protect your enterprise, including network logging, IDS/IPS, authentication and inspection. This paper also covers advanced firewalls features like behavioral threat detection, next-gen analytics and customized rules. A comprehensive use case serves as an essential how-to for making it all work.
JumpStart Guide for Cloud-Based Firewalls in AWS by Brian Russell - July 24, 2019
- Associated Webcasts: JumpStart Guide to Cloud-Based Firewalls in AWS
- Sponsored By: Optiv AWS Marketplace
This guide examines options for implementing firewalls within the Amazon Web Services (AWS) Cloud. It examines the needs and capabilities associated with today�s firewall and threat prevention services and details general, technical and operational considerations when choosing these products. The guide concludes by examining AWS-specific considerations and recommending a plan of action for organizations considering the purchase of cloud-based firewalls.
Bye Bye Passwords: New Ways to Authenticate by Matt Bromiley - July 23, 2019
- Sponsored By: Microsoft
The "passwordless movement" is upon us! This paper addresses ways to change password handling and implement more secure authentication It examines the problem of passwords and password mismanagement, and provides tips and suggestions for increasing your organization's account security using modern industry standards.
Are Your Security Controls Yesterday's News? by Matt Bromiley - July 18, 2019
- Associated Webcasts: Are Your Security Controls Yesterday\'s News?
- Sponsored By: Cymulate
This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.

The second spotlight, "What Security Practitioners Really Do When It Comes to Security Testing," focuses on the input SANS received from a poll that gathered opinions from the SANS community on this topic
Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey by Chris Crowley and John Pescatore - July 9, 2019
- Associated Webcasts: Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey Common and Best Practices for Security Operations Centers: Panel Discussion
- Sponsored By: Anomali ThreatConnect CYBERBIT Commercial Solutions Siemplify DFLabs ExtraHop BTB Security CyberProof
In this survey, senior SANS instructor and course author Christopher Crowley, along with advisor and SANS director of emerging technologies John Pescatore, provide objective data to security leaders who are looking to establish a SOC or optimize an existing one. This report captures common and best practices, provides defendable metrics that can be used to justify SOC resources to management, and highlights the key areas that SOC managers should prioritize to increase the effectiveness and efficiency of security operations.
Why Traditional EDR Is Not Working - and What to Do About It by Jake Williams - June 27, 2019
- Associated Webcasts: Why Traditional EDR Is Not Working--and What to Do About It
- Sponsored By: Mcafee LLC
EDR, or endpoint detection and response, promises to revolutionize the way security analysts neutralize attacks. Unfortunately, EDR has not always lived up to the promised hype. This paper examines the challenges of traditional EDR platforms, and suggests what you can do to overcome them for effective EDR implementation. Paper includes a checklist of considerations for selecting and deploying an EDR platform.
How to Build an Endpoint Security Strategy in AWS by Thomas J. Banasik - June 27, 2019
- Associated Webcasts: How to Build an Endpoint Security Strategy in AWS
- Sponsored By: AWS Marketplace
Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.
Building and Maturing Your Threat Hunting Program by David Szili - June 24, 2019
- Associated Webcasts: Building and Maturing Your Threat Hunt Program
- Sponsored By: Cisco Systems
Building an effective threat hunting program can be daunting. This paper addresses how to get started and covers building a team, what a typical hunt might look like and constructing a knowledge base for later use. It also covers how to create a test lab and use effective metrics.
JumpStart Guide for Endpoint Security in AWS by David Hazar - June 19, 2019
- Associated Webcasts: JumpStart Guide for Endpoint Security in AWS
- Sponsored By: Optiv AWS Marketplace
Endpoint security is a key component of any cybersecurity program, but some organizations struggle with extending this program component to cloud workloads. This paper provides guidance on the key issues to consider when choosing an endpoint security solution for integration on the AWS platform and suggests a process for making that important decision.
How to Build a Data Security Strategy in AWS by Dave Shackleford - June 13, 2019
- Associated Webcasts: How to Build a Data Protection Strategy in AWS
- Sponsored By: AWS Marketplace
When organizations move sensitive data to the cloud, they absolutely must choose a provider that can ensure compliance with privacy regulations on a global stage. Data security strategies in the cloud must include encryption and key management, data loss prevention and the capability to classify and track data. By using the AWS Cloud, organizations can protect sensitive data at rest, in transit and in use.
Authentication: It Is All About the User Experience by Matt Bromiley - June 12, 2019
- Associated Webcasts: Authentication: It Is All About the User Experience
- Sponsored By: Yubico
In a world where compromised user credentials can cost an enterprise millions of dollars, the importance of being able to validate user accounts is a crucial enterprise requirement. Yet implementation of modern authentication techniques is lagging, even though it provides better user experiences as well as stronger authentication. This paper examines how these techniques can be applied within your organization for your employees--the other custodians of your data. It also explores the benefits of the new WebAuthn specification.
SANS 2019 State of OT/ICS Cybersecurity Survey by Barbara Filkins and Doug Wylie - June 11, 2019
- Associated Webcasts: SANS 2019 State of OT/ICS Cybersecurity Survey Converging OT and IT Networks: Where and How to Evolve ICS for Security
- Sponsored By: Forescout Technologies BV Cisco Systems Inc. Yokogawa Corporation of America Nozomi Networks Radiflow Owl Cyber Defense
In this survey, SANS experts Doug Wylie and Barb Filkins, with advisor and SANS instructor Jason Dely, examine the current state of known and perceived cybersecurity risks, threats and potential impacts to industrial and automation control systems that are applied within the Operational Technology (OT) domain. The survey explores how adeptly we are safeguarding operations and protecting human and company capital from a range of technical and non-technical cybersecurity risks that stem from threats that include malicious and unintentional insiders and outsiders. View the associated infographic here.
Passive Isn't Good Enough: Moving into Active EDR by Justin Henderson - May 17, 2019
- Associated Webcasts: Passive Isn\'t Good Enough: Moving into Active EDR
- Sponsored By: SentinelOne
Endpoint detection and response (EDR) technologies focus on identifying anomalous activity at scale, but are often constrained by delayed analyses. Endpoint protection platforms (EPP) can manage aspects of endpoint security, but often lack enterprise class detection and reporting capabilities. Which leads us to the most recent addition to the endpoint protection arsenal--active endpoint detection and response, which boasts real-time analysis capabilities as compared to traditional passive EDR.
How to Protect a Modern Web Application in AWS by Shaun McCullough - May 9, 2019
- Sponsored By: AWS Marketplace
In moving assets to the cloud, organizations need to prioritize their security plans based on the risks to which they are exposed. With threat modeling, organizations can identify and prioritize the risks to infrastructure, applications and the services they provide, as well as evaluate how to manage those risks over time. This paper includes use cases for threat modeling web apps and the DevSecOps platform, using a process that is both repeatable and improvable.
SANS 2019 Cloud Security Survey by Dave Shackleford - April 30, 2019
- Associated Webcasts: The State of Cloud Security: Results of the SANS 2019 Cloud Security Survey The State of Cloud Security: Panel Discussion
- Sponsored By: Sophos Inc. ExtraHop Sysdig
This whitepaper delves into the results of the SANS 2019 Cloud Security Survey, conducted in cooperation with the Cloud Security Alliance, concerning organizations' use of the public cloud and provides actionable advice organizations can use to improve their cloud security. It answers questions including, "Are security infrastructures maturing to support the business and improve risk management in the cloud model?" and "How are organizations using the public cloud to meet their business needs?"
Increasing Visibility with Ixia's Vision ONE by Serge Borso - April 23, 2019
- Associated Webcasts: Increasing Visibility with Ixia\'s Vision ONE
- Sponsored By: Ixia
Visibility into network structures and endpoints is vital to security and intelligence operations. Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. The SANS review of the Vision ONE platform examines how it provides enhanced, more efficient security through packet brokers and actionable information at the application level. We also consider how Vision ONE can help reduce operational costs. | Visibility into network structures and endpoints is vital to security and intelligence operations. Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. The SANS review of the Vision ONE platform examines how it provides enhanced, more efficient security through packet brokers and actionable information at the application level. We also consider how Vision ONE can help reduce operational costs.
Why Your Vulnerability Management Strategy Is Not Working - and What to Do About It by Jake Williams - April 23, 2019
- Associated Webcasts: Why Your Vulnerability Management Strategy Is Not Working � and What to Do About It
- Sponsored By: Lookingglass Cyber Solutions, Inc.
This paper looks at why vulnerability management solutions have not met expectations and how IT and security teams can better implement those solutions to maximize value. It also addresses how to deal with the resourcing constraints that all vulnerability management programs encounter.
Thinking like a Hunter: Implementing a Threat Hunting Program by Matt Bromiley - April 21, 2019
- Sponsored By: IBM
A successful threat hunting program should identify previously unknown or ongoing threats within the environment and facilitate a deeper understanding of the organization's technical landscape. This paper focuses on bridging the gap between those two objectives and discusses the whats, whys and hows of threat hunting. The paper presents techniques that can be immediately applied to your environment to help you either build a new hunt team or hone your existing one.
SANS Top New Attacks and Threat Report by John Pescatore - April 18, 2019
- Associated Webcasts: SANS Top New Attacks and Threat Report
- Sponsored By: Unisys InfoBlox Veracode Anomali DomainTools
Each year, the annual RSA Conference features top SANS instructors presenting their look at the new attack techniques currently in use and their projections for future exploits. This whitepaper captures highlights from this year's fast-paced and informative panel discussion, including insight into overall cybersecurity trends on both the offensive and defensive sides as well as advice from SANS on the steps enterprises must take to meet future risks.
How to Build a Security Visibility Strategy in the Cloud by Dave Shackleford - April 17, 2019
- Associated Webcasts: How to Build a Security Visibility Strategy in the Cloud
- Sponsored By: AWS Marketplace
The security of cloud-based assets requires visibility into the events and behaviors that move into and through the cloud environment, a strategy that differs from traditional security visibility. This paper describes controls that can be used to ensure network, application, instance/container, database/storage and control plane visibility, and explains how to create a strategy that ties event monitoring, vulnerability scanning and control planes together to enhance visibility.
SANS Vulnerability Management Survey by Andrew Laman - April 8, 2019
- Associated Webcasts: Current State of Vulnerability Management: Part 1 of the SANS Vulnerability Management Survey Results Vulnerability Practices of Tomorrow: Part 2 of the SANS Vulnerability Management Survey Results
- Sponsored By: Tenable Veracode Bromium Balbix
More and more organizations are finding that they need more than scanning results to manage their vulnerabilities effectively. This SANS survey investigates how organizations are managing vulnerabilities across their endpoints, applications, cloud services and business partners, while providing insights about survey results related to risk-based vulnerability management practices, management of cloud-based vulnerabilities and more.
The Foundation of Continuous Host Monitoring by Matt Bromiley - April 2, 2019
- Associated Webcasts: The Foundation of Continuous Host Monitoring
- Sponsored By: OpenText Inc.
Without the right architecture, continuous monitoring can cause more headaches than it cures. This paper examines some of the difficulties organizations face when trying to improperly scale forensic tools and/or concepts, and provides guidance on architectural decisions to help improve continuous monitoring implementations.
How to Automate Compliance and Risk Management for Cloud Workloads by Matt Bromiley - March 27, 2019
- Associated Webcasts: How to Automate Compliance and Risk Management for Cloud Workloads
- Sponsored By: AWS Marketplace
As organizations experience growth and network expansion, their decisions impact the safety and integrity of their data. Organizations that are moving to the cloud must balance the benefits of cloud services with compliance, while also managing risk. Because migrating data to the cloud does not remove the need for compliance, organizations need to focus on compliance from the start and create a strategy that automates compliance and risk management using native and cloud security controls.
Taming the Endpoint Chaos Within: A Review of Panda Security Adaptive Defense 360 by Justin Henderson - March 26, 2019
- Associated Webcasts: Taming the Endpoint Chaos Within: A Review of Panda Security Adaptive Defense 360
- Sponsored By: Panda Security
Endpoint security requires a solution that scales, is easy to maintain and provides a comprehensive integration into the endpoint itself. This review of Panda Security Adaptive Defense 360 details how the endpoint platform prevents malicious executables, automates complex tasks and provides scalability. Panda Security's EDR approach applies prevention controls in combination with detective controls, and allows security teams to deploy preventive technologies while retaining insight into environments.
Security Gets Smart with AI by G.W. Ray Davidson and Barbara Filkins - March 23, 2019
- Associated Webcasts: Security Gets Smart with AI: A SANS Survey
- Sponsored By: Cylance
This SANS survey, directed at cybersecurity professionals who use or are interested in AI, examines perceptions about AI's basic capabilities for security and what technologies--including deep learning, various recognition techniques, machine learning and others--are considered part of AI for security. The survey also examines whether, how and when security experts will begin implementing AI for security and how they intend to use it.
Empowering Incident Response via Automation by Matt Bromiley - March 20, 2019
- Associated Webcasts: Empowering Incident Response via Automation
- Sponsored By: Cisco Systems
This paper examines where incident response automation can be used to empower your teams and bring their level of productivity and investigations to never-before-seen heights. Your analysts should be focused on solving the problems that require human intervention, not tripped up by technical hurdles that a computer could easily solve.
2019 SANS Automation and Integration Survey by Barbara Filkins - March 15, 2019
- Associated Webcasts: The State of Automation/Integration Practice: Part 1 of the SANS Automation and Integration Survey What\'s Next in Automation Support: Part 2 of the SANS Automation and Integration Survey
- Sponsored By: Mcafee LLC LogRhythm ThreatConnect D3 Security Swimlane
With an ever-evolving threat landscape, security and risk management leaders must consider what security automation and integration can do to improve the efficiency, quality and efficacy of security operations. Our 2019 survey explores how respondents characterize their efforts and challenges with security automation, integration and workflow orchestration, and includes actionable advice for achieving the benefits of security automation.
Securing Your Endpoints with Carbon Black: A SANS Review of the CB Predictive Security Cloud Platform by Dave Shackleford - March 14, 2019
- Associated Webcasts: Securing Your Endpoints with Carbon Black: A SANS Review of the CB Predictive Security Cloud Platform
- Sponsored By: Carbon Black
Endpoint security remains a top security priority for most organizations. SANS reviews the CB Predictive Security Cloud (PSC), which focuses on securing endpoints by using a single lightweight agent that provides security professionals with actionable insights about cyberattacks. It uses behavioral analytics and big data in the cloud to prevent emerging threats; helps with vulnerability assessment and compliance reporting; and assists in threat hunting and incident response.
Maximizing SOC Effectiveness and Efficiency with Integrated Operations and Defense by John Pescatore - March 12, 2019
- Associated Webcasts: Maximizing SOC Effectiveness and Efficiency with Integrated Operations and Defense
- Sponsored By: NETSCOUT Systems, Inc.
John Pescatore of the SANS Institute leads a discussion on how to overcome the most commonly cited barriers to improving security operations. Gain perspective on integrating processes and controls used by networks operations with those used for security operations; using timely, accurate threat intelligence to proactively tune detection and protection controls; and assuring that defenses can withstand complex, multi-pronged attacks both today and in the future.
Taking SIEM to the Cloud: A SANS Review of Securonix Next-Gen SIEM v6.1 by Dave Shackleford - March 1, 2019
- Associated Webcasts: Taking SIEM to the Cloud: A SANS Review of Securonix Next-Gen SIEM
- Sponsored By: Securonix
The SANS Analyst team reviewed Securonix Next-Gen SIEM, which includes many advanced features for reducing detection and response time for security operations and investigations, and processing large quantities of data from numerous sources in real time.
Understanding the Adversary with Deception Technology by Matt Bromiley - February 26, 2019
- Associated Webcasts: Improving Detection and Understanding the Adversary with Deception Technology
- Sponsored By: TrapX Security
Organizations are having great difficulties properly remediating incidents and eradicating attackers from their environment. This paper examines some of the challenges facing organizations in understanding the adversary, and presents some of the latest deception techniques that can be used to identify attacker activity (both known and unknown).
How to Optimize Security Operations in the Cloud Through the Lens of the NIST Framework by John Pescatore - February 25, 2019
- Associated Webcasts: Prioritizing Security Operations in the Cloud through the Lens of the NIST Framework
- Sponsored By: AWS Marketplace
Security teams today face the mandate of moving production workloads from on-premises to the cloud. By using the NIST Cybersecurity Framework (CSF), teams can effectively and efficiently build in security as part of the migration of operations activities to IaaS services and hybrid cloud implementations. This paper shares proven best practices for evaluating and implementing security architectures, processes and controls while developing an approach to migration that is repeatable.
The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey by Rebekah Brown and Robert M. Lee - February 4, 2019
- Associated Webcasts: CTI Requirements and Inhibitors: Part 1 of the 2019 SANS Cyber Threat Intelligence Survey CTI Tools, Usage and a Look Ahead: Part 2 of the 2019 SANS Cyber Threat Intelligence Survey
- Sponsored By: Anomali DomainTools RecordedFuture ThreatQuotient IntSights
In order to use cyber threat intelligence (CTI) effectively, organizations must know what intelligence to apply and where to get that intelligence. This paper delves into the results of the SANS 2019 Cyber Threat Intelligence Survey and explores the value of CTI, CTI requirements, how respondents are currently using CTI--and what the future holds.
Enterprise Security with a Fluid Perimeter by Matt Bromiley - January 22, 2019
- Associated Webcasts: Enterprise Security with a Fluid Perimeter
- Sponsored By: Aruba Networks
Between BYOD, the cloud, third-party providers and a fluctuating mobile workforce, it is growing more difficult to maintain a rigid security policy. This paper examines critical techniques to addressing this issue, including the role of baselining, integrating and automating response, and defending against attacks more quickly--as well as specific action items for better protection.
Evolving Micro-Segmentation for Preventive Security: Adaptive Protection in a DevOps World by Dave Shackleford - January 7, 2019
- Associated Webcasts: Defeating Attackers with Preventive Security
- Sponsored By: VMWare, Inc
This paper looks at micro-segmentation as a new way to approach network security. The paper proposes ways to implement effective cyber hygiene, examines the role of automation, and explores ways to add security to workflows.
Defend Your Business Against Phishing by Matt Bromiley - January 4, 2019
- Sponsored By: Microsoft
Phishing is an ever-evolving and pervasive method of attack against small- and medium-sized businesses (SMBs). Don't let your business be an easy target! After walking you through the phishing techniques that attackers commonly use, Matt Bromiley shares proven strategies and specific, actionable steps you can take today to reduce your risk. No matter your budget or level of expertise, you can defend against phishing attacks.
Defend Your Business Against Insider Threats by Matt Bromiley - January 4, 2019
- Sponsored By: Microsoft
Your business faces a security risk that may not even be on your radar. Looming from within are insider threats, which pose a significant risk to small- and medium-sized businesses (SMBs). Matt Bromiley breaks down the two types of insider threats and provides specific, actionable steps and user education tips you can implement today to protect and defend your business against threats from the inside.
Protecting Data To, From and In the Cloud by Dave Shackleford - December 11, 2018
- Sponsored By: Symantec
Attackers have adapted their strategies to the cloud and will likely continue to focus on this threat surface. In this spotlight paper, SANS offers some guidance and recommendations for improving cloud service visibility, data protection, threat protection, access control and reporting.
Automating Detection and Response: A SANS Review of Swimlane by Alissa Torres - December 11, 2018
- Associated Webcasts: Efficient Alert Processing and Response: A SANS Review of Swimlane
- Sponsored By: Swimlane
This paper highlights the best-in-breed features of Swimlane: its ease of use, customizability, role-based access control and current technology integrations. We put Swimlane through its paces in a triage of a typical phishing email, applying the concept of componential workflow automation.
An Evaluator's Guide to NextGen SIEM by Barbara Filkins - December 6, 2018
- Associated Webcasts: An Evaluator\'s Guide to Next-Generation SIEM
- Sponsored By: LogRhythm
A traditional SIEM often lacks the capability to produce actionable information and has a limited shelf life. To be effective, a SIEM must stay relevant in the face of new threats and changes in an organizations technical and support infrastructures. Learn about the key questions to ask as you research adding a next-generation SIEM, one that captures data and generates information that security teams can use as intelligence to detect potentially malicious activity.
Integrating Threat Intelligence into Endpoint Security: A Review of CrowdStrike Falcon X by Dave Shackleford - November 26, 2018
- Associated Webcasts: Threat Intelligence and Protecting Your Endpoints: A SANS Review of the CrowdStrike Falcon X Platform
- Sponsored By: CrowdStrike, Inc.
While threat intelligence can transform an organization's security posture, it can be complex and costly for organizations to adopt and operationalize. With that in mind, SANS Analyst Dave Shackleford tested CrowdStrike Falcon X, which purportedly enables cybersecurity teams to automatically analyze malware found on endpoints, find related threats and enrich the results with customized threat intelligence. This review encapsulates his findings, and details how the solution can help SOC teams.
2018 Secure DevOps: Fact or Fiction? by Jim Bird and Barbara Filkins - November 5, 2018
- Associated Webcasts: Secure DevOps: Fact or Fiction? SANS Survey Looks at Reality, Part I Secure DevOps: Fact or Fiction? SANS Survey Looks at Reality, Part II
- Sponsored By: Qualys WhiteHat Security Rapid7 Inc. Veracode Aqua Security Inc. Signal Sciences
A new SANS survey indicates that fewer than half (46%) of survey respondents are confronting security risks up front in requirements and service design in 2018--and only half of respondents are fixing major vulnerabilities. This report chronicles how security practitioners are managing the collaborative, agile nature of DevOps and weave it seamlessly into the development process.
Network Architecture with Security in Mind by Matt Bromiley - November 2, 2018
- Associated Webcasts: Network Architecture with Security in Mind
- Sponsored By: Gigamon
This paper looks at how efficient and security-minded network routing and security tool utilization can shorten detection and response times.
It's Awfully Noisy Out There: Results of the 2018 SANS Incident Response Survey by Matt Bromiley - October 30, 2018
- Associated Webcasts: Improving the Incident Response Function: SANS 2018 Incident Response Survey Results Part II How Are You Responding to Threats? SANS 2018 Incident Response Survey Results Part I
- Sponsored By: Forescout Technologies BV Coalfire Systems OpenText Inc. Fidelis Security Systems, Inc. ThreatQuotient 1E
A new SANS survey finds that incident response (IR) teams are stanching serious data breaches faster in 2018--but they haven't managed to improve on a major hurdle that they reported in 2017: visibility into incidents. This report explores how organizations have structured their incident response functions, what systems they are conducting investigations on, and how they're uncovering threats.
The Algorithm of You: Defeating Attackers by Being Yourself by Matt Bromiley - October 17, 2018
- Associated Webcasts: The Algorithm of You: Defeating Attackers by Being Yourself
- Sponsored By: BehavioSec
Yesterday's defense mechanisms--such as tokens, one-time passwords and even fingerprint readers--are not adequately protecting our devices, data and networks. SANS author and DFIR expert Matt Bromiley examined a relatively new authentication method, behavioral biometrics, as implemented in a product from BehavioSec. This SANS Product Review chronicles Matts experience as he put BehavioSec's product through the paces, and it explores what behavioral biometrics is, how it works and the role it plays in authentication.
Investigate East-West Attacks on Critical Assets with Network Traffic Analysis by Dave Shackleford - October 3, 2018
- Associated Webcasts: Investigate East-West Attack Activities to Defend Critical Assets: A SANS Review of ExtraHop Reveal(x)
- Sponsored By: ExtraHop
Once attackers compromise a network, they attempt to maintain a persistent presence in the network and focus on data access and exfiltration. Such east-west attacks can be challenging to detect and remediate. SANS reviewed ExtraHop Networks Reveal(x) network traffic analysis platform, which aims to address the east-west challenge. Read on to learn more.
Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged - Discover and Defend Your Assets by Doug Wylie and Dean Parsons - September 26, 2018
- Associated Webcasts: Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged--Discover and Defend Your Assets
- Sponsored By: Tenable
The benefits derived from information technology (IT) and operational technology (OT) convergence are enabling more effective management of contemporary control systems. However, the unique challenges of IT/OT convergence make managing and securing an industrial control system (ICS) more difficult. This paper explores how industrial and information system administrators can build stronger cybersecurity programs to protect IT/OT systems.
Automating Open Source Security: A SANS Review of WhiteSource by Serge Borso - September 25, 2018
- Associated Webcasts: Automating Open Source Security: A SANS Review of WhiteSource
- Sponsored By: WhiteSource
This paper takes a close look at how the WhiteSource solution can handle the myriad of open source vulnerabilities through real-time detection and remediation.
SANS 2018 Threat Hunting Survey Results by Robert M. Lee and Rob T. Lee - September 18, 2018
- Associated Webcasts: Threat Hunting Is a Process, Not a Thing: SANS 2018 Survey Results, Part I Threat Hunting in Action: SANS 2018 Survey Results, Part II
- Sponsored By: Qualys IBM RiskIQ Anomali DomainTools Malwarebytes
Our third survey on threat hunting looks at the maturity of hunting programs and where they are going, along with best practices being used in organizations to detect and remediate threats that would otherwise remain hidden. Read this report to learn how survey respondents answered questions that are immediately important to organizations conducting threat hunting.
Essential Requirements for Cloud-Based Endpoint Security by Barbara Filkins - September 11, 2018
- Sponsored By: Carbon Black
Next-generation endpoint security (NGES) strives to combine prevention, detection, response and IT operations into a single platform, allowing for the consolidation of the endpoint footprint while substantially increasing endpoint protection. For those ready to replace their traditional antivirus with NGES, SANS has developed this evaluation guide for assessing NGES tools against your organization's requirements before making capital investments in NGES.
Breach Avoidance: It Can Be Done, It Needs to Be Done by John Pescatore - September 10, 2018
- Associated Webcasts: Breach Avoidance: Yes, You Can!
- Sponsored By: Balbix
Almost every day it seems like the press is reporting on yet another security breach. Some breaches expose sensitive business and customer information, while others bring down business operations. But breaches are not inevitable. By implementing security processes and controls to proactively identify and remove or mitigate vulnerabilities, today�s companies, even those with limited staff and budgets, can avoid or limit business damage by prioritizing security efforts.
The Need for Speed: Integrated Threat Response A SANS Whitepaper by Matt Bromiley - September 10, 2018
- Associated Webcasts: The Need for Speed: Integrated Threat Response
- Sponsored By: Lookingglass Cyber Solutions, Inc.
This paper addresses the concepts of security automation and integration and provides recommendations on how to use technology to make your team faster and more efficient. It not only emphasizes the need for security automation and integration, but also shows how they are enhancements to, rather than replacements for, a security program.
Stronger Security with Global IT Asset Inventory by Matt Bromiley - August 29, 2018
- Associated Webcasts: Stronger Security with Global IT Asset Inventory Stronger Security with Global IT Asset Inventory
- Sponsored By: Qualys
You must secure what you cannot see. But how? Take the first step: Recognize the various pieces. Then you'll see how IT asset inventory can, and should be, one of the most useful tools for the security team in identifying and addressing security concerns.
The Definition of SOC-cess? SANS 2018 Security Operations Center Survey by Christopher Crowley and John Pescatore - August 13, 2018
- Associated Webcasts: No Single Definition of a SOC: Part I of the SANS 2018 SOC Survey Results Webcast SOC Capabilities and Usefulness: Part II of the SANS SOC Survey Results Webcast SOC Capabilities and Usefulness: Part II of the SANS SOC Survey Results Webcast No Single Definition of a SOC: Part I of the SANS 2018 SOC Survey Results Webcast
- Sponsored By: LogRhythm CYBERBIT Commercial Solutions Authentic8 DFLabs Awake Security ExtraHop
Although SOCs are maturing, staffing and retention issues continue to vex critical SOC support functions. In this paper, learn how respondents to our 2018 SOC survey are staffing their SOCs, the value of cloud-based services to augment staff and technology, and respondents' level of satisfaction with the architectures they've deployed.
Understanding the (True) Cost of Endpoint Management by Matt Bromiley - July 30, 2018
- Associated Webcasts: Understanding the True Cost of Endpoint Management
- Sponsored By: IBM
In this paper, we review the challenges in dealing with complex, ever-changing environments and offer suggestions and recommendations in effective endpoint management. Additionally, we discuss enterprise security as it relates to endpoint management and examine the benefits of integrating endpoint management into your security posture.
How Visibility of the Attack Surface Minimizes Risk by Dave Shackleford - July 30, 2018
- Associated Webcasts: How Visibility of the Attack Surface Minimizes Risk
- Sponsored By: Skybox Security, Inc.
To understand risks and control the attack surface, you need visibility. But what is visibility and why is it critical? And how do you get it? This paper will help you define visibility for effective security and understand why visibility it is key to determining your exposure and potential vulnerabilities.
A Guide to Managing Cloud Security by Dave Shackleford - July 25, 2018
- Associated Webcasts: Managing Cloud Security
- Sponsored By: Tenable
While many of the core concepts of vulnerability and threat management remain the same in the world of cloud deployments, we need to adapt our thinking to operate in a hybrid or public cloud deployment model. This paper will help you evaluate cloud vulnerabilities and threat management, and protect your data and assets in a dynamic cloud infrastructure.
AI Hunting with the Cybereason Platform: A SANS Review by Dave Shackleford - July 23, 2018
- Associated Webcasts: Single-Agent Cyber Security Analytics: A SANS Review of the Cybereason Platform
SANS reviewed Cybereason's AI hunting platform, which offers a lightweight, behavior-focused model of host-based protection that can help intrusion analysis and investigations teams more rapidly and efficiently prevent, detect and analyze malicious behavior in their environments.
The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns by Barbara Filkins - July 18, 2018
- Associated Webcasts: The State of Industrial IoT
- Sponsored By: Forescout Technologies BV Accenture Indegy
IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be for those used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices controlling operations and processes. Read on to learn more.
One-Click Forensic Analysis: A SANS Review of EnCase Forensic by Jake Williams - June 27, 2018
- Associated Webcasts: EnCase Forensic 8: A SANS Analyst Program Review
- Sponsored By: OpenText Inc.
When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data in a more efficient manner. Learn more in this product review of EnCase Forensic 8.
Cloud Security: Are You Ready? by Dave Shackleford - June 18, 2018
- Sponsored By: Symantec
As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.
Stopping IoT-based Attacks on Enterprise Networks by G. W. Ray Davidson - June 14, 2018
- Associated Webcasts: Stopping IoT-based Attacks on Enterprise Networks
- Sponsored By: Hewlett Packard
The increased use of IoT devices on business networks presents an growing challenge to security, and printers are an especially overlooked device from a security perspective. This paper examines specific attack areas for IoT devices, particularly printers, including data, management, monitoring and reporting, and make recommendations for protecting against various attacks.
Endpoint Protection and Response: A SANS Survey by Lee Neely - June 12, 2018
- Associated Webcasts: It Starts With The Endpoint: Part 1 of the SANS 2018 Endpoint Security Survey Results Endpoint Detection and Response: Part 2 of the SANS 2018 Endpoint Security Survey Results
- Sponsored By: Forescout Technologies BV Mcafee LLC OpenText Inc. CrowdStrike, Inc. VMWare Carbon Black Endgame Malwarebytes
Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.
Back to Basics: Building a Foundation for Cyber Integrity by Barbara Filkins - June 6, 2018
- Sponsored By: Tripwire, Inc.
File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity--the state of the infrastructure (encompassing applications, endpoints and networks) where intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.
Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform by Ahmed Tantawy - May 10, 2018
- Associated Webcasts: Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness
- Sponsored By: RSA
In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.
10 Endpoint Security Problems Solved by the Cloud by Deb Radcliff - May 4, 2018
- Sponsored By: Carbon Black
SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how cloud can help address these issues.
Tailoring Intelligence for Automated Response by Sonny Sarai - May 2, 2018
- Associated Webcasts: Tailored Intelligence for Automated Remediation: SANS Review of IntSights\' Enterprise Intelligence and Mitigation Platform
- Sponsored By: IntSights
Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes -- but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.
Back to Basics: Focus on the First Six CIS Critical Security Controls by John Pescatore - May 1, 2018
- Sponsored By: Tripwire, Inc.
Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.
Security Testing and Vendor Selection with BreakingPoint by Serge Borso - April 30, 2018
- Associated Webcasts: BreakingPoint: A Multi-Function Tool for Application and Security Testing
- Sponsored By: Ixia
In this product review conducted by SANS instructor Serge Borso, we learned that BreakingPoint is more than just a network testing tool. BreakingPoint provides a unique solution that enables security assessment, vendor selection and change management. It integrates well and is easy to use. We believe the tool has great value to the security community and specifically larger enterprises in the midst of infrastructure updates and those optimizing information security programs.
Securing the Hybrid Cloud: Traditional vs. New Tools and Strategies A SANS Whitepaper by Dave Shackleford - April 2, 2018
- Associated Webcasts: Securing the Hybrid Cloud: A Guide to Using Security Controls, Tools and Automation
- Sponsored By: Qualys
This paper takes a look at the current state of cloud security and offers specific recommendations for security best practices, including how to use some traditional security tools and emerging solutions, while taking into account typical staffing, technology and other resource issues.
An Evaluator�s Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus by Barbara Filkins - March 26, 2018
- Associated Webcasts: Moving Endpoint Security to the Cloud: Replacing Traditional Antivirus
- Sponsored By: VMWare Carbon Black
The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.
Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform by Dave Shackleford - March 20, 2018
- Associated Webcasts: Stop Really Nasty Malware, Pre- and Post-Execution: A SANS Review of the enSilo Endpoint Security Platform
- Sponsored By: Ensilo
Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered self-defending security solution--agnostic to operating systems, mitigating malware in real-time, enabling pre- and post-execution--is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate burden on security staff.
Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security by Jake Williams - March 15, 2018
- Associated Webcasts: Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security 6
- Sponsored By: OpenText Inc.
With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.
VMRay Analyzer: Rapid Malware Analysis for Incident Response (IR) Teams by Matt Bromiley - March 12, 2018
- Associated Webcasts: VMRay Analyzer, agentless malware analysis and rapid incident response: A SANS Product Review
- Sponsored By: VMRay
In our hands-on testing, we found that VMRay Analyzer's agentless approach to malware analysis is an effective way to provide rapid incident response. VMRay bridges the gap between an easy-to-use interface and back-end technology that provides a novel platform for analyzing advanced threats.
Managing User Risk: A Review of LogRhythm CloudAI for User and Entity Behavior Analytics by Dave Shackleford - February 26, 2018
- Associated Webcasts: Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics
- Sponsored By: LogRhythm
In this product review, we explored the recently released LogRhythm CloudAI, which applies user and entity behaviour analytics (UEBA) capabilities to enhance traditional event management and security analytics toolsets to monitor behaviors tracked over time, alerting analysts to unusual events or patterns of events.
Immutability Disrupts the Linux Kill Chain by Hal Pomeranz - February 20, 2018
- Sponsored By: Immutable Systems
New exploits aimed at Linux systems are able to succeed by achieving root access to the OS. But what if you could lock down the OS and enforce security policies from outside of it? This Spotlight Paper explores the concept of �immutability� as a way of interdicting the Linux kill chain.
CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey by Dave Shackleford - February 5, 2018
- Associated Webcasts: Cyber Threat Intelligence Today: SANS CTI Survey Results, Part 1 Cyber Threat Intelligence Skills and Usefulness: SANS CTI Survey Results, Part 2
- Sponsored By: Rapid7 Inc. Anomali DomainTools ThreatConnect IntSights
The survey focuses on how organizations could collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise scenarios in a timely manner. Although some CTI trends continued this year, we definitely saw several differences in a number of areas, which are noted in the research. From this year's results, it is obvious that CTI collection, integration and use within security teams are maturing.
DNS: An Asset, Not a Liability by Matt Bromiley - January 30, 2018
- Associated Webcasts: DNS: An Asset, Not a Liability
- Sponsored By: InfoBlox
The Domain Name System, or DNS, is crucial to billions of Internet users daily, but it comes with issues that organizations must be aware of. Attackers are abusing DNS to conduct attacks that bring businesses to their knees. Fortunately, with the right detection and analysis mechanisms in place, security teams can turn DNS vulnerabilities into enterprise assets.
Building the New Network Security Architecture for the Future by Sonny Sarai - January 22, 2018
- Associated Webcasts: In a Perfect World...Building the Network Security Architecture for the Future
- Sponsored By: NETSCOUT Systems, Inc.
With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.
SOC Automation-Deliverance or Disaster by Eric Cole, PhD - December 11, 2017
- Sponsored By: DFLabs
Learn how to strike a balance between security alerts that can be automated with minimal impact and the higher-risk alerts that need to be handled by analysts.
Security and Operations - An Overlooked But Necessary Partnership by Sonny Sarai - December 4, 2017
- Associated Webcasts: Security and Ops Hacks
- Sponsored By: Rapid7 Inc.
This paper explores ways to foster cooperation between Security and Operations groups for better visibility into threats and threat pathways, while improving overall protection and network hygiene.
Minerva Labs: Using Anti-Evasion to Block the Stealth Attacks Other Defenses Miss by Eric Cole, PhD - December 4, 2017
- Associated Webcasts: Using Anti-Evasion to Block Stealth Attacks with Minerva Labs
- Sponsored By: Minerva Labs
Attackers routinely use evasion to evade baseline anti-malware tools and ultimately compromise endpoints. How can enterprises prevent such intrusions without relying on after-the-fact detection? This paper explores a unique approach to preventing evasive malware from infecting endpoints, using Minerva's Anti-Evasion Platform to automatically block threats without ever scanning files or processes. SANS Reviewer Eric Cole, PhD, shares his findings regarding the ability of Minerva's Anti-Evasion Platform to block such evasive threats.
Updated: Out with the Old, In with the New: Replacing Traditional Antivirus by Barbara Filkins - December 1, 2017
- Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
- Sponsored By: VMWare Carbon Black
This updated version of the 2016 paper that included the SANS guide to evaluating next-generation antivirus provides the background information organizations need to assist them in their efforts to procure next-generation antivirus. Review this document to establish your overall road map and help resolve any questions you may have on the procurement process after reading the companion piece: "SANS Step-by-Step Guide for Procuring Next-Generation Antivirus".
Step by Step Guide for Procuring Next-Generation Antivirus by Barbara Filkins - November 30, 2017
- Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
- Sponsored By: VMWare Carbon Black
This document outlines a procurement process you can use and customize when upgrading to NGAV. The key steps to successful procurement do not change and should apply to any NGAV procurement project.
NGAV RFP by Barbara Filkins - November 30, 2017
- Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
- Sponsored By: VMWare Carbon Black
This document is a standalone RFP for selecting a next-generation antivirus (NGAV) solution. For more information on how to procure NGAV, be sure to access the Step by Step Guide for Procuring Next-Generation Antivirus.
NGAV RFP Evaluation Master Template by Barbara Filkins - November 30, 2017
- Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
- Sponsored By: VMWare Carbon Black
Click on the link in this file to access the Excel spreadsheet designed to help you compare the vendors from whom you have collected RFP information.
Cloud Security: Defense in Detail if Not in Depth by Dave Shackleford - October 31, 2017
- Associated Webcasts: Cloud Security: Defense in Detail if Not in Depth. Part 1: Using Cloud Services to Address the Cloud Threat Environment Cloud Security: Defense in Detail if Not in Depth. Part 2: Changes Make the Cloud More Secure, but Is InfoSec Changing Even More? Cloud Security: Defense in Detail if Not in Depth. Part 1: Using Cloud Services to Address the Cloud Threat Environment
- Sponsored By: Qualys Mcafee LLC BMC Software, Inc. Forcepoint LLC
Survey respondents feel that they lack visibility, auditability and effective controls to monitor everything that goes on in their public clouds. We are, however, seeing increased use of security controls within cloud provider environments and wider use of security-as-a-service (SecaaS) solutions to achieve in-house and external security and compliance requirements. Related findings and best practices are discussed in the following report.
Closing the Skills Gap with Analytics and Machine Learning by Ahmed Tantawy - October 30, 2017
- Associated Webcasts: Closing the Skills Gap with Analytics and Machine Learning Closing the Skills Gap with Analytics and Machine Learning
- Sponsored By: RSA
It is important that IT departments leverage automated analytics and machine learning solutions that connect the dots between seemingly random events and provide much-needed context, visibility and actionable advice. In this paper, we explain how to utilize and integrate analytics and machine learning to reduce the load on security professionals, while increasing visibility and accurately predicting attackers' next steps.
Blueprint for CIS Control Application: Securing the Oracle E-Business Suite by Barbara Filkins - October 26, 2017
- Sponsored By: Onapsis
This paper looks at how the Critical Security Controls can be used to secure Oracle's E-Business Suite (EBS), using an approach that considers application- as well as network-related issues.
2017 State of Application Security: Balancing Speed and Risk by Jim Bird - October 24, 2017
- Associated Webcasts: Application Security on the Go! SANS Survey Results, Part 1 Application Breaches and Lifecycle Security: SANS 2017 Application Security Survey, Part 2 Application Security on the Go! SANS Survey Results, Part 1 Application Breaches and Lifecycle Security: SANS 2017 Application Security Survey, Part 2 Application Breaches and Lifecycle Security: SANS 2017 Application Security Survey, Part 2
- Sponsored By: Tenable WhiteHat Security Rapid7 Inc. Veracode Synopsys
Agile teams deliver working software every few weeks. High-speed cross-functional DevOps teams push software changes directly to production multiple times each day. Organizations are taking advantage of cloud platforms and on-demand services, containerization, and automated build and continuous delivery pipelines. All of this radically changes how development teams�and their security/risk management teams�think and work. Read on to learn more.
Enhance Your Investigations with Network Data by Matt Bromiley - October 19, 2017
- Associated Webcasts: Enhance Your Investigations with Network Data
- Sponsored By: Cisco Systems
Network forensics is its own specialized field that often introduces complex protocols, jargon, and analysis techniques that are potentially confusing to practitioners. But particular artifacts can be leveraged to determine the attack sequence and to offer a more complete picture of the breach. In this white paper, SANS analyst and instructor Matt Bromiley examines the power of network forensics and why it should be incorporated into all incident response investigations.
Targeted Attack Protection: A Review of Endgame�s Endpoint Security Platform by Dave Shackleford - October 17, 2017
- Associated Webcasts: Targeted Attack Protection: SANS Review of Endgame\'s endpoint security platform
- Sponsored By: Endgame
SANS Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.
AppSec: ROI Justifying Your AppSec Program Through Value-Stream Analysis by Jim Bird - October 4, 2017
- Sponsored By: Veracode
In this paper we focus narrowly on the impact of application security on the end-to-end software development value chain. We also look at ways to identify and balance cost and risk to help you decide which tools and practices are most practical and cost effective for your organization.
Next-Gen Protection for the Endpoint: SANS Review of Carbon Black Cb Defense by Jerry Shenk - September 14, 2017
- Associated Webcasts: EDR + NGAV Working Together: SANS Review of Carbon Black Cb Defense
- Sponsored By: Carbon Black
In today�s threat landscape, organizations wanting to shore up their defenses need endpoint tools that not only detect, alert and prevent malware and malware-less attacks, but also provide defenders a road map of the systems and pathways attackers took advantage of. Our review shows that Carbon Black�s Cb Defense does all this and more with a high degree of intelligence and analytics. Utilizing a cloud-based delivery system, it makes informed decisions on subtle user and system behaviors that we wouldn�t otherwise see with traditional antivirus tools. Importantly, it saved us time: Manual correlation and false positives are among the top 10 time-consuming tasks IT professionals hate, according to a recent article in Dark Reading.2 Rather than toggling between separate security systems, tra c logs and so on, we used a single cloud interface�through drill-down and pivot�to determine whether a threat was a false positive or real.
Asking the Right Questions: A Buyer's Guide to Dynamic Scanning to Secure Web Applications by Barbara Filkins - September 12, 2017
- Associated Webcasts: Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer\'s Guide to App Sec Scanning Tools
- Sponsored By: Veracode
Securing a web apps across its lifecycle is fundamentally different than securing an app born inside a secure perimeter. The selection of tools designed to scan running applications is more complex and challenging select than are conventional tools as the threat these are designed to counter is also more intensive and more pervasive. This makes the choice of tool critical. We walk you through the various parameters involved in the decision-making process in this paper.
Sensitive Data at Risk: The SANS 2017 Data Protection Survey by Barbara Filkins - September 5, 2017
- Associated Webcasts: Sensitive Data Everywhere: Results of SANS 2017 Data Protection Survey
- Sponsored By: Mcafee LLC InfoBlox
Ransomware, insider threat and denial of service are considered the top threats to sensitive data by respondents to the 2017 SANS Data Protection Survey. User credentials and privileged accounts represented the most common data types involved in these breaches reported in the survey, spotlighting the fact that access data is prized by attackers. The experiences of respondents with compromised data provide valuable lessons for security professionals.
The Efficiency of Context: Review of WireX Systems Incident Response Platform by Jerry Shenk - September 5, 2017
- Associated Webcasts: The Efficiency of Context: Review of WireX Network Forensics Platform
- Sponsored By: WireX Systems
WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Contextual Capture, a key feature of the WireX Network Forensics Platform, is designed to turn every SOC member into a valuable analyst by providing easy-to-use forensics history (for periods of months) using a unique and intuitive query interface. WireX NFP also creates investigation workflows that can be used by the entire security team to accelerate alert validation and incident response.
2017 Threat Landscape Survey: Users on the Front Line by Lee Neely - August 14, 2017
- Associated Webcasts: Security Whack-a-Mole: SANS 2017 Threat Landscape Survey Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
- Sponsored By: Qualys Mcafee LLC FireEye Cylance
Endpoints-and the users behind them-are on the front lines of the battle: Together they represent the most significant entry points for attackers obtaining a toehold into the corporate network. Users are also the best detection tool organizations have against real threats, according to the 2017 SANS Threat Landscape survey. Read on for more detail on the types of attacks occurring and their impact on organizations and their security.
Road Map to a Secure, Smart Infrastructure by Barbara Filkins - August 9, 2017
- Associated Webcasts: Roadmap to a Secure Smart Infrastructure
- Sponsored By: Rapid7 Inc.
This paper provides a multifaceted security approach for securing infrastructure systems that are being targeted by attackers and malware.
Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey by Eric Cole - July 31, 2017
- Associated Webcasts: The SANS 2017 Insider Threat Survey: Mounting an Effective Defense Against Insider Threat The SANS 2017 Insider Threat Survey: Mounting an Effective Defense Against Insider Threat
- Sponsored By: Rapid7 Inc. Dtex Systems Haystax Technology
It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. This survey highlights the importance of managing internal threats as the key to winning at cyber security.
Automating Cloud Security to Mitigate Risk by Dave Shackleford - July 20, 2017
- Associated Webcasts: Automating Cloud Security to Mitigate Risk
- Sponsored By: Skybox Security, Inc.
As cloud computing services evolve, the cloud opens up entirely new ways for potential attacks. This paper explores the potential security challenges enterprises face as they migrate to any kind of cloud setup and offers guidance to ensure a smooth migration to new solutions.
Securing Industrial Control Systems-2017 by Bengt Gregory-Brown - July 11, 2017
- Associated Webcasts: The 2017 State of Industrial Control System Security-Part 1: Personnel, Threats and Tools The 2017 State of Industrial Control System Security�Part 2: Protection, Prevention and Convergence
- Sponsored By: Tripwire, Inc. Tempered Great Bay Software PAS Nozomi Networks
We annually gather and analyze raw data from hundreds of IT and industrial control systems (ICS) security practitioners. Our mission is to turn these inputs into actionable intelligence to support new developments and address trends in the field to inform the crucial business decisions. Here we report on these trends and other changes that make active use of ICS as a core enabler for business imperatives and provide actionable advice for today's security practitioners.
Complying with Data Protection Law in a Changing World by Benjamin Wright - June 27, 2017
- Associated Webcasts: Complying with Data Protection Law in a Changing World
- Sponsored By: Forcepoint LLC
Failure to meet legal and political expectations for data security can expose your enterprise to fines, lawsuits, negative publicity and regulatory investigations. These expectations are rapidly evolving across the world, making it difficult for enterprises to effectively protect their brands. This white paper reveals the major steps a large, multinational enterprise can take to assure the public, authorities and business partners that it is behaving responsibly and is on a commendable path of compliance.
Zero-Touch Detection and Investigation of Cloud Breaches: A Review of Lacework's Cloud Workload Security Platform by Matt Bromiley - June 27, 2017
- Associated Webcasts: Effortless Detection and Investigation of Cloud Breaches: A Review of Lacework\'s Zero Touch Cloud Workload Security Platform
- Sponsored By: Lacework
Today's increasingly dynamic cloud environments present new challenges to security practitioners. With security talent in short supply, tailoring old policy-and-logs approaches to the needs of an organization can require time and resources it just doesn't have. In this review, SANS analyst and instructor Matt Bromiley shares his experience using Lacework's new Zero Touch Cloud Workload Security Platform to mitigate these challenges.
Testing Web Apps with Dynamic Scanning in Development and Operations by Barbara Filkins - June 15, 2017
- Associated Webcasts: Using Dynamic Scanning to Secure Web Apps in Development and After Deployment
- Sponsored By: Veracode
Building secure web applications requires more than testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Public-facing web apps remain the primary source of data breaches. To keep web apps secure, IT ops groups are increasingly adopting Dynamic Application Security Testing (DAST) tools. Learn how DAST tools can reduce dev costs and security flaws; how to avoid organizational gaps between dev and ops that can make remediation difficult; and other AppSec/vulnerability scanning issues.
The Show Must Go On! The 2017 SANS Incident Response Survey by Matt Bromiley - June 12, 2017
- Associated Webcasts: SANS 2017 Incident Response Survey Results - Part 1: Attack, Response and Maturity SANS 2017 Incident Response Survey Results�Part 2: Threat Intelligence and Improving Incident Response Capabilities
- Sponsored By: Guidance Software Mcafee LLC LogRhythm IBM AlienVault Anomali
Overall, the results of 2017 Incident Response survey were very promising. Organizations are building IR teams that suit their environments and their unique set of issues. Malware still looms as the root cause of a large majority of incidents; and IR teams still suffer from a shortage of skilled staff, lack of ownership and business silo issues. Read on to examine the results of the survey and guidelines and feedback to spur improvements.
Security by Design: The Role of Vulnerability Scanning in Web App Security by Barbara Filkins - June 7, 2017
- Associated Webcasts: The Role of Vulnerability Scanning in Web App Security
- Sponsored By: Netsparker
The growth in custom applications in the cloud has increased organizations' security exposure. Although more organizations want to test and remediate during development, this doesn't address the thousands of existing, potentially vulnerable, apps already online. Modern web scanners can help by highlighting areas of likely vulnerability. Their speed and automation can make them a valuable part of a multilayered scanning and monitoring program.
Using Cloud Deployment to Jump-Start Application Security by Adam Shostack - May 24, 2017
- Associated Webcasts: Choosing the Right Path to Application Security
- Sponsored By: Veracode
The cloud has significantly changed corporate application development. Now that releases come every few days rather than once or twice a year, AppSec is now squeezed into tiny windows of time. The speed, repetitiveness and changes in responsibility associated with these changes make it hard for traditional approaches to work. What are the choices and best practices for security within AppSec? How can you leverage the cloud to work for you? Attend this webcast and be among the first to receive access to the associated whitepaper developed by Adam Shostack.
Network Security Infrastructure and Best Practices: A SANS Survey by Barbara Filkins - May 23, 2017
- Associated Webcasts: Network Security Infrastructure and Best Practices: A SANS Survey
- Sponsored By: NETSCOUT Systems, Inc.
Network infrastructure is the key business asset for organizations that depend on geographically dispersed data centers and cloud computing for their critical line-of-business applications. Consistent performance across links and between locations must be maintained to ensure timely access to data, enabling real-time results for decision making. The following pages provide guidance on how to approach common challenges faced by both the network and security operational teams in managing interrelated security and performance problems.
Future SOC: SANS 2017 Security Operations Center Survey by Christopher Crowley - May 16, 2017
- Associated Webcasts: SOCs Grow Up to Protect, Defend, Respond: Results of the 2017 SANS Survey on Security Operations Centers, Part 1 Future SOCs: Results of the 2017 SANS Survey on Security Operations Centers, Part 2
- Sponsored By: Tripwire, Inc. LogRhythm NETSCOUT Systems, Inc. Carbon Black ThreatConnect Endgame
The primary strengths of security operations centers (SOCs) are flexibility and adaptability, while their biggest weakness is lack of visibility. Survey results indicate a need for more automation across the prevention, detection and response functions. There are opportunities to improve security operations, starting with coordination with IT operations. SOCs can improve their understanding how to serve the organization more effectively and their use of metrics.
How to Conquer Targeted Email Threats: SANS Review of Agari Advanced Threat Protection by Dave Shackleford - May 9, 2017
- Associated Webcasts: How to Conquer Targeted Email Threats: SANS Review of Agari Advanced Threat Protection
- Sponsored By: AGARI
Why are our traditional email and endpoint security tools failing us? First, most email deployments lack any authentication of outside senders. Given this vulnerability, it�s trivial to execute spoo ng and falsi ed email content that purports to come from a trusted entity the recipient knows and trusts. Second, attackers are using cloud-based email and �detection-busting� techniques such as fake identities, deceptive sender names and phony domains to beat defenses. Clearly, given the prevalence of email-borne threats, protecting email infrastructure and end users needs to be a high priority for all security teams today. To this end, SANS had the opportunity to review Agari Enterprise Protect and the Agari Email Trust Platform.
Deception Matters: Slowing Down the Adversary with illusive networks® by Eric Cole, PhD - May 1, 2017
- Associated Webcasts: Deception Matters: Slowing the Adversary with illusive networks
- Sponsored By: Illusive Networks
Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection capabilities to show cyber deception in action.
A New Era in Endpoint Protection by Dave Shackleford - April 26, 2017
- Associated Webcasts: A New Era in Endpoint Protection: A SANS Product Review of CrowdStrike Falcon Endpoint Protection
- Sponsored By: CrowdStrike, Inc.
Conventional antivirus solutions aren�t keeping pace with today's threats. There's a lot of fear, uncertainty and doubt around replacing antivirus with next-generation antivirus solutions, particularly in legacy environments. Learn what NGAV actually is; where it fits into the IT infrastructure; and how to easily utilize CrowdStrike's Falcon cloud-based services against a variety of threats first-generation AV normally wouldn't catch. SANS analyst Dave Shackleford explains and presents his findings.
The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey by Rob Lee and Robert M. Lee - April 25, 2017
- Associated Webcasts: Threat Hunting-Modernizing Detection Operations: The SANS 2017 Threat Hunting Survey Results | Part 1 Reducing Attacks and Improving Resiliency: The SANS 2017 Threat Hunting Survey Results | Part 2
- Sponsored By: Rapid7 Inc. Anomali DomainTools ThreatConnect Sqrrl Data, Inc. Malwarebytes
Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender�s networks. Results just in from our new SANS 2017 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational viewpoint.
Integrating Prevention, Detection and Response Work Flows: SANS Survey on Security Optimization by G.W. Ray Davidson, PhD - April 19, 2017
- Associated Webcasts: Impact of Isolated Cyber Security Functions: A SANS Survey
- Sponsored By: ThreatConnect
Are the prevention, detection, response and prediction functional groups operating in unison with shared data and workflow, or are they remaining true to the tradition of operational silos in most technology groups? In this survey, we analyze satisfaction with staffing levels, tools and management-support architectures to help provide best practices and guidance for IT security practitioners.
Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform by Dave Shackleford - April 13, 2017
- Associated Webcasts: Speed and Scalability Matter: SANS Review of LogRhythm 7 SIEM and Analytics Platform
Just how scalable, fast and accurate are SIEM tools when under load? To find out, we put the LogRhythm 7.2 Threat Lifecycle Management Platform to the test. We found that its clustered Elasticsearch indexing layer supported large log volumes of security and event data during simulated events that would require investigation and remediation.
SOC-as-a-Service: All the Benefits of a Security Operations Center Without the High Costs of a DIY Solution by Sonny Sarai - March 28, 2017
- Associated Webcasts: SOC in the Cloud: A review of Arctic Wolf SOC Services
- Sponsored By: Arctic Wolf Networks
Security Operations Centers are increasingly important in today's enterprises - they protect against intrusions, damaging DDoS attacks and data security breaches, as well as help with investigation and remediation. But how can midsize enterprises get the same SOC advantages as their large enterprise peers?

This paper explores how Arctic Wolf Networks' CyberSOC can help midsize organizations roll out a SOC-as-a-Service, thereby leveraging the benefits of a SOC without the high costs of a DIY solution.
Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017 by John Pescatore - March 20, 2017
- Associated Webcasts: 2017 Cybersecurity Trends: Aiming Ahead of the Target to Increase Security
Attackers are always changing their methods, but some cybersecurity trends are clear--and identifying these trends will help security professionals plan for addressing these issues in the coming year. Attacks will continue, and many will be successful. While security professionals should try to prevent a breach, it's far more critical to uncover breaches quickly and mitigate damage. Another significant trend for 2017: expanding current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things. Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts. Board members are keenly aware that breaches can be high-profile catastrophes for companies, and they are also concerned that the organizations they oversee are in compliance with new and more stringent regulations. This whitepaper covers the latest and best security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.
Securing DNS Against Emerging Threats: A Hybrid Approach by John Pescatore - March 16, 2017
- Associated Webcasts: Protecting Business Mobility Against Emerging Threats
- Sponsored By: InfoBlox
This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.
Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey by Dave Shackleford - March 14, 2017
- Associated Webcasts: Cyber Threat Intelligence in Action-Skills and Implementations: Results of the 2017 Cyber Threat Intelligence Survey Part 1 Cyber Threat Intelligence in Action-Effectiveness of CTI Programs and Wish Lists for the Future: Results of the 2017 Cyber Threat Intelligence Survey Part 2
- Sponsored By: Arbor Networks Rapid7 Inc. Lookingglass Cyber Solutions, Inc. Anomali DomainTools ThreatConnect
Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are lack of trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as limited management support. Those challenges indicate a need for more training and easier, more intuitive tools and processes to support the use of CTI in today's networks. These and other trends and best practices are covered in this report.
Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners by Benjamin Wright - March 7, 2017
- Associated Webcasts: Complying with the General Data Protection Regulation: A Guide for Security Practitioners
- Sponsored By: Skybox Security, Inc.
The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.
Next-Gen Endpoint Risks and Protections: A SANS Survey by G. W. Ray Davidson, PhD - February 27, 2017
- Associated Webcasts: Next-Gen Endpoints Risks and Protections: A SANS Survey Part 1: New Devices and Risks Next-Gen Endpoints Risks and Protections: A SANS Survey Part 2: Next-Gen Protection and Response
- Sponsored By: Guidance Software Sophos Inc. Carbon Black IBM Malwarebytes Great Bay Software
Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Lack of adequate patching programs also results in endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response, automation of remediation processes.
DevSecOps Transformation: The New DNA of Agile Business by Dave Shackleford - February 21, 2017
This is an additional resource that accompanies the analyst paper, "The DevSecOps Approach to Securing Your Code and Your Cloud". To view the paper please click this link.
Moving Toward Better Security Testing of Software for Financial Services by Steve Kosten - February 7, 2017
- Associated Webcasts: Enhanced Application Security for the Financial Industry Enhanced Application Security for the Financial Industry
- Sponsored By: Synopsys
The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types--web applications, mobile applications, internal web services and so forth--are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why the applications are being targeted, what is motivating the attackers and what some inhibitors of application security are. Most important, this paper specifies some best practices for developing a secure development life cycle to safeguard applications in the FSI.
The DevSecOps Approach to Securing Your Code and Your Cloud by Dave Shackleford - February 7, 2017
- Sponsored By: CloudPassage
DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted. This paper also has an additional resource titled, "DevSecOps Transformation: The New DNA of Agile Business". The resource can be accessed by clicking this link.
Digital Ghost: Turning the Tables by Michael J. Assante - February 1, 2017
- Associated Webcasts: Digital Ghost: Turning the Tables on Cyber Attacks in Industrial Systems
- Sponsored By: GE
The complex weave of digital technology relies heavily on hyperconnected systems to move data and unlock value through analytics. The benefits are real, but the stakes involved require a serious look at the potential downsides, including the risk of cyber attacks. Organizations embracing technology innovation should not focus solely on efficiency and productivity, for innovation done correctly can also reduce the risks that come with expanding digital touchpoints.
Back to Basics: Focus on the First Six CIS Critical Security Controls by John Pescatore - January 24, 2017
- Sponsored By: Tripwire, Inc.
Rather than a lack of choices in security solutions, a major problem in cyber security is an inability to implement mature processes - many organizations lack a defined and repeatable process for selecting, implementing and monitoring the security controls that are most effective against real-world threats. This paper explores how the Center for Internet Security (CIS) Critical Security Controls has proven to be an effective framework for addressing that problem.
Countering Impersonation, Spearphishing and Other Email-Borne Threats: A Review of Mimecast Targeted Threat Protection by Jerry Shenk - January 24, 2017
- Associated Webcasts: Mimecast Targeted Threat Protection
- Sponsored By: Mimecast Services Limited
The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure. In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protect, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: �whaling� attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.
Implementing the Critical Security Controls by Jim D. Hietala - January 24, 2017
- Associated Webcasts: Secure Configuration in Action (and How to Apply It)
- Sponsored By: Tripwire, Inc.
This paper serves as a how-to for organizations in various stages of implementing the controls and offers two real-world examples of CIS Control adoption. The case studies are based on real-time interviews with the people behind the efforts and includes the security environments before the implementation, the challenges experienced in adopting the controls and the benefits they�ve experienced.
Packets Don't Lie: LogRythm NetMon Freemium Review by Dave Shackleford - January 18, 2017
- Associated Webcasts: Packets Don�t Lie: What�s Really Happening on Your Network?
- Sponsored By: LogRhythm
With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm�s Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.
SANS 2016 Security Analytics Survey by Dave Shackleford - December 6, 2016
- Associated Webcasts: Security Analytics in Action: SANS Fourth Annual Security Analytics Survey - Part 1 Part 2 | SANS Security Analytics Survey Results: What\'s Working? What\'s Not?
- Sponsored By: LogRhythm Rapid7 Inc. AlienVault Lookingglass Cyber Solutions, Inc. Anomali
Survey respondents have become more aware of the value of analytics and have moved beyond using them simply for detection and response to using them to measure and aid in improving their overall risk posture. Still, we�ve got a long way to go before analytics truly progresses in many security organizations. Read on to learn more.
Insider Threats and the Need for Fast and Directed Response by Dr. Eric Cole - December 1, 2016
- Associated Webcasts: Insider Threats and the Real Financial Impact to Organizations - A SANS Survey
- Sponsored By: Veriato
As breaches continue to cause significant damage to organizations, security consciousness is shifting from traditional perimeter defense to a holistic understanding of what is causing the damage and where organizations are exposed. Although many attacks are from an external source, attacks from within often cause the most damage. This report looks at how and why insider attacks occur and their implications.
Reducing Attack Surface: SANS� Second Survey on Continuous Monitoring Programs by Barbara Filkins - November 14, 2016
- Associated Webcasts: Vulnerabilities, Controls and Continuous Monitoring: The SANS 2016 Continuous Monitoring Survey
- Sponsored By: Forescout Technologies BV Qualys IBM RiskIQ
Continuous monitoring is not a single activity. Rather, it is a set of activities, tools and processes (asset and configuration management, host and network inventories, and continuous vulnerability scanning) that must be integrated and automated all the way down to the remediation workflow. Although CM is shifting focus and slowly improving, it still has a way to go to attain the maturity needed to become a critical part of an organization�s business strategy.
Forcepoint Review: Effective Measure of Defense by Eric Cole, PhD - November 9, 2016
- Associated Webcasts: Taking Action: Effective Measures of Defense
- Sponsored By: Forcepoint LLC
Effective security is all about the quality of the solution, not the quantity of products. Indeed, buying more products can make the problem worse. All of the major breaches over the last several years have had one thing in common: Multiple products were issuing alerts, but there were too many alerts and not enough people charged with monitoring and responding to them. When that is the case, putting more products in place spreads current resources even thinner--the problem gets worse, not better. This paper explains the advantages of an integrated defense-in-depth approach to security and looks at how Forcepoint's integrated solution suite meets the needs of such an approach.
Out with the Old, In with the New: Replacing Traditional Antivirus by Barbara Filkins - November 2, 2016
- Associated Webcasts: Ready to Replace AV? Criteria to Evaluate NGAV Solutions
- Sponsored By: Carbon Black
Research over the past 10 years indicates that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and malware-less attacks. This doesn�t mean that antivirus is �dead.� Instead, antivirus is growing up. Today, organizations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks. This paper provides a guide to evaluating NGAV solutions.
Security in a Converging IT/OT World by Bengt Gregory-Brown and Derek Harp - November 1, 2016
- Associated Webcasts: The Fusion of IT and OT Security: What You Need to Know
- Sponsored By: GE
In this paper we look at the challenges in securing ICS environments and recommendations for effective ICS security. OT cyber security is a relatively young field with few experts, but a great deal can be judiciously drawn from IT experience. The fundamentals are the same: controlling access to devices and applications; monitoring networks to identify potential issues and direct appropriate responsive action; oversight and periodic reviews of controls and their effectiveness; securing the supply chain; and securing the human factor through awareness training. It is in the design and application of these basics to the particular considerations and technical nature of control systems and process control networks (PCNs) that things diverge the most, and it is here that we will focus.
Getting C-Level Support to Ensure a High-Impact SOC Rollout by John Pescatore - October 24, 2016
- Associated Webcasts: Prioritizing and Planning to Ensure a High-Impact SOC Rollout
- Sponsored By: Leidos
To security professionals, the need for an effective SOC is obvious. But to organizational management, security is just one of many groups asking for financial and personnel resources. Security leaders who simply promise management that a SOC will provide better security or help the company avoid attacks won�t get very far. The security team must define and communicate the business benefits of investing in, establishing and optimizing a SOC over the long term.
From the Trenches: SANS 2016 Survey on Security and Risk in the Financial Sector by G. Mark Hardy - October 18, 2016
- Associated Webcasts: From the Trenches, the SANS 2016 Survey on Security and Risk in the Financial Sector: Part 1 Incidents, Risks and Preparedness From the Trenches, the SANS 2016 Survey on Security and Risk in the Financial Sector: Part 2 Securing Financial Environments
- Sponsored By: Forescout Technologies BV Guidance Software Arbor Networks WhiteHat Security NSFOCUS
The financial services industry is under a barrage of ransomware and spearphishing attacks that are rising dramatically. These top two attack vectors rely on the user to click something. Organizations enlist email security monitoring, enhanced security awareness training, endpoint detection and response, and firewalls/IDS/IPS to identify, stop and remediate threats. Yet, their preparedness to defend against attacks isn�t showing much improvement. Read on to learn more.
Security and Accountability in the Cloud Data Center: A SANS Survey by Dave Shackleford - October 10, 2016
- Associated Webcasts: Security and Accountability in the Cloud, the SANS 2016 Cloud Security Survey: Part 2 - Changes in Cloud Security Security and Accountability in the Cloud, the SANS 2016 Cloud Security Survey: Part 1 - Breach Landscape and the Top Threats and Challenges
- Sponsored By: Mcafee LLC Rapid7 Inc. IBM CloudPassage Bitglass
Despite risk that is higher than more controlled on-premises traditional non-cloud systems, this survey found that almost a quarter of respondents (24%) are in organizations adopting a �cloud first� strategy. Using public cloud or on-premises applications as appropriate led the way, chosen by 46% of respondents, and 30% of respondents said they prefer on-premises applications. Read on to learn more about the state of cloud security and what we need to do to improve it.
Taking Action Against the Insider Threat by Eric Cole, PhD - October 5, 2016
- Associated Webcasts: Taking Action Against Insider Threats Taking Action Against Insider Threats
- Sponsored By: Dtex Systems
Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders as well. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?
Security Intelligence and the Critical Security Controls v6 by G. W. Ray Davidson, PhD - September 29, 2016
- Sponsored By: LogRhythm
Security data is everywhere�in our logs, feeds from security devices (IDS/IPS/ rewalls, whitelists, etc.), network and endpoint systems, anomaly reports, access records, network tra c data, security incident and event monitoring (SIEM) systems, and even in applications hosted in the cloud. All of this data�and the processes that use them� combine to form an organization�s security intelligence ecosystem. The major challenge of managing this ecosystem of security data is tying all these bits of data together and automating their correlation and use, with the goal of faster detection, prevention, continued security improvement and ultimately, reduced risk.1 The key to success is through automation and integration, according to the CIS Critical Security Controls, which is now in version 6.
Threat Intelligence: What It Is, and How to Use It Effectively by Matt Bromiley - September 19, 2016
- Sponsored By: NSFOCUS
In today�s cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, cyber attackers are growing smarter and more capable every day. Today�s security teams often nd themselves falling behind, left to analyze artifacts from the past to try to determine the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.
Data Breaches: Is Prevention Practical? by Barbara Filkins - September 13, 2016
- Associated Webcasts: Breach Detected! Could It Have Been Prevented?
- Sponsored By: Palo Alto Networks
Despite the potential costs, legal consequences and other negative outcomes of data breaches, they continue to happen. A new SANS Institute survey looks at the preventive aspect of breaches � and what security and IT practitioners actually are, or are not, implementing for prevention.
Intelligent Network Defense by Jake Williams - September 8, 2016
- Associated Webcasts: Intelligent Network Security
- Sponsored By: ThreatSTOP
When an army invades a sovereign nation, one of the defenders� first goals is to disrupt the invader�s command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.
Hunting with Prevention by Dave Shackleford - August 24, 2016
- Associated Webcasts: Using an Attacker Technique-Based Approach for Prevention
- Sponsored By: Endgame
Traditional endpoint protection such as antivirus, while effective in some cases, is no match for the ever-changing techniques that attackers use to get past defenses, according to multiple SANS surveys.
Protect the Network from the Endpoint with the Critical Security Controls by G. W. Ray Davidson, PhD - August 22, 2016
- Sponsored By: Forescout Technologies BV
The endpoint is rapidly evolving and often the first vector of attack into enterprises, according to the SANS 2016 State of Endpoint Security Survey. As such, all endpoints should be considered potentially hostile.
Generating Hypotheses for Successful Threat Hunting by Robert M. Lee and David Bianco - August 15, 2016
Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human�s key contributions to a hunt is the formulation of a hypotheses to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.
The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing by Dave Shackleford - August 15, 2016
- Associated Webcasts: The State of Cyber Threat Intelligence: Part 1: How Cyber Threat Intelligence Is Consumed and Processed The State of Cyber Threat Intelligence: Part 2: The Value of CTI
- Sponsored By: Arbor Networks Hewlett Packard NETSCOUT Systems, Inc. Rapid7 Inc. AlienVault Anomali
It�s 2016, and the attacks (and attackers) continue to be more brazen than ever. In this threat landscape, the use of cyber threat intelligence (CTI) is becoming more important to IT security and response teams than ever before. This paper provides survey results along with advice and best practices for getting the most out of CTI.
Exploits at the Endpoint: SANS 2016 Threat Landscape Survey by Lee Neely - August 10, 2016
- Associated Webcasts: 2016 Threat Landscape Survey Report: Europe Edition 2016 Threat Landscape Survey Report
- Sponsored By: Check Point Software Technologies, Inc.
The perfect storm it is upon us: Users with their many devices are falling victim to phishing and ransomware at alarming rates, with user actions at the endpoint representing the most common entry points allowing threats into organizations. Results reveal that ransomware, which spreads by phishing and web downloads, is the No. 1 type of malware making its way into organizations. Read on to learn more.
Healthcare Provider Breaches and Risk Management Road Maps: Results of the SANS Survey on Information Security Practices in the Healthcare Industry by Barbara Filkins - July 19, 2016
- Associated Webcasts: Health Care Provider Breaches and Risk Management Roadmaps: Part 2 - Health Care Security from the Top Down
- Sponsored By: Forescout Technologies BV WhiteHat Security Carbon Black Trend Micro Inc. Anomali Great Bay Software
The number of attack surfaces continues to rise as the use of mobile medical- and health-related apps grows and as electronic health records (EHR) become ever more embedded in clinical settings. As this survey shows, many attacks stem from insiders with access, whether through simple negligence, malicious intent or just plain curiosity. To get the specifics, read on �
Decision Criteria and Analysis for Hardware-Based Encryption by Eric Cole, PhD - July 13, 2016
- Associated Webcasts: Decision Criteria and Analysis for Hardware-Based Encryption
- Sponsored By: THALES e-Security
Organizations trying to balance the risk of data breaches against the inconvenience, latency and cost of encrypting every bit of valuable data often balk at the trade-off. But with the volume of digital data growing and computing environments becoming more complex and accessible, the ratio of cost to benefit has improved and encryption is now far more common in organizations that rely heavily on Internet- or cloud-connected applications for significant business functions.
The Case for PIM/PAM in Today's Infosec by Barbara Filkins - June 30, 2016
- Associated Webcasts: The Case for PIM/PAM in Today's Infosec
- Sponsored By: CA, Inc.
To see how serious a threat the misuse of privileged credentials represents, look no further than the astonishing scope of the breach discovered in 2015 at the United States Office of Personnel Management (OPM). To realize how often similar threats become real, look no further than the 2016 Verizon Data Breach Incident Report (DBIR), which found that privilege misuse was the second-most frequent cause of security incidents and the fourth-most common cause of breaches.
SANS 2016 State of ICS Security Survey by Derek Harp and Bengt Gregory-Brown - June 28, 2016
- Associated Webcasts: Where Are We Now?: The SANS 2016 ICS Survey
- Sponsored By: Arbor Networks Carbon Black Anomali Belden
Analysis of survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.
Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey by Barbara Filkins - June 20, 2016
- Associated Webcasts: Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey
- Sponsored By: PivotPoint Risk Analytics
Results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.
Infographic: Financial Apps at Risk by - June 7, 2016
- Sponsored By: Veracode
View the associated whitepaper here: https://www.sans.org/reading-room/whitepapers/analyst/understanding-security-regulations-financial-services-industry-37027
Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey by Matt Bromiley - June 7, 2016
- Associated Webcasts: Incident Response Capabilities in 2016 - Part 1: The Current Threat Landscape and Survey Results Incident Response Capabilities in 2016 - Part 2: Emerging Trends in Incident Response and Survey Results
- Sponsored By: IBM Security Mcafee LLC Arbor Networks LogRhythm NETSCOUT Systems, Inc. HP Enterprise Security AlienVault Veriato
Results of the 2016 Incident Response Survey indicate that the IR landscape is ever changing. Advanced industries are able to maintain effective IR teams, but as shown in this report, there are still hurdles to jump to increase the efficiency of many IR teams. Read this report to learn more.
Understanding Security Regulations in the Financial Services Industry by David Hoelzer - June 3, 2016
- Sponsored By: Veracode
View the associated infographic here: https://www.sans.org/reading-room/whitepapers/analyst/infographic-financial-apps-risk-37042
Blueprint for CIS Control Application: Securing the SAP Landscape by Barbara Filkins - May 26, 2016
- Associated Webcasts: A Blueprint to Secure SAP Applications Using CIS Controls As a Guide
- Sponsored By: Onapsis
Any data breach can be expensive, but the potential cost rises with the value or exploitability of the data targeted in an attack.
Assessing Application Security: A Buyer's Guide by Barbara Filkins - May 23, 2016
- Sponsored By: Veracode
Organizations realize that application security (AppSec) is key to protecting their data and the IT assets that contain it.
2016 State of Application Security: Skills, Configurations and Components by Johannes Ullrich, PhD - April 26, 2016
- Associated Webcasts: Managing Applications Securely: A SANS Survey
- Sponsored By: WhiteHat Security Veracode Checkmarx Inc.
Survey results reveal that it is critical for an overall enterprise security program to coordinate efforts among developers, architects and system administrators�particularly since many software vulnerabilities are rooted in configuration issues or third-party components, not just in code written by the development team. Read on to learn more.
Improving Application and Privilege Management: Critical Security Controls Update by John Pescatore - April 25, 2016
- Associated Webcasts: Overcome Privilege Management Obstacles with CSC v. 6
- Sponsored By: Appsense
- Login
- Join SANS.org
Threat Hunting: Open Season on the Adversary by Dr. Eric Cole - April 12, 2016
- Associated Webcasts: Open Season on Cyberthreats: Part 2- Threat Hunting Methodologies and Tools Open Season on Cyberthreats: Part I- Threat Hunting 101
- Sponsored By: HPE Carbon Black DomainTools Endgame Sqrrl Data, Inc. Malwarebytes
Nearly 86% of organizations responding to the survey want to be doing the hunting, albeit informally, as more than 40% do not have a formal threat hunting program in place. Results indicate that hunting is providing benefits, including finding previously undetected threats, reducing attack surfaces and enhancing the speed and accuracy of response by using threat hunting. They also suggest that organizations want to improve their threat-hunting programs and realize more benefits from threat hunting.
Can We Say Next-Gen Yet? State of Endpoint Security by G. W. Ray Davidson, PhD - March 16, 2016
- Associated Webcasts: SANS 2016 Endpoint Security Survey Part 1: The Evolving Definition of Endpoints SANS 2016 Endpoint Security Survey Part 2: Can We Say Next-Gen Yet?
- Sponsored By: Guidance Software IBM Security Sophos Inc. Malwarebytes Great Bay Software
The survey results show that although conventional devices such as desktops and servers represent the largest segment of endpoints connected to the network, the variety of endpoints is growing quickly. Read this survey results paper for insight into endpoint management strategies and processes.
Using Metrics to Manage Your Application Security Program by Jim Bird - March 14, 2016
- Associated Webcasts: Benchmarking AppSec: A Metrics Pyramid
- Sponsored By: Veracode
In this paper, we�ll look at the first steps in measuring your AppSec program, starting with how to use metrics to understand what is working and where you need to improve, to identify and solve problems, and to build a case for making further investments in your program. Ultimately, the goal is to make AppSec part of the organization�s culture, and ensure it�s relevant to business units and meaningful to executives.
Active Breach Detection: The Next-Generation Security Technology? by Dave Shackleford - March 11, 2016
- Associated Webcasts: Is Active Breach Detection the Next-Generation Security Technology?
- Sponsored By: EastWind Networks
A SANS Whitepaper written by Dave Shackleford
A DevSecOps Playbook by Dave Shackleford - March 8, 2016
- Associated Webcasts: A DevSecOps Playbook
- Sponsored By: CloudPassage
Enterprise computing is going through a major transformation of infrastructure and IT delivery models, one that is at least as disruptive as the move from mainframe computing to client/server (Internet) architectures. With client/server architectures, the change in hardware was the most obvious difference, but the more meaningful transformation was IT organizations� new ability to build custom systems and software much more quickly, with far greater flexibility and at lower cost than had been possible during the mainframe era.
The Who, What, Where, When, Why and How of Effective Threat Hunting by Robert M. Lee and Rob Lee - March 1, 2016
- Associated Webcasts: Threat Hunting
- Sponsored By: Sqrrl Data, Inc.
The chances are very high that hidden threats are already in your organization�s networks. Organizations can�t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Having a perimeter and defending it are not enough because the perimeter has faded away as new technologies and interconnected devices have emerged. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools by, for example, making their attacks look like normal activity.
Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance by Barbara Filkins - February 25, 2016
- Sponsored By: PivotPoint Risk Analytics
Sponsored by PivotPoint Risk Analytics, in conjunction with Advisen.
Getting Started with Web Application Security by Gregory Leonard - February 10, 2016
- Associated Webcasts: Getting Started with Web Application Security
- Sponsored By: Veracode
- Login
- Join SANS.org
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices by Lee Neely - February 9, 2016
- Associated Webcasts: Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices
- Sponsored By: Skycure
The ubiquitous use of mobile devices results in a mixture of corporate and personal data stored on devices that are online continuously, seamlessly connecting to the closest available network, downloading and uploading data whenever possible, and carried with users continuously. This trend has radically changed the landscape of data protection.
Using Analytics to Predict Future Attacks and Breaches by Dave Shackleford - February 9, 2016
- Associated Webcasts: Predicting Future Attacks and Breaches: Analytics in Action
- Sponsored By: SAS INSTITUTE INC
The pace and sophistication of data breaches is growing all the time. Anyone with valuable secrets can be a target, and likely already is. According to the Privacy Rights Clearinghouse, at the time of this writing, 884,903,517 records were breached in 4,621 incidents documented since 2005. This number is just an estimate based on publicly disclosed and well-documented incidents; the real number is likely much higher. According to data available from datalossdb.org, the size of the major breaches over the past several years has grown significantly.
Eliminating Blind Spots: A New Paradigm of Monitoring and Response by Dave Shackleford - February 4, 2016
- Associated Webcasts: A New Paradigm of Monitoring and Response
- Sponsored By: Raytheon | Websense
- Login
- Join SANS.org
IT Security Spending Trends by Barbara Filkins - February 2, 2016
- Associated Webcasts: SANS 2016 IT Security Spending Strategies Survey
- Sponsored By: Arbor Networks Gigamon
This paper assumes security budgeting occurs as part of each organization's yearly cost management cycle. Readers will explore the what, why, where and how of IT security spending and will get advice on how to better meet the challenge of aligning security spending processes with organizational needs.
Why You Need an Application Security Program by Johannes B. Ullrich, PhD - January 28, 2016
- Associated Webcasts: Why You Need Application Security
- Sponsored By: Veracode
- Login
- Join SANS.org
Guarding Beyond the Gateway: Challenges of Email Security by Barbara Filkins - January 6, 2016
- Associated Webcasts: Guarding Beyond the Gateway: Modern Challenges of Email Security
- Sponsored By: Mimecast Services Limited
Learn how to maximize the trustworthiness of email services through changes to infrastructure and how to use your systems to improve the performance of the human firewall.
Cleaning Up After a Breach Post-Breach Impact: A Cost Compendium by Barbara Filkins - December 14, 2015
- Associated Webcasts: Post-Breach Impact: A Cost Compendium
- Sponsored By: Spirion
Read this report to explore the factors that influence the financial impact on the organization in the post-breach environment: forensic analysis, system repair and data recovery, legal and insurance considerations, additional controls, customer support and losses to brand and reputation.
LogRhythm 7 Review: Reducing Detection and Response Times by Dave Shackleford - December 10, 2015
- Associated Webcasts: Scaling Big Data Analytics: SANS Review of LogRhythm 7 Analytics and Intelligence Upgrades
- Sponsored By: LogRhythm
Although we have made progress in the use of analytics and intelligence, the latest SANS Security Analytics survey shows 26 percent of respondents feel they still cant understand and baseline normal behavior in their IT environments, with a majority citing a lack of people and dedicated resources as an impediment.
Advancing Endpoint Protection and Compliance with Promisec Endpoint Manager by Jake Williams - December 10, 2015
- Associated Webcasts: Ensuring Compliance and Detecting Suspicious Activity with Promisec Endpoint Manager
- Sponsored By: Promisec
A review by SANS analyst and instructor Jake Williams of Promisec Endpoint Manager (PEM). It discusses PEMs effectiveness in detecting and remediating endpoint issues.
Intrusion Prevention with HPE TippingPoint by Dave Shackleford - December 7, 2015
- Associated Webcasts: New Frontiers in Intrusion Protection
- Sponsored By: Hewlett Packard
A review by Dave Shackleford of HPEs TippingPoint 2600NX IPS and its management platform. It examines the device's analytic and operational features and discusses the integration of such devices with security information and event management (SIEM) systems as wells as external threat information.
Protect Against Advanced Email-Borne Malware, Phishing and Social Media Fraud: A SANS Guide by Jerry Shenk - December 2, 2015
- Sponsored By: ProofPoint
Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience 'small' breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions.
Securing SSH with the CIS Critical Security Controls by Barbara Filkins - November 30, 2015
- Associated Webcasts: Securing SSH Itself with the Critical Security Controls
- Sponsored By: Venafi, Inc
A SANS Analyst Program whitepaper by Barb Filkins. It discusses how the Critical Security Controls—coupled with good configuration management processes—can support the effort required to avoid the risks inherent to SSH.
2015 Analytics and Intelligence Survey by Dave Shackleford - November 10, 2015
- Associated Webcasts: Security Analytics Maturation Curve: Part 1 of the 3rd Annual SANS Security Analytics and Intelligence Survey Moving up the Analytics Maturation Curve: Part 2 of the 3rd Annual SANS Security Analytics and Intelligence Survey
- Sponsored By: LogRhythm AlienVault Lookingglass Cyber Solutions, Inc. SAS INSTITUTE INC Anomali DomainTools
Although survey results indicate slow and steady progress in the use of analytics and intelligence, most analytics programs lack maturity. Read this survey to understand what is missing and learn where most organizations plan to invest funds to drive improvement.
Security Automation: Security Nirvana or Just a Fad? by Jerry Shenk - November 3, 2015
- Associated Webcasts: Security Automation: Security Nirvana or Just A Fad?
- Sponsored By: Symantec
Security breaches have become so frequent that often, they don�t even make news.
The Expanding Role of Data Analytics in Threat Detection by Barbara Filkins - October 27, 2015
- Associated Webcasts: The Expanding Role of Data Analytics in Threat Detection
- Sponsored By: Vectra Networks Inc.
- Login
- Join SANS.org
What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring by David Hoelzer - October 27, 2015
- Associated Webcasts: What Are Their Vulnerabilities? A SANS Continuous Monitoring Survey
- Sponsored By: Tenable Arbor Networks HP AlienVault
This report offers an analysis of the survey findings and recommendations for improving practices. It also offers a definition of what a mature program should look like now and in the future. The goal, ultimately, is to provide a metric by which organizations can gauge their own progress in an objective way.
Behind the Curve? A Maturity Model for Endpoint Security by G. Mark Hardy - October 22, 2015
- Associated Webcasts: Behind the Curve? Getting Started on Endpoint Security Maturity
- Login
- Join SANS.org
Detecting a Targeted Data Breach with Ease: A SANS Product Review by Jake Williams - October 21, 2015
- Associated Webcasts: Implementing Active Breach Detection
A product review by Jake Williams. It examines LightCyber Magna, focusing on its effectiveness in detecting reconnaissance, lateral movement, data exfiltration and other threats.
The State of Dynamic Data Center and Cloud Security in the Modern Enterprise by Dave Shackleford - October 13, 2015
- Associated Webcasts: Dynamic Data Center Security
- Sponsored By: Illumio
As organizations' data centers become more dynamic and the need to scale quickly in complex architectures grows, security will need to adapt accordingly. Read this survey results paper to learn the challenges hybrid data centers face, along with some of the steps you can take to update current practices to enhance security for the dynamic data centers in use today.
Automating the Hunt for Hidden Threats by Eric Cole, PhD - October 1, 2015
- Associated Webcasts: Automating the Hunt for Network Intruders
- Sponsored By: Endgame
An Analyst Program whitepaper by Dr. Eric Cole. It defines the process of automating the hunt for threats, and discusses how to deploy a continuous threat-hunting process while preparing a team to analyze threats to protect critical processes and data.
Orchestrating Security in the Cloud by Dave Shackleford - September 22, 2015
- Sponsored By: HP Intel CloudPassage Evident.io
Survey results indicate a strong need to keep security close to the data as it traverses cloud systems. Findings also indicate a need to integrate monitoring capabilities across hybrid environments and partnership with public cloud providers for full-spectrum visibility and response. Learn more by in this survey report focusing on cloud security.
Combatting Cyber Risks in the Supply Chain by Dave Shackleford - September 9, 2015
- Associated Webcasts: Combatting Cyber Risks in the Supply Chain
- Sponsored By: Raytheon | Websense
By some estimates, up to 80% of breaches may originate in the supply chain. Read this paper to get some guidance on best practices to protect your organization from vulnerabilities introduced by your vendors and suppliers.
Retail Security: Third-Party Interaction by Eric Cole, PhD - September 4, 2015
- Associated Webcasts: Retail Security: PCI DSS and Third Party Interactions
- Sponsored By: Tenable
- Login
- Join SANS.org
A Proactive Approach to Incident Response by Jake Williams - August 31, 2015
- Associated Webcasts: A Proactive Approach to Incident Response
- Sponsored By: Blue Coat Systems, Inc.
- Login
- Join SANS.org
Using Hardware-Enabled Trusted Crypto to Thwart Advanced Threats by John Pescatore - August 28, 2015
- Associated Webcasts: Thwarting Advanced Threats with Trusted Crypto
- Sponsored By: THALES e-Security
- Login
- Join SANS.org
Protecting Third Party Applications with RASP Infographic by - August 27, 2015
- Associated Webcasts: Protecting Third Party Applications with RASP
- Login
- Join SANS.org
Detect, Contain and Control Cyberthreats by Eric Cole, PhD - August 20, 2015
- Associated Webcasts: Detect, Contain, and Control Cyberthreats
- Sponsored By: Raytheon | Websense
An Analyst Program whitepaper by Dr. Eric Cole. It discusses the value of prioritizing mitigation efforts based on known risks and high- value targets, and how doing so can reinforce network defenses.
The Race to Detection: A Look at Rapidly Changing IR Practices by Alissa Torres - August 19, 2015
- Associated Webcasts: The Race to Detection: IR Trends, Tools and Processes That Close the Gap
- Sponsored By: Carbon Black
With the rapidly changing risk environment, those assigned to protect their organizations must be agile in adapting technology to meet the challenges presented to them. Read this paper to learn what leading incident response practices are doing, and what they plan for the future.
Insider-Focused Investigation Made Easier by Dave Shackleford - August 18, 2015
- Associated Webcasts: The Value of Real-Time Pattern Recognition
- Sponsored By: Raytheon | Websense
A review by SANS analyst and instructor Dave Shackleford of Raytheon|Websense SureView Insider Threat. It discusses the product's ability to assist security teams in their efforts to mitigate the threats posed by trusted insiders.
Maturing and Specializing: Incident Response Capabilities Needed by Alissa Torres - August 17, 2015
- Associated Webcasts: Part 1: Incident Response - What Is (and Isn't) Working Today Part 2: Incident Response - How Can We Be More Proactive for the Future?
- Sponsored By: Mcafee LLC Arbor Networks Hewlett Packard Rapid7 Inc. Carbon Black AlienVault
Survey results reveal an increasingly complex response landscape and the need for automation of processes and services to provide both visibility across systems and best avenues of remediation. Read this paper for coverage of these issues, along with best practices and sage advice.
Observation and Response: An Intelligent Approach by J. Michael Butler - August 7, 2015
- Associated Webcasts: Tracking and Observation-How-To and What To Watch For
- Sponsored By: Anomali
A SANS Analyst Program whitepaper by J. Michael Butler. It discusses how properly focused observation and tracking efforts provide intelligence from inside the enterprise by monitoring for indicators of compromise such as odd point-in-time activities on the network, unusual machine-to-machine communications, outbound transfers, connection requests and many other suspicious activities.
Beyond the Point of Sale: Six Steps to Stronger Retail Security by Robert L. Scheier - July 28, 2015
- Associated Webcasts: Analyst Webcast: Securing Retail Beyond the Cash Register--Insider Threats and Targeted Attacks
- Sponsored By: Palo Alto Networks
A whitepaper by Robert Scheier. It addresses the complex nature of IT in the retail environment and outlines a six-step process for enhancing security of small shopkeepers as well as big-box chains.
The State of Security in Control Systems Today by Derek Harp and Bengt Gregory-Brown - June 24, 2015
- Associated Webcasts: The State of Security in Control Systems Today: A SANS Survey Webcast
- Sponsored By: Tenable SurfWatch Labs
By reading this report, ICS professionals will gain insight into the challenges facing peers, as well the approaches being employed to reduce the risk of cyberattack.
Security Spending and Preparedness in the Financial Sector: A SANS Survey by Jaikumar Vijayan - June 23, 2015
- Associated Webcasts: SANS 2nd Financial Sector Security Survey
- Sponsored By: Arbor Networks LogRhythm VSS Monitoring, Inc. AlienVault
Financial services organizations are being breached too often. Find out how the threat landscape and the tools to secure data are changing in the 2015 SANS Financial Services Survey.
Six Steps to Stronger Security for SMBs by Eric Cole, PhD - June 23, 2015
- Associated Webcasts: Six Steps to Stronger Security for SMBs
- Sponsored By: Qualys
An Analyst Program whitepaper by Dr. Eric Cole. It describes a six-step approach that small and medium-size businesses can use as a template for enhancing their overall security posture.
Enabling Big Data by Removing Security and Compliance Barriers by Barbara Filkins - June 17, 2015
- Associated Webcasts: Big Data: Identifying Major Threats and Removing Security and Compliance Barriers
- Sponsored By: Cloudera
The rewards that big data can bring are widely recognized: scientific insight, competitive intelligence and improved fraud detection, as well as the benefits derived from sophisticated analyses of vast sets of transactional and behavioral data.
Conquering Network Security Challenges in Distributed Enterprises by John Pescatore - June 11, 2015
- Associated Webcasts: Conquering Network Security Challenges in Distributed Enterprises
- Sponsored By: Palo Alto Networks
Enterprises continue to have difficulties detecting, blocking and responding to threats.
New Critical Security Controls Guidelines for SSL/TLS Management by Barbara Filkins - June 4, 2015
- Associated Webcasts: Meeting New CSC Guidelines for SSL Certificate Management
- Sponsored By: Venafi, Inc
Security flaws like Heartbleed, POODLE, BEAST and a series of high-profile certificate thefts and misappropriations have shaken public confidence in "secure" SSL/TLS certificates. It is possible for organizations to safeguard themselves and retain most of the benefits of using the web's most common authentication system, however, as long as they're rigorous about setting and enforcing the right policies on who do trust among many questionable nodes in the global network of trust.
Improving Detection, Prevention and Response with Security Maturity Modeling by Byron Acohido - May 29, 2015
- Associated Webcasts: The Value of Adopting and Improving Security Maturity Models
- Sponsored By: HP
An Analyst Program whitepaper written by Byron Acohido. It discusses various security maturity models and how organizations can use them to improve their defense posture while reducing the time needed to respond to incidents and contain the damage.
Securing Portable Data and Applications for a Mobile Workforce by Jaikumar Vijayan - May 13, 2015
- Associated Webcasts: Securing Portable Data and Applications on Enterprise Mobile Workspaces: A SANS Survey
- Sponsored By: Ironkey by Imation
Explore the challenges of securing a mobile workforce while enabling a desktop environment for mobile workers.
2015 State of Application Security: Closing the Gap by Jim Bird, Eric Johnson, Frank Kim - May 12, 2015
- Associated Webcasts: 2015 Application Security Survey, Part 2: Builder Issues 2015 Application Security Survey, Part 1: Defender Issues
- Sponsored By: Qualys WhiteHat Security Hewlett Packard Veracode Waratek
Explore the current state of application security through the lens of both builders and defenders and find out how much progress has been made in securing applications over the last 12 months.
The Case for Visibility: SANS 2nd Annual Survey on the State of Endpoint Risk and Security by Jacob Williams - May 5, 2015
- Associated Webcasts: Assume Compromise and Protect Your Endpoints: SANS 2nd Survey on Endpoint Security
- Sponsored By: Guidance Software
Read the results of the 2015 Endpoint Security Survey to find out whether organizations assume risk, whether their perimeter defenses protect their endpoints, how much progress we are making on automation, how long it takes to remediate each compromised endpoint, and much more.
Protection from the Inside: Application Security Methodologies Compared by Jacob Williams - April 27, 2015
- Associated Webcasts: Analyst Webcast: RASP vs. WAF: Comparing Capabilities and Efficiencies
- Sponsored By: HP
A SANS Analyst Program review by Jacob Williams. This webcast will explore the relative capabilities and efficiencies of RASP and WAF technologies, and discuss a blind, vendor-anonymous review of a representative product in each category.
Building a World-Class Security Operations Center: A Roadmap by Alissa Torres - April 15, 2015
- Sponsored By: RSA
Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.
Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 by Dave Shackleford - April 1, 2015
- Associated Webcasts: Analyst Webcast: Simplifying Compliance and Forensic Requirements with HP ArcSight Logger
- Sponsored By: Hewlett Packard
A review of HP ArcSight Logger 6 by SANS analyst and instructor Dave Shackleford. It discusses the latest release of ArcSight Logger and its usefulness to security analysts who need to collect and monitor logs.
Creating an SOC by Alissa Torres - March 31, 2015
- Associated Webcasts: Creating a Roadmap for Dramatically Improving Your Strategic Security Operations
- Sponsored By: RSA
Graphically explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.
Enabling Large-Scale Mobility with Security from the Ground Up by Jaikumar Vijayan - March 30, 2015
- Associated Webcasts: Analyst Webcast: Enabling Enterprise Mobility With Security From The Ground Up
- Sponsored By: Symantec
A SANS Analyst Program whitepaper written by Jaikumar Vijayan and advised by SANS Analyst G. Mark Hardy. It discusses the state of enterprise mobility and the challenges posed to information technology groups by the massive influx of personal and corporate-owned mobile devices in the workplace in recent years.
Enabling Large-Scale Mobility with Security from the Ground Up Infographic by Jaikumar Vijayan - March 30, 2015
- Associated Webcasts: Analyst Webcast: Enabling Enterprise Mobility With Security From The Ground Up
- Sponsored By: Symantec
A SANS Analyst Program infographic based on the whitepaper, Enabling Large-Scale Mobility with Security from the Ground Up. It offers a graphical interpretation of the paper's keytakeaways and supplemental data.
Automation in the Incident Response Process: Creating an Effective Long-Term Plan by Alissa Torres - March 4, 2015
- Associated Webcasts: Automating the Incident Response Process
- Sponsored By: Carbon Black
With the right resources in place, attackers can be detected more accurately and efficiently, mitigating damage and data loss from inevitable network attacks. This paper presents a proper process and procedure for incident response that includes the use of automation tools.
Who's Using Cyberthreat Intelligence and How? by Dave Shackleford - February 16, 2015
- Associated Webcasts: Who's Using Cyberthreat Intelligence and How? Part 1: Definitions, Tools and Standards Who's Using Cyberthreat Intelligence and How? Part 2: Best Practices to Improve Incident Detection and Response
- Sponsored By: Arbor Networks Carbon Black BeyondTrust AlienVault SurfWatch Labs Anomali
In the last several years, we've seen a disturbing trend-attackers are innovating much faster than defenders are. We've seen the "commercialization" of malware, with attack kits available on underground forums for anyone who wants to perpetrate a variety of attacks.
The Critical Security Controls: What's NAC Got to Do with IT? by Deb Radcliff, Editor - February 4, 2015
- Associated Webcasts: Mapping Next-Generation NAC to the Critical Security Controls
- Sponsored By: Forescout Technologies BV
- Login
- Join SANS.org
Protecting Access to Data and Privilege with Oracle Database Vault by Pete Finnigan - January 29, 2015
- Associated Webcasts: Analyst Webcast: Securing Oracle Databases Made Easy
- Sponsored By: Oracle
A review of Oracle Database Vault 12c by security expert Pete Finnigan. Oracle Database Vault takes advantage of built-in features of the Oracle ecosystem, and provides a holistic approach to data security management.
New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations by Barbara Filkins - December 9, 2014
- Associated Webcasts: SANS 2nd Survey on the State of Information Security in Health Care Institutions: Part 2 SANS 2nd Survey on the State of Information Security in Health Care Institutions: Part 1
- Sponsored By: Qualys Tenable Cigital, Inc. FireEye CloudPassage Trend Micro Inc. RiskIQ
See the results of the 2014 SANS Health Care Cybersecurity survey.
Securing Personal and Mobile Device Use with Next-Gen Network Access Controls by Deb Radcliff, executive editor - November 24, 2014
- Associated Webcasts: Securing Personal and Mobile Device Use with Next-Gen Network Access Controls
- Sponsored By: Forescout Technologies BV
An updated SANS Analyst Program whitepaper. It covers the essentials of applying NAC to secure guest networking, as well as leveraging NAC for BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device) situations and ensuring endpoint compliance with network policy.
Point of Sale Systems and Security: Executive Summary by Wes Whitteker - November 20, 2014
- Sponsored By: Carbon Black
The last year has seen scores of point of sale (POS) systems compromised by bad actors. In many cases, these environments were PCI-DSS compliant at the time of compromise. Executives seeking to protect their organizations and POS systems from compromise need to look beyond PCI-DSS and adopt a proactive "offense must inform defense" approach to POS security.
Securing DNS to Thwart Advanced Targeted Attacks and Reduce Data Breaches by John Pescatore - November 12, 2014
- Associated Webcasts: Protecting DNS: Securing Your Internet Address Book
Internet traffic is severely affected when critical DNS services are not reliable or are compromised by cyber attacks. However, DNS services can be secured with the right configuration and deployment of appropriate solutions.
Be Ready for a Breach with Intelligent Response by James Tarala - November 5, 2014
- Associated Webcasts: Be Ready for a Breach with Intelligent Response
- Sponsored By: Mcafee LLC
By preparing a careful plan and resilient response infrastructure before an attack, organizations can limit both data loss and the reactive, post-incident expenses. The result: greatly reduced impact and costs associated with events.
Data Center Server Security Survey 2014 by Jacob Williams - October 29, 2014
- Associated Webcasts: Data Center Server Security: A SANS Survey
- Sponsored By: IBM Security Mcafee LLC
Learn how organizations are tackling the difficult problem of data center security, explore their best practices and consider improvements needed for data centers to meet compliance demands while reducing overall risk and management complexity.
Detect, Investigate, Scrutinize and Contain with Rapid7 UserInsight by Jerry Shenk - October 23, 2014
- Associated Webcasts: Detecting Risky Activity "Wherever" Before It Becomes A Problem
- Sponsored By: Rapid7 Inc.
A review of Rapid7 UserInsight by SANS senior analyst Jerry Shenk. It discusses a tool that highlights user credential misuse while tracking endpoint system details that would be valuable to an incident response team.
Breaches Happen: Be Prepared by Stephen Northcutt - October 14, 2014
- Associated Webcasts: Breaches Happen: Be Prepared
- Sponsored By: Symantec
A whitepaper by SANS Analyst and Senior Instructor Stephen Northcutt. It describes how improved malware reporting and gateway monitoring, combined with security intelligence from both internal and external resources, helps organizations meet the requirements of frameworks such as the Critical Security Controls.
Hardening Retail Security by John Pescatore - October 10, 2014
- Associated Webcasts: Hardening Retail Security: Why and How to Prevent Breaches and Attacks
- Sponsored By: LogRhythm
Read this article and learn what IT security staff in the retail industry say about their security budgets, behavioral baselining, and endpoint forensics practices.
Analytics and Intelligence Survey 2014 by Dave Shackleford - October 8, 2014
- Associated Webcasts: 2nd Annual Analytics and Intelligence Survey 2nd Annual Analytics and Intelligence Survey - Pt 2. Future State: Improving Intelligence and Threat Protection
- Sponsored By: Mcafee LLC HP LogRhythm Rapid7 Inc. AlienVault Anomali
This paper explores the use of analytics and intelligence today and exposes the impediments to successful implementation.
Ninth Log Management Survey Report by Jerry Shenk - October 3, 2014
- Associated Webcasts: Log and Event Management Survey
- Sponsored By: VMWare, Inc
Using the results of the 2014 Log Management Survey, this paper identifies strengths and weaknesses in log management systems and practices, and provides advice for improving visibility across systems with proper log collection, normalization and analysis.
Critical Security Controls: From Adoption to Implementation by James Tarala - September 18, 2014
- Associated Webcasts: The Critical Security Controls: From Adoption to Implementation A SANS Survey
- Sponsored By: Qualys Tripwire, Inc. Mcafee LLC EiQnetworks
This SANS survey report explores how widely the CSCs are being adopted, as well as what challenges adopters are facing in terms of implementation of the controls and what they are looking for to improve their implementation practices.
Data Encryption and Redaction: A Review of Oracle Advanced Security by Dave Shackleford - September 15, 2014
- Associated Webcasts: Simplifying Data Encryption and Redaction Without Touching the Code
- Sponsored By: Oracle
A review of Oracle Advanced Security for Oracle Database 12c by SANS Analyst and Senior Instructor Dave Shackleford. It explores a number of the product's capabilities, including transparent data encryption (TDE) and effortless redaction of sensitive data, that seamlessly protect data without any developer effort from unauthorized access.
Insider Threats in Law Enforcement by Dr. Eric Cole - September 4, 2014
- Associated Webcasts: Solving Insider Threats in Law Enforcement
- Sponsored By: Raytheon | Websense
Based on the valuable information they have at their disposal, law enforcement agencies are among those that are prime targets for advanced attacks. While network protection can be extensive and sophisticated, the exploitation of insiders poses a serious threat for illegal access to these agencies.
Under Threat or Compromise - Every Detail Counts by Jake Williams - August 20, 2014
- Associated Webcasts: Under Threat or Compromise: Every Detail Counts
- Sponsored By: Blue Coat Systems, Inc.
This paper outlines five major components of a life-cycle approach to defense and how companies can adopt this model to maximize security in the current threat landscape.
Incident Response: How to Fight Back by Alissa Torres - August 13, 2014
- Associated Webcasts: Incident Response Part 1: Incident Response Techniques and Processes: Where We Are in the Six-Step Process Incident Response Part 2: Growing and Maturing An IR Capability
- Sponsored By: Mcafee LLC AccessData Corp. Arbor Networks HP Carbon Black AlienVault
A spate of high-profile security breaches and attacks means that security practitioners find themselves thinking a lot about incident response. A new SANS incident response survey explores how practitioners are dealing with these numerous incidents and provides insight into incident response plans, attack histories, where organizations should focus their response efforts, and how to put all of the pieces together.
Continuous Diagnostics and Mitigation : Making it Work by John Pescatore - August 6, 2014
- Associated Webcasts: Continuous Diagnostics and Mitigation for Government Agencies: Is It Working? A SANS Survey
- Sponsored By: Forescout Technologies BV IBM Security Symantec Firemon
Security professionals in federal, state and local agencies face many unique challenges in protecting critical systems and information. The CDM program has tremendous potential for both increasing the security levels at those agencies and reducing the cost of demonstrating compliance. However, to be successful, the program must address the following: lack of awareness, low inspector general awareness and lack of information on how to use the program. For use of the program to result in better security, additional staffing and skills are needed, as are success stories to guide organizations attempting to implement CDM.
Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention by Tony Sager - July 29, 2014
- Associated Webcasts: Need to defeat APTs? Tony Sager Explains Where We're At With Live Threat Detection Automation
- Sponsored By: Palo Alto Networks
All attacks follow certain stages. By observing those stages during an attack progression and then creating immediate protections to block those attack methods, organizations can achieve a level of closed-loop intelligence that can block and protect across this attack kill chain. This paper explains the many steps in the kill chain, along with how to detect unknown attacks by integrating intelligence into sensors and management consoles.
Advanced Network Protection with McAfee Next Generation Firewall by Dave Shackleford - June 19, 2014
- Associated Webcasts: Analyst Webcast: Advanced Network Protection with McAfee Next Generation Firewall
- Sponsored By: Mcafee LLC
A review of McAfee Next Generation Firewall by SANS Analyst and Senior Instructor Dave Shackleford. It explores a number of the product's capabilities, including clustering and redundancy, numerous varieties of VPN access, policy options and features such as end-user identification and advanced anti-evasion tools
Higher Education: Open and Secure? by Randy Marchany - June 16, 2014
- Associated Webcasts: Higher Education: Open and Secure? A SANS Survey
- Sponsored By: Tenable Trend Micro Inc. AlienVault
- Login
- Join SANS.org
Practical Threat Management and Incident Response for the Small- to Medium-Sized Enterprises by Jacob Williams - June 12, 2014
- Associated Webcasts: Practical Threat Management and Incident Response for the Small- to Medium-Sized Enterprise
- Sponsored By: AlienVault
If you work in a small- to medium-sized enterprise (SME),1 you know how challenging securing your technology assets can be.
Cybersecurity Professional Trends: A SANS Survey Advisors: John Pescatore, Barb Filkins, Tracy Lenzner and SANS GIAC - May 8, 2014
- Associated Webcasts: SANS 2014 Salary Survey: The State of Security Professionals Today
- Sponsored By: Arbor Networks
Survey results on evolving roles of security professionals worldwide, including new roles, titles, managerial functions, and existing and planned certifications broken out by industry and geography.
Combining Security Intelligence and the Critical Security Controls: A Review of LogRhythm's SIEM Platform by Dave Shackleford - April 23, 2014
- Associated Webcasts: SIEM, Security Intelligence and the Critical Security Controls
- Sponsored By: LogRhythm
Review of LogRhythm�s security information and event management (SIEM) platform with new security intelligence features built in for compliance.
2014 Trends That Will Reshape Organizational Security by John Pescatore - April 22, 2014
- Associated Webcasts: The 2014 Security Trends Forecast: What Does 2014 Hold for Security and Its Impact on Business Professionals?
- Sponsored By: Cisco Systems Inc.
Information for security managers to facilitate focusing their investments on the areas that are mostly likely to impact their organizations and customers over the next several years.
Improving Security Management with Real-Time Queries by Dave Shackleford - April 2, 2014
- Associated Webcasts: The Value of On-Demand Endpoint Visibility
- Sponsored By: Mcafee LLC
Product review McAfee Real Time Command with a focus on features and ease of use. Examination of its security-related features found the product to be surprisingly intuitive.
Breaches on the Rise in Control Systems: A SANS Survey by Matthew Luallen - April 1, 2014
- Associated Webcasts: SANS Survey on Control Systems Security
- Sponsored By: Qualys Cisco Systems Inc. Tenable Raytheon | Websense
Survey shows SCADA breaches on rise from 2013, and more targeted.
Risk, Loss and Security Spending in the Financial Sector: A SANS Survey by Mark Hardy - March 26, 2014
- Associated Webcasts: Risks, Threats and Preparedness: Part I of the SANS Financial Services Survey
- Sponsored By: Forescout Technologies BV Cisco Systems Inc. Tenable Blue Coat Systems, Inc. Raytheon | Websense FireEye
Survey identified key areas in which financial service employees and endpoints were most at risk, with direct losses resulting from internal abuse, spearphishing and botnet infections.
DDoS Attacks Advancing and Enduring: A SANS Survey by John Pescatore - March 20, 2014
- Associated Webcasts: SANS Survey on Distributed Denial of Service
- Sponsored By: Corero
Survey on the state of DDoS readiness reveals more frequent and sophisticated DDoS attacks as well as lack of preparedness in many enterprises.
Finding Advanced Threats Before They Strike: A Review of Damballa Failsafe Advanced Threat Protection and Containment by Jerry Shenk - March 18, 2014
- Associated Webcasts: Finding Advanced Threats Before They Strike: Advanced Threat Protection and Containment
- Sponsored By: Damballa, Inc.
Review of Damballa Failsafe's ability to collect and analyze evidence and presents precise information about infected devices.
The Case for Endpoint Visibility by Jacob Williams - March 13, 2014
- Associated Webcasts: Visibility at the Endpoint: The SANS 2014 Survey of Endpoint Intelligence
- Sponsored By: Guidance Software
Information to help security professionals track trends in endpoint protection and identify how their organization�s capabilities compare with the survey base.
Champagne SIEM on a Beer Budget by Jerry Shenk - March 12, 2014
- Associated Webcasts: Making Log and Event Management Easy for SMBs
- Sponsored By: SolarWinds
Review of SolarWinds' Log & Event Manager (LEM) ability to provide small-to-medium-size businesses the forensic intelligence, compliance and security information necessary to manage operations.
Server Security: A Reality Check by Jake Williams - March 11, 2014
- Associated Webcasts: Server Security: A Reality Check
- Sponsored By: Carbon Black
Why servers are still vulnerable despite layers of security in place today.
Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon by Barbara Filkins - March 6, 2014
- Associated Webcasts: Exposing Malicious Threats to Health Care IT
- Sponsored By: Norse
The use of threat intelligence to improve the security of information systems in the health care industry.
Calculating Total Cost of Ownership on Intrusion Prevention Technology by J. Michael Butler, Dave Shackleford - February 17, 2014
- Sponsored By: Cisco Systems Inc.
Calculate the value of specific automation features in NGIPSes with which organizations can achieve savings in total cost of ownership TCO
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials by Dave Shackleford - February 14, 2014
- Associated Webcasts: Security Without Scanning for Today's Hybrid Datacenter
- Sponsored By: Mcafee LLC
A review of McAfee�s Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
Survey on Application Security Programs and Practices by Jim Bird, Frank Kim - February 12, 2014
- Associated Webcasts: Application Security Programs On the Rise, Skills Lacking: A SANS Survey
- Sponsored By: Qualys Hewlett Packard Veracode
Survey shows application security programs on the rise but skill are lacking.
Securing the �Internet of Things� Survey by John Pescatore - January 15, 2014
- Associated Webcasts: SANS Analyst Webcast: SANS Survey on Securing The Internet of Things
- Sponsored By: Codenomicon Norse
Survey reveals the risks introduced by an increasing array of "smart" things with wireless or Internet connections.
Database Activity Monitoring and Audit: A Review of Oracle Audit Vault and Database Firewall by Tanya Baccam - January 14, 2014
- Sponsored By: Oracle
Review of Oracle Audit Vault and Database Firewall (AVDF). A platform for organizations looking to increase security with enterprise wide database activity monitoring, auditing and reporting.
Industrial Control System (ICS) Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites by Scott D. Swartz and Michael J. Assante - January 1, 2014
- Sponsored By: Alert Enterprise
Physical break-ins and other unauthorized entries into unmanned critical infrastructure locations have historically been viewed only as traditional property crimes.
Fear and Loathing in BYOD by Joshua Wright - December 10, 2013
- Associated Webcasts: SANS Survey Results on BYOD Security Policies and Practices
- Sponsored By: Trusted Computing Group
Survey on mobile device security trends and techniques organizations are adopting to mitigate threats associated with mobile devices and BYOD.
Layered Security: Why It Works by Jerry Shenk - December 9, 2013
- Associated Webcasts: Layered Security: Why It Works
- Sponsored By: Symantec
How a layered approach to security provides better protection of your organization�s IT assets.
Managing Threats and Compliance While Automating the CSCs: EiQ SecureVue Review by Jerry Shenk - November 11, 2013
- Associated Webcasts: Managing Threats and Compliance While Automating the CSCs: EiQ SecureVue Review
- Sponsored By: EiQnetworks
Product review of EiQ SecureVue - a solution to provide advanced log management and security information and event management (SIEM) capabilities for the SMB-sized organizations.
Finding Hidden Threats by Decrypting SSL by Michael Butler - November 8, 2013
- Associated Webcasts: Finding Hidden Threats by Decrypting SSL/TLS
- Sponsored By: Blue Coat Systems, Inc.
Paper describes the role of SSL, the role SSL decryption/inspection tools play in security, options for deploying inspection tools, and how the information generated by such inspection can be shared with other security monitoring systems.
Inaugural Health Care Survey by Barbara Filkins - October 30, 2013
- Associated Webcasts: The SANS Survey of IT Security in Health Care
- Sponsored By: Tenable Oracle Trend Micro Inc. Redspin
This survey reveals aspects of security in the health care arena from the perspective of IT security staff�managers, analysts, and executives.
Not Your Father's IPS:SANS Survey on Network Security Results by Rob VandenBrink - October 29, 2013
- Associated Webcasts: Analyst Webcast: Not your Father's IPS: SANS Survey on Network Security Results
- Sponsored By: Hewlett Packard
Survey of security professionals on network security practices today, use of IPS, technical and management capacities, and how IPS will be integrated into overall security strategy for the future.
Securing Web Applications Made Simple and Scalable by Gregory Leonard - October 10, 2013
- Associated Webcasts: Securing Web Applications Made Simple and Scalable
- Sponsored By: Hewlett Packard
Evaluation of HP Fortify WebInspect 10.10, an application security testing (DAST) tool.
Correlating Event Data for Vulnerability Detection and Remediation by Jacob Williams - October 8, 2013
- Associated Webcasts: Correlating Real-Time Event Data with SIEM for Forensics and Incident Handling
- Sponsored By: Mcafee LLC
Examination of how 2012 Saudi Aramco �spearphishing� attacks could have been thwarted with the help of a SIEM platform that combines the power of historical data with real-time data from network data sources and security policies.
Application Security: Tools for Getting Management Support and Funding by John Pescatore - October 4, 2013
- Associated Webcasts: John Pescatore Analyst Webcast - Actionable Tools for Convincing Management to Fund Application Security
- Sponsored By: WhiteHat Security
This paper provide tools and techniques that demonstrate the need for better application security and the appropriate level of investment.
SANS Security Analytics Survey by Dave Shackleford - October 1, 2013
- Associated Webcasts: SANS Analytics and Intelligence Survey Results Part I: The Risk Landscape
- Sponsored By: Guidance Software LogRhythm Hewlett Packard SolarWinds Hexis Cyber Solutions
Survey on next generation of security tools shows that market is in need of analytics and intelligence wrapped around the data that is being/can be collected in organizations.
Real-World Testing of Next-Generation Firewalls by Dr. Eric Cole - September 13, 2013
- Associated Webcasts: Testing Next Gen Firewalls
- Sponsored By: Fortinet, Inc. Ixia
Advice on what to expect from a next-generation firewall, features and business needs to consider, and a test methodology for IT and business professionals to use to enhance their investments in security through enhanced firewall capabilities.
Scaling Analytics to Meet Real-Time Threats in Large Enterprises: A Deep Dive into LogRhythm's Security Analytics Platform by Dave Shackleford - September 10, 2013
- Associated Webcasts: Under Pressure: Scaling Analytics to Meet Real-Time Threats
- Sponsored By: LogRhythm
Evaluation of LogRhythm�s real-time analytics capabilities.
How DDoS Detection and Mitigation Can Fight Advanced Targeted Attacks by John Pescatore - September 5, 2013
- Associated Webcasts: How to Fight the Real DDoS Threat
- Sponsored By: Arbor Networks
Exploration of how DDoS is used as part of advanced targeted attacks (ATAs) and description of how DDoS detection and prevention tools and techniques can also be used against ATAs.
Simplifying Cloud Access Without Sacrificing Corporate Control: A Review of McAfees Integrated Web and Identity Solutions by Dave Shackleford - August 21, 2013
- Associated Webcasts: Managing Identities in the Cloud Without Sacrificing Corporate Control: A Review of McAfee
- Sponsored By: Mcafee LLC
Review of McAfee Web Gateway version 7.3, McAfee Cloud Single Sign On (CSSO) version 4.0 and McAfee One Time Password version 4.0, with Pledge Software Token (Pledge) version 2.0.
The SANS Survey of Digital Forensics and Incident Response by Paul Henry, Jacob Williams, and Benjamin Wright - July 18, 2013
- Associated Webcasts: Digital Forensics in Modern Times: A SANS Survey
- Sponsored By: Guidance Software FireEye Carbon Black Cellebrite
2013 Digital Forensics Survey to identify the nontraditional areas where digital forensics techniques are used.
The SANS 2013 Help Desk Security and Privacy Survey by Barbara Filkins - July 16, 2013
- Sponsored By: RSA
Survey/report will serve as a starting point to promote awareness and help bridge the educational gap between what a help desk is and what a secure help desk should be.
Network and Endpoint Security "Get Hitched" for Better Visibility and Response by Jerry Shenk - July 10, 2013
- Associated Webcasts: Network and Endpoint Security "Get Hitched" for Better Visibility and Response
- Sponsored By: Carbon Black
How endpoint visibility, coordinated with network intelligence, can help identify threats not discovered by other means, determine the level of threat, recognize previously unknown threats and follow up with more accurate information for regulators and investigators.
SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action by John Pescatore - June 25, 2013
- Sponsored By: Tenable Symantec EiQnetworks FireEye IBM
Survey to determine how well the CSCs are known in government and private industry, how they are being used and what can we learn from CSC implementations to date.
Implementing Hardware Roots of Trust: The Trusted Platform Module Comes of Age by Gal Shpantzer - June 18, 2013
- Associated Webcasts: Implementing Hardware Roots of Trust
- Sponsored By: Trusted Computing Group
Discussion of trends that are driving adoption of TPM, with advice on how to take advantage of this increasingly commonplace technology without disrupting your security infrastructure.
Reducing Risk Through Prevention: Implementing Critical Security Controls 1-4 by James Tarala - June 12, 2013
- Associated Webcasts: Leveraging the First Four Critical Security Controls for Holistic Improvements
- Sponsored By: Tripwire, Inc.
Examination of actual threats facing organizations today, methods dedicated attackers use to compromise systems using the �intrusion kill chain� as a model and specific defenses organizations can use to mitigate threat.
Need for Speed: Streamlining Response and Reaction to Attacks by Michael Butler - June 7, 2013
- Sponsored By: Mcafee LLC
Exploration of how to correlate information from disparately managed systems and bring visibility to their behavior with accurate, actionable reporting in as near-real time as possible.
2013 SANS Mobile Application Security Survey by Kevin Johnson, James Jardine - June 6, 2013
- Sponsored By: SAP Global Marketing Veracode Box
Survey to assess organizational awareness and the procedures around mobile application risk.
Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 by Dave Shackleford - May 22, 2013
- Associated Webcasts: Advanced Intelligence in Action: Review of McAfee Enterprise Security Manager 9.2
Review of McAfee�s Enterprise Security Manager (ESM) 9.2 with focus on fundamental SIEM features and capabilities to meet business demand for security and threat intelligence.
Your Pad or Mine? Enabling Secure Personal and Mobile Device Use On Your Network by Mark Kadrich - May 7, 2013
- Sponsored By: Forescout Technologies BV
This paper discusses policies and approaches for using NAC to support guest networking and BYOD to complement and enable other mobile security controls such as Mobile Device Management (MDM).
The Critical Security Controls: What's NAC Got to Do with IT? by Mark Hardy - May 3, 2013
- Associated Webcasts: NAC Applied to the Critical Security Controls
- Sponsored By: Forescout Technologies BV
This paper reveals what NAC can do today, how it stacks up to many of the CSCs and what strategies are needed for successfully leveraging NAC to reduce risk, improve compliance and meet the key automation and integration requisites cited in the controls.
Next-Generation Datacenters = Next-Generation Security by Dave Shackleford - May 1, 2013
- Associated Webcasts: Datacenter Virtualization from a Security Perspective
- Sponsored By: Mcafee LLC
Whitepaper breaks down the foundations of a virtual infrastructure, examines pros and cons of security tools and controls available for risk layers, present the pros and cons of different approaches, and looks at new technology to implement protection models in virtual and cloud-based data centers.
Results of the SANS SCADA Security Survey by Matthew Luallen - February 20, 2013
- Associated Webcasts: Results of the SANS SCADA Security Survey
- Sponsored By: Splunk ABB Industrial Defender
In-depth survey of SCADA system operators to determine their risk awareness and security practices.
Security Intelligence in Action: A Review of LogRhythm's SIEM 2.0 Big Data Security Analytics Platform by Dave Shackleford - December 12, 2012
- Sponsored By: LogRhythm
Review of LogRhythm's SIEM 2.0 Big Data Security Analytics Platform -- the fundamental capabilities and the innovative new features.
SANS Survey on Application Security Programs and Practices by Jim Bird, Frank Kim - December 6, 2012
- Sponsored By: Qualys WhiteHat Security NT Objectives, Inc Veracode
Application security survey to understanding what works in appsec and why.
What Is Your Mobile Content Policy? A Checklist for Content Risk Mitigation by Barbara Filkins - November 3, 2012
- Sponsored By: SAP Global Marketing
Content management policies must adapt to the mobile user and the cloud, provide protection to information being accessed and processed, look at the context in which it is used and validate compliance.
SANS Institute Product Review: Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2 by Dave Shackleford - October 22, 2012
- Sponsored By: Oracle
Review of Oracle Identity Manager (OIM) 11g R2, an enterprise IAM product that offers end users a personalized experience through a friendly interface, while managing workflow approvals and executing changes at both the user and administrator levels.
SANS Survey on Mobility/BYOD Security Policies and Practices by Kevin Johnson, Tony DeLaGrange - October 15, 2012
- Sponsored By: Mcafee LLC F5 Networks, Inc. Oracle RSA MobileIron Box
Survey to determine the level of policy and controls around emerging threats against mobile devices.
Beyond Continuous Monitoring: Threat Modeling for Real-time Response by Mark Hardy - October 13, 2012
- Sponsored By: SecurityCoverage
Threat modeling, through timely and accurate inputs, can be used by enterprises to mitigate and defeat attack scenarios before they fully unfold.
Own Your Network with Continuous Monitoring by Jerry Shenk - September 10, 2012
- Sponsored By: Tripwire, Inc.
A look at what continuous monitoring is and how organizations can devise a solution that works for them.
Securing Data Center Servers: A Review of McAfee Data Center Security Suite Products by Jim Hietala - August 18, 2012
- Sponsored By: Mcafee LLC
This paper explores threats to data center servers, along with key security controls required to electively protect them, and reviews how the McAfee portfolio of server products aligns with these controls.
Secure Configuration Management Demystified by Dave Shackleford - August 2, 2012
- Sponsored By: Tripwire, Inc.
Paper shows how to use secure configuration concepts to reduce the overall attack surface, bring better coordination among groups within IT and elsewhere, and ultimately reduce the risk to your business by continuously improving the IT environment.
When Breaches Happen: Top Five Questions to Prepare For by Dave Shackleford - June 17, 2012
- Sponsored By: Solera Networks
This paper explores how to create processes to sort through data in the event of a breach that enable IT security and operations teams to respond immediately with actionable information.
Streamline Risk Management by Automating the SANS 20 Critical Security Controls by James Tarala - June 12, 2012
- Sponsored By: FireEye
Practical considerations for automating the 20 Critical Security Controls to create a more defensible network against these increasingly automated, persistent attacks.
SANS Eighth Annual 2012 Log and Event Management Survey Results: Sorting Through the Noise by Jerry Shenk - May 9, 2012
- Sponsored By: HPE Tripwire, Inc. LogLogic, Inc. LogRhythm TrustWave Corporation Splunk
SANS� Eighth Annual Log and Event Management Survey highlights inability of many organizations to separate normal log data from actionable events
Reducing Federal Systems Risk with the SANS 20 Critical Controls by G. Mark Hardy - April 22, 2012
- Sponsored By: Tripwire, Inc. Patriot Technologies
The 20CSCs: are they a better approach than the ten-year-old FISMA? And how will adoption ultimately enhance security and operations overall?
SANS Institute Product Review: Demystifying External Authorization: Oracle Entitlements Server Product Review by Tanya Baccam - April 20, 2012
- Sponsored By: Oracle
Product review of Oracle Entitlements Server (OES) -- a solution that provides flexibility in access control allowing for dynamic changes, understands multiple systems and applies complex rules in a flexible manner.
SANS Mobility/BYOD Security Survey by Kevin Johnson - March 5, 2012
- Sponsored By: Bradford Networks HP Enterprise Security MobileIron
Survey determines the type of mobile device usage allowed for enterprise applications and the level of policies and controls applied to this type of usage.
Oracle Audit Vault by Tanya Baccam - March 4, 2012
- Sponsored By: Oracle
Review of Oracle Audit Vault, which provides database log centralization, management, alerting and reporting across multiple databases.
Privileged Password Sharing: "root" of All Evil by J. Michael Butler - February 12, 2012
- Sponsored By: Quest Software
This paper addresses the issue of managing privileged accounts and offers advice on how to move toward better centralization of privileged account management.
NetIQ Sentinel 7 Review by Jerry Shenk - January 28, 2012
- Sponsored By: NetIQ
A functional review of the latest NetIQ offering in the SEIM space that effectively addresses issues organizations are having with log collection and management.
Needle in a Haystack? Getting to Attribution in Control Systems by Matthew E. Luallen - January 17, 2012
- Sponsored By: Tripwire, Inc. LogRhythm Splunk
In control system protection, mechanisms for achieving attack attribution must be implemented across physical, cyber and operational controls using additional tools.
Oracle Data Masking by Tanya Baccam - January 4, 2012
- Sponsored By: Oracle
This review of Oracle Data Masking, investigates the process of implementing and using data masking to mask specific confidential data types within Oracle Database 11g.
Oracle Advanced Security by Tanya Baccam - December 9, 2011
- Sponsored By: Oracle
Review of Oracle Advanced Security encryption covers important product capabilities including network encryption for data in flight and Transparent Data Encryption (TDE) for data at rest.
Critical Control System Vulnerabilities Demonstrated - And What to Do About Them by Matthew E. Luallen - November 29, 2011
- Sponsored By: NitroSecurity
A study of four common infrastructures (agriculture and food, transportation, water and wastewater, and physical facilities) demonstrates what vulnerabilities could be found in specific control systems and how they might be exploited and protected.
APT Dot Gov: Protecting Federal Systems from Advanced Threats by G. Mark Hardy - October 31, 2011
- Sponsored By: F5 Networks, Inc.
This paper describes advanced threats against federal and other governmental systems and provides advice on how to identify and protect the data at risk.
Adding Enterprise Access Management to Identity Management by J. Michael Butler - October 4, 2011
- Sponsored By: FoxT
This paper discusses the difference between IDM and EAM and explains how these two enterprise functions can work together for better control of access to operating systems, applications and related data.
Integrating Security into Development, No Pain Required by Dave Shackleford - September 20, 2011
- Sponsored By: IBM Security
This paper looks at software development from both the security and development perspectives, and then evaluates what tools and techniques can help integrate security into development cycles without slowing down the process or creating too much overhead.
Cloudy with a Chance of Better Health Care: Security and Compliance Fundamentals for Protecting e-Health Data by Barbara Filkins - September 6, 2011
- Sponsored By: ArcSight, an HP Company Ping Identity, Inc.
This paper explores challenges and considerations for the use of cloud computing in health care, paying particular attention to security and compliance issues related to cloud computing.
SANS Institute Review: Oracle Database Vault by Tanya Baccam - August 27, 2011
- Sponsored By: Oracle
Review of Oracle Database Vault with Oracle Database Enterprise Edition 11g Release 2demonstrates strong performance, while making it easy to add, change and modify rules and groups. as well as gain visibility into user activity through a variety of audit and compliance reports available through the Oracle Database Vault application.
Optimized Network Monitoring for Real-World Threats by Dave Shackleford - July 1, 2011
- Sponsored By: VSS Monitoring, Inc.
This paper explores current threats today�s networks face that impact monitoring capabilities, the types of gaps that exist in many current monitoring architectures, and ways that network and security monitoring can be improved through advances in trafﬁc capture and delivery technologies such as intelligent distributed taps.
Security of Applications: It Takes a Village by Dave Shackleford - June 20, 2011
- Sponsored By: Adobe Systems Inc.
This paper discusses the role of vendors and consumers in protecting against client-side application attacks.
Continuous Monitoring: What It Is, Why It Is Needed, and How to Use It by E. Eugene Schultz, Ph.D. - June 17, 2011
- Sponsored By: Tripwire, Inc.
A review of continuous monitoring as defined by the NIST 800-137 guidelines.
Network Security: Theory Versus Practice by James Tarala - May 6, 2011
- Sponsored By: BreakingPoint
Survey makes it clear that network security personnel are not consistent about validating the resiliency � performance, security, and stability � of the devices and systems that go into their network and data center infrastructures.
SANS Seventh Annual Log Management Survey Report by Jerry Shenk - April 30, 2011
- Sponsored By: LogLogic, Inc. ArcSight, an HP Company LogRhythm Splunk Trustwave
This annual survey has consistently identified areas in which organizations are focusing their log management initiatives and continues to provide a roadmap to the industry for future improvement.
Extending Role Based Access Control by J. Michael Butler - April 29, 2011
- Sponsored By: FoxT
This paper discusses advantages and disadvantages of RBAC, along with options to consider when planning to extend RBAC to allow for centralization and standardization in a heterogeneous environment of multiple, diverse operating systems.
Implementing the 20 Critical Controls with Security Information and Event Management (SIEM) Systems by James Tarala - April 5, 2011
- Sponsored By: ArcSight, an HP Company
This paper examines the top 20 controls, with advice on how to get started and an explanation of how SIEM systems can provide a central role in implementing the 20 critical controls effectively.
Managing Insiders in Utility Control Environments by Matthew E. Luallen - March 17, 2011
- Sponsored By: ArcSight, an HP Company Waterfall Security Industrial Defender
This paper discusses techniques attackers use to exploit missing insider controls and offers a cohesive set of cyber, operational and physical controls to manage a range of user access types for better security and compliance in utility control environments.
A Real-Time Approach to Continuous Monitoring by James Tarala - February 12, 2011
- Sponsored By: Splunk NetWitness
The paper identifies the components of a comprehensive CM program and how organizations can use this approach to decrease risk and improve efficiency.
Compliance and Security Challenges with Remote Administration by Dave Shackleford - January 3, 2011
- Sponsored By: Netop
This paper focuses on remote administration of systems with regulated data falling under the Payment Card Industry Data Security Standard (PCI DSS).
Building a Better Bunker: Securing Energy Control Systems Against Terrorists and Cyberwarriors by Jonathan Pollet - December 9, 2010
- Sponsored By: Mcafee LLC NitroSecurity
This paper, the second in the series, explains the advanced persistent threats being aimed at SCADA and utility control systems, followed by advanced measures to take against these threats.
Enabling Social Networking Applications for Enterprise Usage by Eric Cole, PhD - December 1, 2010
- Sponsored By: Palo Alto Networks
Businesses must define a secure social networking policy and educate employees about the risks associated with using social networking sites.
PCI 2.0: What's New? What Matters? What's Left? by Dave Hoelzer - November 12, 2010
- Sponsored By: Dell SecureWorks
This paper discusses what�s new and what still needs more attention in the PCI DSS 2.0 standard, including gaps in storage encryption, wireless networking, and physical security that carry over from version 1.2.
How to Choose a Qualified Security Assessor by Dave Shackleford - November 9, 2010
- Sponsored By: Dell SecureWorks
An overview of new guidance for Qualified Security Assessors as a result of the new Payment Card Industry Data Security Standard (PCI DSS v2.0).
Cloud Security and Compliance: A Primer by Dave Shackleford - August 6, 2010
- Sponsored By: Mcafee LLC Catbird
A quick guide to cloud computing that address areas of mobility and multi-tenancy, identity and access management, data protection and incident response and assessment.
McAfee Total Protection for Server Review by Dave Shackleford - June 17, 2010
- Sponsored By: Mcafee LLC
This paper is a review of the type of security and compliance coverage McAfee Total Protection for Server provides for server endpoints.
SANS Log Management Survey: Mid-Sized Businesses Respond by Jerry Shenk - June 5, 2010
- Sponsored By: RSA
Annual log management survey on how organizations collect and use their logs; what they aren�t currently using their log for but would like to; what they see as the biggest problems; and the impact Log Management issues have on small- and mid-sized businesses.
A Guide to Virtualization Hardening Guides by Dave Shackleford - May 20, 2010
- Sponsored By: VMWare, Inc
A guide to the virtualization hardening guides that includes key configuration and system security settings for VMware ESX and vSphere/Virtual Infrastructure with key control areas organizations need to consider.
Keys to the Kingdom: Monitoring Privileged User Actions for Security and Compliance by Dave Shackleford - May 2, 2010
- Sponsored By: LogRhythm
This paper explores some of the types of insider threat organizations face today and discusses monitoring and managing privileged user actions and the role this level of monitoring plays in today's compliance reporting efforts.
Oracle Database Security: What to Look for and Where to Secure by Tanya Baccam - April 10, 2010
- Sponsored By: Oracle
This paper discusses four risk management basics that must be addressed to protect databases and their sensitive data.

Reading Room

Subscribe to SANS Newsletters

Analyst Papers