Wednesday, July 10, 2013

SANS Webinar: Why Defense, Why Now

The webinar "Why Defense, Why Now" was given on May 30, 2013.  I watched it on July 10, 2013.  These notes are my evidence that I watched it in case of audit as I submit this for CPE credit.

Notes

"A" in APT is not for advanced threat, but rather an advanced adversary.

APTs almost always come in via email using one of these four vectors:
  1. attached executable 
  2. macros (office)
  3. active scripting
  4. html embedded content

So, do we really need these to come in via email?  Almost never, so disable these to significantly reduce risk from APTs.

Malware usually does these things:
  1. Upload code
  2. Start a process
  3. Establish connection
  4. Modify startup or system files
So, we should focus our energy on detecting things that modify system files and make outbound connections.  This is where he pitches Tripwire.

Can use an outbound proxy.  It will break most command and control connections.

Organizations aren't detecting attacks.  Need to shift mentality to one that assumes we are going to get compromised, so figure out how to detect and neutralize compromises. 

Much like the APT webinar, he suggests looking at your network diagram and identifying all of the preventative devices and the detective devices.  The average is 88% preventive.  All the effort is on prevention and little to none on detection.  Need to start focusing more on detection.  Also 95% of the prevention is on inbound.

Prevention is ideal, but detection is a must!

Suggestions

  1. Know your systems
    1. up-to-date network diagram
    2. network visibility map
    3. configuration management (CM) and change control
  2. Defense in depth
    1. inbound prevention
    2. outbound detection
    3. log correlation
    4. anomaly detection
  3. Common metrics
    1. utilize the critical controls
      1. security defines the metrics
      2. IT implements the metrics
      3. audit validates the metrics
      4. executives track the metrics
