GrrCon Presentation
Video: Looking for the Weird Webinar for Lancope
YouTube video recording of my "Looking for the Weird: Detecting Bad Traffic and Abnormal Network Behavior" webinar for Lancope. This was given on 9/24/2014.
Converge Conference Presentation
My presentation deck from Converge Conference can be downloaded here.
Protecting the Crown Jewels
Summary of the features in StealthWatch 6.5 that protect sensitive data from theft by insider threat or advanced attack.
Coaxing Heads from the Security Sand
Some organizations have chosen to adopt a "plausible deniability" strategy to InfoSec. This article outlines some methods of helping these organizations move to a safer security practice.
School of NBAD Series: NBAD Relationship Anomaly Detection
The final installment of the NBAD series covering relationship anomaly detection.
3 Lessons to Unlearn from the Target Dogpile
3 dangerous "lessons" that have come from Target Breach discussions that we need to quickly unlearn.
School of NBAD: NBAD Host Anomaly Detection
Part 4 of the NBAD series on host anomaly detection.
Hospitals are Bleeding Data
Hospitals are under attack from cyber criminals and state-sponsored attackers. This article reviews the causes of the poor state of InfoSec in healthcare and some remedies.
School of NBAD Series: NBAD Behavioral Detection
Third part of the network behavioral anomaly detection (NBAD) series on the role of behavioral detection.
"Looking for the Weird" video from BsidesChicago
School of NBAD Series: NBAD Signature Detection
In the second part of the NBAD series, signature detection methodologies are examined.
School of NBAD Series: History of NBAD
The first part in this series covers the history of Network Behavioral Anomaly Detection (NBAD).
When An Alarm Isn’t
Vendors like to create an ocean of alarms in their products so they can dogpile after an event and claim that "they caught it." This article goes through the dangers of false positives in incident response and how to address them.
Dealing with Insider Threats
The most dangerous and most difficult risk for an organization to detect is insider threat. When a trusted asset decides to betray the trust of his benefactor for the sake of ideology, greed or extortion, the organization can suffer long-lasting damage. This article outlines the nature of insider threat and strategies for handling it.
Processing IOCs in the StealthWatch System
Threat data contained in Indicators of Compromise (IOC) can be applied against the data stored in StealthWatch to look for markers of historical breach. This entry outlines the steps in performing this analysis.
Protecting Windows XP from Exploit
With Microsoft discontinuing support of Windows XP, organizations need guidance on how to protect the legacy machines they can't replace.
Parsing Vendor Claims of APT Detection
How to parse the claims vendors make in APT detection.
Reining in External Services with NetFlow
NetFlow analysis can be an effective way of determining what cloud services are in use and monitoring them for violations.
Grand Rapids ISSA Deck
Thanks to the Grand Rapids chapter of the ISSA for hosting me today. My deck can be downloaded here.
Spear Phish Detection and Response
The difficulty in controlling user behavior makes spear phishing a "no-brainer" for attackers. Network surveillance can detect the attack at different stages of the kill chain.
Gartner Video on Network Behavioral Analysis
Video presentation from Lawrence Orans of Gartner, describing how Network Behavioral Analysis (NBA/NBAD) can detect advanced, targeted threats.
Shoe Bombers on the Network Part Five: Incident Response
The last installment drawing lessons for network security from the Shoe Bombing attack focuses on the actions and response that follow threat detection.
Shoe Bombers on the Network Part Four: Attackers
One thing we learned from the Shoe Bomber, Richard Reid, is that not all attackers are the same. In this installment we examine the differences among cyber attackers.