There is no single device that provides a total security solution. All those "magic" and fourth-quadrant products will not protect you on their own. Security is not a framework, not a destination, and not a weekend of overtime spent implementing a new tool. It is not news that organizations need defense in depth, or layered defenses, yet too many organizations are stuck in a reactive security mode. Businesses react to network alerts, researching the previous day's events the next morning. They react to virus detections only when the AV solution emails them a report. Each security solution provides only part of the answer to the question "Am I owned?" Network alerts give a partial picture, and so does host monitoring. By combining logs, network alerts, and system alerts, a much clearer picture emerges. This talk will show that you can detect system compromises days, weeks, and even months before antivirus catches them. It will cover key system events and locations to monitor, network events that you may not currently be watching for but absolutely should be, and how simple visualization of log data can make potential compromises stand out. Examples from real compromises will be used to reinforce the concepts presented.
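The correlation the abstract describes, as an added example that is not part of the talk: host events, network alerts and AV detections are parsed into one per-host timeline, the hosts corroborated by two independent sources are listed, and the lead time between the earliest non-AV indicator and the AV detection is measured. The log formats, host names, addresses and timestamps are all constructed for this example; the `key=value` layout is an assumption, not any product's real format.

```python
"""
Added example (not from the talk): merge host, network and AV events into
per-host timelines, flag hosts corroborated by more than one source, and
measure how far ahead of the AV detection the earliest other indicator was.
Every record below is a constructed sample in an assumed key=value format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records. ws-017 is the compromised host; ws-022 shows a lone
# network anomaly; ws-031 shows a benign host event that should not be flagged.
HOST_EVENTS = [
    "2013-05-02T03:14:07 host=ws-017 src=host event=new_service name=svchost_update path=C:\\Users\\Public\\svchost_update.exe",
    "2013-05-02T03:14:09 host=ws-017 src=host event=run_key_added value=C:\\Users\\Public\\svchost_update.exe",
    "2013-05-03T09:01:44 host=ws-031 src=host event=new_service name=Spooler path=C:\\Windows\\System32\\spoolsv.exe",
]
NETWORK_ALERTS = [
    "2013-05-02T03:20:15 host=ws-017 src=network event=beacon dst=203.0.113.10:443 interval=300s",
    "2013-05-04T11:40:02 host=ws-022 src=network event=dns_nxdomain count=412",
]
AV_DETECTIONS = [
    "2013-05-19T08:00:00 host=ws-017 src=av event=detected name=Sample.Generic action=quarantined",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Split an assumed 'TIMESTAMP key=value ...' record into a dict with a datetime 'ts'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def build_timelines(*sources: list[str]) -> dict[str, list[dict]]:
    """Merge every source into one chronologically sorted event list per host."""
    timelines: dict[str, list[dict]] = defaultdict(list)
    for source in sources:
        for line in source:
            ev = parse_line(line)
            timelines[ev["host"]].append(ev)
    for events in timelines.values():
        events.sort(key=lambda e: e["ts"])
    return dict(timelines)


def corroborated_hosts(timelines: dict[str, list[dict]]) -> list[str]:
    """Hosts with indicators from at least two independent non-AV sources (host and network)."""
    return sorted(
        host for host, events in timelines.items()
        if len({e["src"] for e in events if e["src"] != "av"}) >= 2
    )


def av_lead_time_days(timeline: list[dict]) -> int | None:
    """Days between the earliest non-AV indicator and the first AV detection; None if AV never fired."""
    av = [e for e in timeline if e["src"] == "av"]
    others = [e for e in timeline if e["src"] != "av"]
    if not av or not others:
        return None
    return (av[0]["ts"] - others[0]["ts"]).days


def render_timeline(host: str, timeline: list[dict]) -> str:
    """Plain-text timeline, one marker per source, so the sequence stands out at a glance."""
    marker = {"host": "[H]", "network": "[N]", "av": "[A]"}
    rows = [f"{host}:"]
    for e in timeline:
        detail = " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "host", "src"))
        rows.append(f"  {e['ts'].isoformat()} {marker.get(e['src'], '[?]')} {detail}")
    return "\n".join(rows)


if __name__ == "__main__":
    timelines = build_timelines(HOST_EVENTS, NETWORK_ALERTS, AV_DETECTIONS)
    for host in sorted(timelines):
        print(render_timeline(host, timelines[host]))
        lead = av_lead_time_days(timelines[host])
        print(f"  AV lead time: {lead} days" if lead is not None else "  AV never fired")
    print("corroborated:", corroborated_hosts(timelines))
```

Run as-is and ws-017 is the only host with both a host indicator and a network indicator, and its first host event precedes the AV detection by 17 days; ws-022 and ws-031 each carry a single-source signal and would go to a review queue rather than an incident.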
Renegade6 has been addicted to computers since he won a TI-99/4A in a school raffle. In 1997 he was blown away by NMRC, L0pht, and others. Past positions include satellite network administrator, network administrator, system administrator, information security team lead, Information Assurance Security Officer for the Green Zone in Iraq, Information Assurance Manager, instructor, and network defense; he is currently a Network Defense SME and Senior Incident Handler.