Incident Response just got a whole lot easier and will save you Logs of $$$

BSides SATX 2016

Presented by: Michael Gough
Date: Saturday May 21, 2016
Time: 15:00 - 15:50
Location: Moody Room 102
Track: In The Weeds

According to Mandiant's M-Trends reports, the average Mean Time to Discovery (MTTD) of a breach for Mandiant customers was 416 days in 2012, 205 days in 2014 and 146 days in 2015. In 2015, for those Mandiant customers that detected the breach themselves, the figure was 56 days. Unfortunately, when a third party is the one to report that your company has been breached, the average is 320 days. As an industry we still need to vastly improve, since companies get compromised within an hour, the entire organization within a day, and valuable data begins to leak shortly thereafter. So how do we reduce our detection time? How can we save serious $$$, either by not using an IR firm and doing it ourselves, or by reducing how long the IR firm is on site? Many of us cannot afford an IR firm at the DROP of a TABLE. The ultimate goal and challenge for all of us is to learn how to discover breaches ourselves. We as an industry must get better at discovery, detection and response, and do it faster, much faster. This talk will share how, where to begin, and a new tool to help us do it ourselves. Learn from those of us who have been through it, because the criminals can own you in a day and it is still taking a year to receive the OH SH*T call.

Michael Gough

Michael has 20 years' experience in IT and InfoSec. Michael now focuses his talents as a Blue Team defender, incident responder, malwarian fighter and malware archeologist. Michael also co-partnered the BSides Texas Conference entity for 6 years. Michael is co-creator of LOG-MD, a free Windows logging and malicious behavior discovery tool that helps Blue Teamers and Incident Responders improve their Windows logging and discover malicious behavior and malware. Michael also created the "Malware Management Framework" and developed several "Windows Logging Cheat Sheets" that provide a starting point for detailed logging on Windows hosts.
