According to Mandiant's M-Trends reports, the mean time to discovery (MTTD) of a breach among Mandiant customers was 416 days in 2012, 205 days in 2014 and 146 days in 2015. In 2015, the customers that detected the breach themselves did so in 56 days! Unfortunately, when a third party reports that your company has been breached, the average is 320 days. As an industry we still need to improve vastly, since companies get compromised within an hour, the entire organization within a day, and valuable data begins to leak shortly thereafter. We CAN do better! So how do we reduce our detection time? How can we save serious $$$, either by doing the incident response ourselves instead of hiring an IR firm, or by reducing how long the IR firm is on site? Many of us cannot afford an IR firm at the DROP of a TABLE. The ultimate goal and challenge for all of us is to learn how to discover a compromise ourselves and avoid a breach. We as an industry must get better at discovery, detection and response, and do it faster, much faster. This talk will share how, where to begin, and a new tool for Windows to help us do it ourselves. Learn from those of us who have been through it, because the criminals can own you in a day and it still takes a year to receive the OH SH*T call.
Michael (CISSP, CISA and CSIH) is a Malware Archaeologist, Blue Team defender, Active Defender, Incident Responder, Information Security professional and logoholic. Michael developed the "Malware Management Framework" to improve malware discovery, detection and response capabilities. Michael also authored several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits, sets, collects and reports on malicious Windows log data and malicious system artifacts. Michael's responsible disclosures involve cardkey system exploits and vulnerabilities in leading security products. Michael's background includes 20 years of security consulting for Fortune 500 organizations with HP, and in the health care, financial and gaming industries. Michael also ran BSides Texas for five years, covering the Austin, San Antonio, Dallas and Houston cons. Michael also blogs on HackerHurricane.com on various InfoSec topics.