Meatspace Indicators and Incident Response

Presented at BSidesDC 2014, Oct. 18, 2014, 2:30 p.m. (50 minutes).

Do you ever get non-technical incident indicators? Are non-technical indicators important? Do incident responders sometimes get tunnel vision and forget that monitoring and response are a means to an end? The answers to all these questions are yes.

This talk will discuss the importance of non-technical indicators using the example of a real incident involving a home security breach. You will get a large dose of lessons learned, including how important non-technical indicators can be, how they can be used in combination with traditional technical tools, how the example does and does not apply to operational incident response teams, and how to keep your teenager from pwning you as a parent.


Presenters:

  • Nathaniel Richmond - Member of Technical Staff at Software Engineering Institute, CERT/CC
    Nathaniel Richmond is a member of CERT/CC, a part of the Software Engineering Institute at Carnegie Mellon University. He has 15 years of experience in IT and has been focused on security for the past 10 years. His background in security includes enterprise network security monitoring, security architecture, incident response, and security research. As part of CERT/CC he has focused on transitioning research, training incident response teams, and developing sane enterprise security architecture. He participated in the 2009 SANS Incident Response Summit as a member of three discussion panels covering CIRTs and MSSPs, enterprise detection tools and tactics, and detection using logs. In his spare time he reads, watches way too many TV shows and movies, rides his bicycles, plays ice hockey, and catches his children behaving badly using his home security lab.
