Friday, December 11, 2009

I hope you're happy cost me a ton of sleep

So after two days of getting up at the crack of dawn, having to deal with other VRT folks before they've had their coffee and then driving through commuter traffic and getting on the Metro, I came home from the SANS Incident Detection Summit completely exhausted. But as my head hit the pillow my brain was working overtime and at full capacity, trying to process all of the ideas, opinions and tools that came up at the conference. This led to a night of restless sleep as my brain would not stop turning over ideas and to-do lists that were generated by the conference. I'm pretty sure that as far as I'm concerned that was the most useful conference I've ever attended.

Before I get to the talks, let me talk about the audience. I wish I could have trapped them all in a room and just talked for hours. The ones I did get to chat with were knowledgeable, were brimming with high-end problems and high-end ideas and were completely willing to talk your ear off about what they had done, what they needed and what they were worried about. Anyone who was at the conference that I missed, get a hold of me, I'd love your thoughts.

Because of traffic issues, we missed the early part of day one. Now, I'll be honest, my favorite part of day one was participating in the two panels I was on and yelling at a room full of people about my crazy ideas. Yeah, I have opinions. But one of my main points was the importance of generating in-house data, and the CIRT/MSSP talk, along with the commercial security intelligence talks, were very interesting.

Day two, in my mind, really took it up a notch, but that may be because I was forced (for the most part) to shut up and listen instead of flapping my pie hole. Right off the bat was easily the best talk of the conference (even better than my rants!) and it was Aaron Walters and Brendan Dolan-Gavitt's review of the Volatility Framework, which is a memory forensics tool. I was really impressed by the technology and felt that it would be very useful to some of our in-house research projects.

Another project that has long been on my radar is the Honeynet Project, and Brian Hay was there from the University of Alaska Fairbanks. I got to chat with him after the talk and that generated a ton of ideas.

The day was really packed, and it ended strong. Michael Cloppert moderated the Noncommercial Security Intelligence Service Providers panel, which also ended up in a number of post-talk chats on various topics. I was disappointed that Team Cymru's representative, Jerry Dixon, was unable to be there. They do a lot of work that I've used over the years.

The very last panel was on Commercial Host-centric Detection and Analysis Tools. The topics ranged all over the map, and I couldn't help but chime in with a couple of questions. There have been a lot of developments in the advanced persistent threats space over the last year or so, and it was really informative to hear about what these guys have seen.

So here is the TL;DNR version:

  1. I like yelling at people about what I think
  2. You should never miss this conference if you're interested in incident detection
  3. Some of the best information happens when you trap the speakers after the talks
  4. I'm really tired right now


  1. I think only Sourcefire had the most people from one company at the con (6 I think, GE had 5?) Glad to have all of you -- thanks for participating on the panels and for briefing!

  2. You may be interested in Michael Ligh's code, which includes a variety of volatility plugins.

    His blog at also contains some articles about using these plugins such as using one to enumerate virtual address descriptors to find the nasty clampi crimeware, very cool stuff.

    Curt Wilson

  3. I agree about Walters and Dolan-Gavitt. I've been to one of Aaron's talks before. It is amazing how much new he has added since his last talk that I attended!

    I think one of the big advantages of the panel format was the large and diverse assortment of speakers. It also meant that attendees were not all queued up to talk to only one or two people when the talks ended.

  4. @Richard: Just let us know when we can come back, had a fantastic time.

    @Curtw: Yeah, I got Michael Ligh's name scribbled on one of my 10 pages of notes from the conference. I've spent most of the day connecting to folks who I met there and triaging my research for the next few [days/months]. Some memory work is in my near future, assuming I can get my VM stuff to settle down some.

    @nr: I liked the blend of briefings and panels, although (as may be apparent at this point) I didn't really like the yellow card thing. I very much prefer direct person-to-person questions. The time constraint definitely worked against that, but I talked to everyone I could during breaks.

