So after two days of getting up at the crack of dawn, having to deal with other VRT folks before they've had their coffee and then driving through commuter traffic and getting on the Metro, I came home from the SANS Incident Detection Summit completely exhausted. But as my head hit the pillow my brain was working overtime and at full capacity, trying to process all of the ideas, opinions and tools that came up at the conference. This led to a night of restless sleep as my brain would not stop turning over ideas and to-do lists that were generated by the conference. I'm pretty sure that as far as I'm concerned that was the most useful conference I've ever attended.

Before I get to the talks, let me talk about the audience. I wish I could have trapped them all in a room and just talked for hours. The ones I did get to chat with were knowledgeable, were brimming with high-end problems and high-end ideas and were completely willing to talk your ear off about what they had done, what they needed and what they were worried about. Anyone who was at the conference that I missed, get a hold of me, I'd love your thoughts.

The talks...now because of traffic issues, we missed the early part of day one. Now, I'll be honest, my favorite part of day one was participating in the two panels I was on and yelling at a room full of people about my crazy ideas. Yeah, I have opinions. But one of my main points was the importance of generating in-house data, and the CIRT/MSSP talk, along with the commercial security intelligence talks were very interesting.

Day two, in my mind, really took it up a notch, but that may be because I was forced (for the most part) to shut up and listen instead of flapping my pie hole. Right off the bat was easily the best talk of the conference (even better than my rants!) and it was Aaron Walters and Brendan Dolan-Gavitt's review of the Volatility Framework, which is a memory forensics tool. I was really impressed by the technology and felt that it would be very useful to some of our in-house research projects.

Another project that has long been on my radar is the Honeynet Project, and Brian Hay was there from the University of Alaska Fairbanks. I got to chat with him after the talk and that generated a ton of ideas.

The day was really packed, and it ended strong. Michael Cloppert moderated the Noncommercial Security Intelligence Service Providers panel, which also ended up in a number of post-talk chats on various topics. I was disappointed that Team Cymru's representative, Jerry Dixon, was unable to be there. They do a lot of work that I've used over the years.

The very last panel was on Commercial Host-centric Detection and Analysis Tools. The topics ranged all over the map, and I couldn't help but chime in with a couple of questions. There have been a lot of developments in the advanced persistent threats space over the last year or so, and it was really informative to hear about what these guys have seen.

So here is the TL;DNR version:

  1. I like yelling at people about what I think
  2. You should never miss this conference if you're interested in incident detection
  3. Some of the best information happens when you trap the speakers after the talks
  4. I'm really tired right now