Consider it a pandemic silver lining. I’ve always wanted to attend a SANS summit, but living in Canada, time and money have always been limiting factors. That changed today when I got to follow along online, from the safety of my locked-down domicile, albeit during work. It was amazing, truly amazing. Everything I’ve heard about can’t-miss talks, excellent presenters, BIG takeaways – all true.
And guess what? There’s a whole second day of the same tomorrow! And I won’t miss the opening like I did today (work). I’ll catch up on the recorded sessions I did miss. Tomorrow, three Mandiant presenters will be talking SolarWinds and supply chain attacks. I remember that Sunday when news was breaking about SolarWinds, and staying up half the night tracking it on Twitter and blogs so I’d be ready for Monday. There’s a lot of sophistication and customization in the SolarWinds attack, from the tactics and techniques the attackers used to remain undetected and protect their best malware, to the creation of specialized malware. I’ll be turning on Do Not Disturb for that – and I definitely consider it relevant to work.
Today I sat in on a great workshop about setting up a cyber threat intel program for a client, “Threat Intelligence the ‘EASY’ Way” by Chris Cochran, which ran through the thinking process involved. What kinds of questions do you need to ask to get the right information from your stakeholders? How do you make sure you give them intel that’s relevant to them and actionable? How do you build in feedback to ensure your process continues to be effective and adapts with their needs? It’s important to make sure you understand the fundamentals. You don’t do threat intel for the sake of doing threat intel – it’s meant to meet the organization’s needs: information they can put to work to improve existing security controls and processes, or visibility into their network; information that tells them how well what they’re doing is actually working, like how many “phish” get through, or whether they can see where their data is going. It also means understanding the importance of aligning risks and results with measurable metrics, because that’s what the C-suite needs to see. It helped me realize that while I work on the strategic side, which I love so much, I need to get more experience on the operational side. Segmentation is for networks, not for effective intel gathering and collaboration.
To wrap up a day of fun and learning, there was a terrific panel discussion at the end with the hosts, Katie Nickels, Rick Holland, Rebekah Brown and Robert M. Lee, and the day’s speakers. They shared great insights and recommendations on resources, how to get started, and the challenge of helping people understand the value of CTI. Best of all, they shared laughter and a real sense of camaraderie. I now have Slack channels full of new resources to explore, and I feel connected to the world again in a way that’s been missing for too many months. ’Til tomorrow!