Enterprise Security Monitoring: Comprehensive Intel-Driven Detection (presented at FIRST 2014)

by David J. Bianco

Summary: Before coming to work as the Hunt Team Manager and DFIR subject matter expert at Mandiant, David spent five years helping to build an intel-driven detection & response program for a Fortune 5 company. He set detection strategies for a network of over 500 NSM sensors in over 160 countries and led response efforts for some of the company’s most critical incidents, mainly involving targeted attacks. His blog is Enterprise Detection & Response (detect-respond.blogspot.com).
This is a great time to be in the detection field! More and more organizations are waking up to the fact that an effective detection program is a “must-have” to protect themselves against sophisticated threats. This creates a market for high-quality threat intelligence, and many groups are stepping up to meet this demand. With very little effort, your organization can connect to any number of quality data feeds, both commercial and free. However, this can lead to its own problems: almost no one is using threat intel effectively! Now that you’re drowning in a sea of intel, how do you make sense of it all and ensure that you are making maximum use of this information to provide the best possible detection strategies for your organization?
When you fully leverage your knowledge of an adversary to rapidly detect and respond to their attacks, you deny them access to their tradecraft. You become a harder target and they feel the burn! David developed the ESM method and its fundamental model, the "Pyramid of Pain", while creating and running the worldwide detection program at a Fortune 5 company. Learn how to apply ESM in your org to bring the fight to the attackers!