Publications

Research Projects

How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?

Sep 18, 2013 SANS Reading Room

Many organizations have deployed Snort sensors at their ingress points. Some may have deployed them between segmented internal networks. Others have IDS sensors scattered throughout the organization. Regardless of where a sensor is placed, the IDS provides a significant view of the traffic crossing the network. With this data already being generated, how many organizations build metrics from it for further analysis? Which metrics are valuable to security teams, and how are they used? What insights can good metrics provide, and how can those insights be used to reduce risk to the organization? The paper covers current technologies and techniques for creating valuable metrics that help security teams make informed decisions.
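The metrics the abstract asks about can be derived directly from the sensor's own alert log. The script below is an added example written for this page, not code from the paper or from the Snort project. It parses Snort's default alert_fast line format (timestamp, [gid:sid:rev], message, optional classification, priority, protocol, source -> destination) and aggregates counts a team can trend over time: alerts per signature, per priority, per hour and per source, plus the number of distinct destinations each internal source has triggered alerts against, which is a cheap indicator of internal scanning or lateral movement. The sample alert lines and the internal address ranges (10.0.0.0/8 and 192.168.0.0/16) are constructed assumptions, not real sensor output.

```python
"""Build simple, trendable risk metrics from Snort alert_fast output.

Added example for this page; not code from the paper or from Snort.
"""
import re
import ipaddress
from collections import Counter, defaultdict

# Snort alert_fast line, default form (no year in the timestamp).
# Port suffixes are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<month>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (RFC 1918 / RFC 5737 placeholder addresses).
# The last line is deliberately malformed to exercise the unparsed counter.
SAMPLE_ALERTS = """\
09/18-13:45:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:49152
09/18-13:46:10.000001  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51000 -> 10.0.0.22:22
09/18-13:46:11.000002  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51001 -> 10.0.0.22:22
09/18-14:02:30.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10
09/18-14:03:00.000000  [**] [1:1000002:2] LOCAL internal host scanning [**] [Priority: 2] {TCP} 10.0.0.5:40000 -> 10.0.0.9:445
09/18-14:03:01.000000  [**] [1:1000002:2] LOCAL internal host scanning [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.10:445
this line is not an alert and should be counted as unparsed
"""

# Assumed internal address space; adjust to the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_metrics(lines):
    """Aggregate alert_fast lines into counters a team can trend over time."""
    metrics = {
        "total": 0,
        "unparsed": 0,                 # lines that did not match the format
        "by_signature": Counter(),     # (gid:sid:rev, msg) -> count
        "by_priority": Counter(),      # priority -> count
        "by_hour": Counter(),          # "MM/DD HH:00" -> count
        "by_source": Counter(),        # source IP -> count
        "fanout": defaultdict(set),    # source IP -> set of destination IPs
    }
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if not m:
            metrics["unparsed"] += 1
            continue
        metrics["total"] += 1
        sig = f"{m['gid']}:{m['sid']}:{m['rev']}"
        metrics["by_signature"][(sig, m["msg"])] += 1
        metrics["by_priority"][int(m["prio"])] += 1
        metrics["by_hour"][f"{m['month']}/{m['day']} {m['time'][:2]}:00"] += 1
        metrics["by_source"][m["src"]] += 1
        metrics["fanout"][m["src"]].add(m["dst"])
    return metrics


def noisiest_signatures(metrics, n=3):
    """Signatures firing most often: candidates for tuning or suppression."""
    return metrics["by_signature"].most_common(n)


def internal_fanout(metrics, min_destinations=2):
    """Internal sources whose alerts touched at least min_destinations hosts."""
    return sorted(
        (src, len(dsts))
        for src, dsts in metrics["fanout"].items()
        if is_internal(src) and len(dsts) >= min_destinations
    )


if __name__ == "__main__":
    m = build_metrics(SAMPLE_ALERTS.splitlines())
    print("alerts:", m["total"], "unparsed:", m["unparsed"])
    print("by priority:", dict(m["by_priority"]))
    print("by hour:", dict(m["by_hour"]))
    print("noisiest:", noisiest_signatures(m, 2))
    print("internal fan-out:", internal_fanout(m))
```

Fed a day's alert file instead of the constructed sample, the same counters show which signatures dominate the volume (tuning candidates), whether priority-1 alerts are rising, and which internal hosts are touching many peers, each of which is a metric that maps to a concrete risk-reduction decision.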

Forensic Analysis of iOS Devices

Nov 5, 2012 SANS Reading Room

With the “bring your own device” (BYOD) movement, smartphones and tablets have exploded into the corporate environment and show no sign of receding. This “consumerization” of endpoints means users will be performing work on devices other than the traditional organizational desktop or laptop running Windows. Since smartphones and tablets are outfitted with more hardware than ever before, they are being used to surf the Internet, transfer data and communicate with corporate mail servers. A large share of these BYOD devices run Apple’s iOS, and the ability to perform accurate and clear forensics on them is valuable to an organization. This paper covers forensically sound methods that can be performed on an iOS device.

Meeting Compliance Efforts with the Mother of All Control Lists (MOACL)

Mar 4, 2010 SANS Reading Room

With the multitude of different compliance efforts an organization could be subject to, it is not uncommon to find confusion about what may or may not apply. Which compliance regulations does the organization fall under? What must the organization do to meet a specific compliance effort without conflicting with a separate one? How can the organization know it is meeting the required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lie in the details of the many controls in each of these efforts and in the ability of technology practitioners to find commonalities that ease redundant testing. By reviewing each of the compliance frameworks, technologists can define a set of generic controls such that when a control is met for one objective it also meets objectives in other compliance frameworks. The Mother of All Control Lists (MOACL) therefore expresses a one-to-many relationship between a general control and the varying compliance controls it satisfies.

Simple Windows Batch Scripting for Intrusion Discovery

Sep 29, 2009 SANS Reading Room

A universal saying in the security world is that there is no completely secure system. With that realization, security practitioners should have a recurring procedure in place to determine whether their information systems have been compromised by unauthorized individuals. This paper discusses a procedure that uses common tools in conjunction with automated batch scripting to identify successful intrusions into a Microsoft Windows environment.

Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard

Sep 9, 2008 SANS Reading Room

In today’s global marketplace, companies cannot afford to tarnish their reputation with a public security incident. Corporations can suffer major financial losses if a security incident occurs in the business. The fear of revenue loss should motivate companies to take proactive measures against vulnerabilities in their infrastructure. Vulnerability assessment is a critical process that any organization should follow to identify, assess and respond to new vulnerabilities before they become a threat.

Creating and Maintaining Policies for Working with Law Enforcement

May 21, 2008 SANS Reading Room

Industry surveys show a wide variety of reasons why companies are reluctant to report computer incidents to law enforcement. The perception on the part of some entities is that there is little upside to reporting network intrusions. The risk presented by failing to report intrusions is tremendous. The Internet is continuing to get more complex, more interconnected and thus more vulnerable to intrusions. Connected information systems are gaining more importance to our private lives as personally identifiable information is prevalent in today’s economy.

Is Virtual Desktop Infrastructure (VDI) Right for Me?

Jul 15, 2009 SANS Newsbites

Virtual Desktop Infrastructure (VDI) is a solution for server-hosted virtual desktop computing that leverages a thin-client architecture and centralizes endpoint images as virtual machines. Although VDI presents numerous and substantial benefits, is it the panacea for all types of environments? Is the technology mature enough to deliver what it promises? The focus of our research is to help companies that plan to evaluate this new technology for deployment. We hope you will find it useful!

Has your sensitive data leaked into the wild?

Sep 3, 2009 Network World Magazine

Most organizations have data security policies designed to keep sensitive information from becoming publicly available. Still, you’d be surprised at the kind of information that makes its way out into the open, either accidentally or intentionally: financial records, customer account information, product plans and roadmaps. Do you know what information your company is exposing? New “data leak detection” (not prevention) technology from Exobox Technologies can tell you what is in the public eye, and where it is.