Presented as a webinar on January 14, 2010.
Finding a needle in a haystack is really hard. Today’s attackers have developed tools and techniques to make their evil needles look like hay. (The Advanced Persistent Threat is especially good at it.)
During this State of the Hack session, MANDIANT’s Dave Merkel was joined by Harry Sverdlove of Bit9. They discussed how you can use the known good to help identify, confirm and eliminate the possibly evil.
Dave and Harry discussed best practices for building and maintaining application whitelists, as well as how to most effectively use them in incident response. They showed how to classify what’s good, what’s okay and what’s not. And, they demonstrated how incident responders can use this information to identify, collect and analyze the tools the enemy is using to maintain his presence on your network.
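As an added illustration of the good / okay / not-good classification described above (example code written for this page, not tooling from the webinar, MANDIANT or Bit9), the script below triages a constructed endpoint inventory against a known-good catalogue and an organisation-approved list, flags files whose name imitates a known-good program but whose hash does not match, and orders the remaining hashes by how few hosts carry them so a responder knows what to collect first. All hashes, hosts and paths are constructed placeholders.

```python
import hashlib
import ntpath
from collections import defaultdict


def _h(s):
    """Hash a placeholder string; stands in for a real file's SHA-256."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed catalogues. KNOWN_GOOD stands in for a vendor or NSRL-style
# known-good set (hash -> expected file name); ORG_APPROVED for binaries the
# organisation has itself vetted ("okay" but not vendor-published).
KNOWN_GOOD = {_h("os-vendor-notepad"): "notepad.exe",
              _h("os-vendor-svchost"): "svchost.exe"}
ORG_APPROVED = {_h("internal-backup-agent")}
GOOD_NAMES = {name.lower() for name in KNOWN_GOOD.values()}

# Constructed endpoint inventory: (host, full path, sha256 of the file)
INVENTORY = [
    ("ws01", r"C:\Windows\notepad.exe", _h("os-vendor-notepad")),
    ("ws01", r"C:\Windows\System32\svchost.exe", _h("os-vendor-svchost")),
    ("ws02", r"C:\Windows\System32\svchost.exe", _h("os-vendor-svchost")),
    ("ws02", r"C:\Program Files\Backup\agent.exe", _h("internal-backup-agent")),
    ("ws02", r"C:\Users\Public\svchost.exe", _h("fake-svchost")),
    ("ws03", r"C:\Users\Public\svchost.exe", _h("fake-svchost")),
    ("ws03", r"C:\Temp\updater.exe", _h("unknown-tool")),
]


def classify(path, digest):
    """Return 'good', 'okay', 'suspect' or 'unknown' for one inventory row.

    'suspect' covers the needle-dressed-as-hay case: the file name matches a
    known-good program, but the content hash does not."""
    if digest in KNOWN_GOOD:
        return "good"
    if digest in ORG_APPROVED:
        return "okay"
    if ntpath.basename(path).lower() in GOOD_NAMES:
        return "suspect"
    return "unknown"


def triage(inventory):
    """Bucket rows by class and list the hashes still to be collected,
    rarest (fewest hosts) first, since rare unknowns are usually the
    attacker's own tools rather than overlooked legitimate software."""
    buckets = defaultdict(list)
    hosts = defaultdict(set)
    for host, path, digest in inventory:
        buckets[classify(path, digest)].append((host, path))
        hosts[digest].add(host)
    collect = [d for d in hosts if d not in KNOWN_GOOD and d not in ORG_APPROVED]
    collect.sort(key=lambda d: len(hosts[d]))
    return dict(buckets), collect
```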
In the webinar, we referred to several resources:
Dave Merkel is Vice President of Product Development at MANDIANT. He has worked in the information security and incident response industry for over ten years. His background includes service as a federal agent in the United States Air Force and over seven years' experience directing security operations at America Online (AOL).
During his tenure at AOL, Dave led a team of technologists in protecting corporate systems and network infrastructure. Prior to Dave’s experience at AOL, he was a Special Agent with the United States Air Force Office of Special Investigations, focusing on computer crime and digital forensics. Mr. Merkel holds a Bachelor of Science degree in Computer Science from the University of Colorado at Boulder and has held security clearances at Top Secret and higher levels.
Harry Sverdlove is Bit9’s Chief Technology Officer. Harry draws from nearly two decades of application design and analysis with industry-leading IT enterprises, adding a new layer of technical expertise and strategic vision to Bit9’s portfolio of endpoint security solutions.
Sverdlove joined McAfee through its 2006 acquisition of SiteAdvisor Inc., where he worked as Chief Scientist to develop systems for testing, detecting and analyzing any Windows-based application. Prior to joining SiteAdvisor, Harry ran his own consulting company specializing in Windows automation and spam detection. Before that he was Director of Engineering at Compuware Corporation (formerly NuMega Technologies). Prior to NuMega, Harry was Principal Architect for Rational Software, where he designed the core automation engine behind Rational Robot. Harry has a bachelor’s degree in electrical engineering from MIT.