Cailan Sacks

nav_value:
1, 1, 1

Bio

Currently working as an R&D specialist at Investec, Cailan is a technology loving, gadget fan boy, who enjoys finding elegant solutions to complex problems, all things cybersec related, tech related challenges, and pepper steak pies.

As a jack-of-all-trades kinda of guy, he has worked in both small companies (as a technical everything), as well as large corporate environments

fulfilling various roles from digital forensics investigator, computer incident response, database administrator,

software developer, penetration tester and Incident responder / threat hunter.

Talk: Making defense sexy again

You’ve heard this before right; it’s not a matter of “if you will be breached” but “when you will be breached” (or when you’ll find out you’ve been breached). So, as we rapidly scale to environments of increasing complexity, more layers of abstraction, and the weaponized “mimi-ransom-sploit” thing. How should our blue teams effectively coordinate and execute their threat hunting and incident response?

 

A really good defence in depth strategy is likely to entail a small fortune worth of really good (or capable) products including AV, HIPS, HIDS, EDR and host firewall; and that’s just on the end point.

With this much data to consume, there is plenty to keep our threat hunters busing, but busy looking for what? What will they do when they find it? How are blue teams expected to process and respond to such a wide variety of events and triggers amongst all the noise? Without proper orchestration and automation, alert fatigue is likely to rapidly set in to an IR team.

 

During the presentation, we will outline some of the issues faced by short staffed blue teams, and demo some of the investigative tools an analyst could become “stuck in” whilst performing threat hunting or IR duties. From this, we should be able to show the obvious need to go beyond the product. Effective orchestration not only increases the effectiveness of the responder, but also changes the “defender’s dilemma” into the “attacker’s dilemma”.