Intrusion Detection Along the Kill Chain - Why Your Detection System Sucks
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the failures of intrusion detection systems and learn innovative approaches to improve cybersecurity in this Black Hat USA 2012 conference talk. Delve into the fundamental problems plaguing the field and discover why current solutions fall short in detecting sophisticated attacks. Gain insights into the concepts of the attacker plane and kill chain, and learn how to leverage them to create more effective intrusion detection systems. Examine the security industry's shortcomings, analyze data breach reports, and understand the complexities of intrusion detection beyond binary classifications. Discover intelligence-driven detection techniques, event pipeline processes, and correlation methods. Investigate attack stages, situational awareness, and context-based approaches to enhance your organization's defense capabilities. Whether you're a seasoned professional or new to cybersecurity, this talk offers valuable perspectives on improving intrusion detection strategies.
Syllabus
Intro
Who am I
Why this talk
Introduction
The Security Industry
How well are they working
Verizon Data Breach Report
Intrusion Detection Efficacy
How do they get discovered
How do we compare
Other reports
Internal process
Climate change
What can we do
What is intrusion detection
Systems are not binary affairs
The false positive fallacy
The reality is more subtle
All events are welcome
Examples
Intelligence-Driven Detection
Registry Modifications
Blank User Agents
Event Pipeline
Blacklisting
Identity Translation
Correlation
Attack Plane
Host-Based Correlation
Vanilla Correlation
Kill Chain
Attack Stages
Attack Planes
Context or Out of Context
Situational Awareness
Final Thoughts
Contact Info
Taught by
Black Hat
Related Courses
Systems and Application Security - (ISC)² via Coursera
Fundamentals of Computer Network Security - University of Colorado System via Coursera
Basic Network and Database Security - IBM via edX
Information Security Operations Center ISOC for Non-Techies - Udemy
Cybersecurity of Networks from Scratch to Advanced - Udemy