“You should be looking at Indicators of Compromise!” exclaims your CISO, regulator, vendor, and mom. No problem, right? You have the most expensive security intelligence vendor and all you have to do is correlate in your expensive SIEM. If you've tried this, then you are laughing with me. Come hear my exploration into implementing IOCs at a major US insurance company and a major US bank. I’ll address the differences between Indicators of Compromise vs. Indicators of Attack, and I will show you how not to use the MITRE ATT&CK™ framework, plus some tips on how to use it well. My goal is to save you from falling into the same pitfalls when dealing with Indicators of Crap.
Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1111.pdf?podcast=1577146215