Free Kindle book about the Value of Your Employees


Too Skilled

Two years ago I published a book about the value of individuals and how they can make you, as a leader, and the company successful.

In the spirit of giving this week, I’m giving away my short book (ebook) on leadership about recognizing the value in key employees.  Get your copy now! The offer expires on Friday.

Missing! Security Product Managers

Do true security product managers exist?  This is the question I began asking myself a few years ago when I started to move from a pure security role into leading the effort with a team to build a product.  After a few years, I transitioned into product management and then transitioned back into full engineering.  During this time, I realized there are very few true security product managers.  Many product managers have never really penetration tested, conducted a risk assessment, taken formal security training or even attended a DEF CON conference.  I found it very interesting that these were the people prioritizing the solutions meant to protect organizations.  Over the past two years I’ve searched to see whether there are any true security product managers, and the answer is: not really.

The security industry is struggling to find real security people to drive the right priorities into our products.  We need people that live and breathe security.  Without the right skills building our products, we will not be just one step behind the attackers and accidental breaches; we will be several.

The Benefits of Threat Driven Security Automation

Recently I spoke with several security experts on a panel at NYU about current trends in security.  My time on the panel was focused on trends around threat-driven security process automation and the changing way companies approach incident response these days.  A recent CBS News article was written based on some of the information the panel provided around protecting against hackers.  I wanted to expand on the topic, focusing on threat-driven security automation.

What is threat-driven security automation?

Threat-driven security automation is currently a significant gap in the security industry.  It is a process whereby an organization looks at its threat intelligence sources and then automates the processes around that intelligence.  This approach is very different from the brick-and-mortar SIEM-plus-analyst approach used today in most organizations.  The SIEM approach is like constantly searching a haystack for the needle (i.e. the attacker).  The threat-driven automation approach, on the other hand, already has or knows about the needle (the attacker or an indicator of compromise) and reaches across other technologies to obtain more context, validate the attack, or hunt for more evidence.

How does threat-driven automation work?

One example of threat-driven automation is the sequence below.

First, assume you receive some threat intelligence data (e.g. indicators of compromise), either from one of your key technologies or from a third-party organization.

Next, you need to consume this data and keep track of it.  One of the best ways is to use a middleware solution built specifically for security process automation.  For example, if you receive a text-based feed, you will want to parse out the indicators of compromise, perform de-duplication, and have some sort of whitelisting capability over the data so known-good infrastructure is not treated as hostile.  In another example, you may receive a JSON-based data feed from an appliance.  Again, you will want to perform the same tracking and parsing to pull out the key indicators and threat information.

Once the threat intelligence data is feeding into one central place and can be consumed by an automated process on a regular basis, the next step is to quickly check other aspects of the enterprise.  For example, did the proxy show the same user and URL context (query to see whether the request was blocked and pull the context)?  Did the AV detect or pick up this item (query to see whether it was detected, cleaned, quarantined, etc.)?  Maybe you also want to query other internal or external intelligence sources to learn whether others have seen the indicators.  All of this can be automated and tracked in one central place and then forwarded on to a workflow or ticketing system.  This essentially removes hours of investigation work typically done by security analysts.
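As an added example (not code from the original post), here is a small Python sketch of the pipeline just described: parse a text feed and a JSON feed, de-duplicate and whitelist the indicators, then query proxy and AV log lines for context and flag the indicators that still need an analyst (traffic was allowed and AV did not contain it).  The feed formats, field names and log lines are all constructed assumptions, not any vendor's real format.

```python
import json
import re

# Constructed sample inputs (not real indicators or logs).
TXT_FEED = "# vendor feed\n203.0.113.10\nEvil-Example.test\n203.0.113.10\n198.51.100.7\n"
JSON_FEED = json.dumps({"alerts": [
    {"indicator": "evil-example.test", "source": "appliance-A"},
    {"indicator": "198.51.100.7", "source": "appliance-A"},
    {"indicator": "proxy.corp.example", "source": "appliance-A"},  # benign infrastructure
]})
WHITELIST = {"proxy.corp.example"}
PROXY_LOG = ["2013-12-01T10:00:00 user=alice dst=evil-example.test action=BLOCK",
             "2013-12-01T10:05:00 user=bob dst=198.51.100.7 action=ALLOW"]
AV_LOG = ["2013-12-01T10:06:00 host=bob-pc ioc=198.51.100.7 result=detected"]

def parse_txt_feed(text, source="txt-feed"):
    """Yield (indicator, source) from a one-indicator-per-line text feed; skip comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, source

def parse_json_feed(text):
    """Yield (indicator, source) from an appliance-style JSON feed (assumed layout)."""
    for alert in json.loads(text)["alerts"]:
        yield alert["indicator"], alert["source"]

def consolidate(records, whitelist):
    """Lower-case, de-duplicate and whitelist; keep every source that reported each indicator."""
    seen = {}
    for indicator, source in records:
        key = indicator.lower()
        if key not in whitelist:
            seen.setdefault(key, set()).add(source)
    return seen

def enrich(indicators, proxy_log, av_log):
    """Pull proxy and AV context per indicator; escalate when traffic was allowed but not contained."""
    results = {}
    for ioc, sources in indicators.items():
        proxy = [l for l in proxy_log if re.search(rf"dst={re.escape(ioc)}\b", l)]
        av = [l for l in av_log if re.search(rf"ioc={re.escape(ioc)}\b", l)]
        allowed = any("action=ALLOW" in l for l in proxy)
        contained = any("result=quarantined" in l for l in av)
        results[ioc] = {"sources": sorted(sources), "proxy_hits": len(proxy),
                        "av_hits": len(av), "escalate": allowed and not contained}
    return results

def run_pipeline():
    records = list(parse_txt_feed(TXT_FEED)) + list(parse_json_feed(JSON_FEED))
    return enrich(consolidate(records, WHITELIST), PROXY_LOG, AV_LOG)
```

The dictionary `run_pipeline()` returns is the record you would hand to the workflow or ticketing system; only the entries with `escalate` set need a human.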

Leveraging automation

Once you have an automation solution in place there are many benefits including:

  • Freeing up personnel for more difficult investigation and response tasks.
  • Leveraging the data to hunt for attackers based on frequency analysis.
  • Watermarking your security technologies to identify whether or not one technology is poorly performing and possibly should be replaced or removed entirely based on the overlaps of other security detection and prevention tools.
  • Controlled intelligence sharing.
  • Customized metrics and reporting around automation integration that can help understand your environment and the threat better.

Overall there are many ways to help defend against attackers, but the reality is that they are getting better all the time, and organizations must move toward a threat-driven security process automation approach to reduce response time and free skilled workers from mindless tasks.  Those workers should be proactively looking, or “hunting”, for attackers that may already be in the environment instead of just responding to alerts from their security tools.

Rodger Wille – Mentoring SANS Forensics Windows In-depth

One of my co-workers, Rodger Wille, will be mentoring SANS’ Computer Forensic Investigations – Windows In-Depth course (FOR408) in Atlanta, Georgia starting February 20th.  This course is great for any Intrusion and Security Analyst, Incident Handler, and other members of the security staff (or those wishing to get a job on a security team) who want to gain a better understanding of how to conduct computer forensic investigations in a Windows environment and what artifacts can be found on a Windows system and where.

This course covers forensic image acquisition, analysis techniques and tools, and makes use of a full-featured forensic lab that students take with them.

Topics covered in the course will include:

  • Windows File System Foundations
  • Evidence Acquisition Tools and Techniques
  • Law Enforcement Bag and Tag
  • Evidence Integrity
  • Registry Forensics
  • Windows Artifact Analysis
    • Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
    • E-Mail Forensics (Host, Server, Web)
    • Microsoft Office Document Analysis
    • Windows Link File Investigation
    • Windows Recycle Bin Analysis
    • File and Picture Metadata Tracking and Examination
    • Prefetch Analysis
    • Event Log File Analysis
    • Firefox, Chrome, and Internet Explorer Browser Forensics
    • Deleted File Recovery
    • String Searching and Data Carving
    • Examination of Cases involving Windows XP, VISTA, and Windows 7, and Windows 8
    • Media Analysis And Exploitation
    • Forensic Analysis Report Writing

In addition to the great training, each participant will also receive the following:

  • Windows version of the SIFT Workstation Virtual Machine with full Windows 8 standard license
  • Full 3 month trial license to AccessData FTK and Guidance Software EnCase
  • Full 15-day trial license to MagnetForensics Internet Evidence Finder
  • Course DVD
  • Real-world Windows XP and Windows 7 cases for examination
  • Wiebetech Ultradock v5 Write Blocker Kit

SANS Mentor students get the same great SANS content and material as they would at a traditional SANS conference event in a much more relaxed and intimate environment with classes spanning 10 weekly two hour evening sessions.  This format eliminates travel costs and impact to mission by being away from the office during normal business hours and allows students more time to learn the material.  With much smaller classes, usually no more than 8-10 participants, students have the opportunity to get their questions answered in-depth and gain more hands on experience during the labs.  The Mentor, an industry professional and GIAC Certified in the course being mentored, is often available to answer questions from students between class sessions and will highlight more salient portions of the material and lead hands-on exercises each week.

About Rodger:

Rodger has over 14 years of experience in the computer security arena as an Incident Handler and Forensic Analyst. Rodger began his career as a Signals Intelligence Analyst in the US Army conducting Cyber Threat Intelligence. After serving in the Army, Rodger continued supporting the US Army as a Defense Contractor with the Army Computer Emergency Response Team (ACERT), working as an Incident Handler and later in a Senior Incident Handler role leading a team of incident handlers for the Regional Computer Emergency Response Team CONUS (RCERT-CONUS). Previously, Rodger was the Federal Lead for the Research and Forensics team within the US Department of Health and Human Services Computer Security Incident Response Center (CSIRC), where he was responsible for leading network, memory and disk based forensics, malware analysis and incident response activities.  Currently, Rodger is a Principal Security Consultant for FireEye Labs, where he helps his customers battle advanced threats, conduct forensic analysis, respond to security incidents and develop security policy.  Rodger can offer special pricing with exceptional savings for up to two seats in the course and a 10% discount to all others.  Follow him on Twitter @RAW4n6 and direct message him for details.

2013 – The Year of the Agents

It’s official: 2013 has been declared the year of the Agents.  Even though one of the world’s largest hacks occurred near the end of the year at Target, there is no competition with the NSA privacy issues and Agent Snowden’s escapade to Russia.  Thus, in the spirit of Hackers & Agents, this year goes to the Agents, and in celebration I put together a summary of 2013.

Spreadshirt Apparel

Check out the Spreadshirt shop.  There are now 25 items available for men, women, and children, including our latest Agent shirt in support of “The Year of the Agents”.  Our top seller for the year still remains the Rootkit Hoodie, but with the new additions we may see that change in 2014.
Are you looking for a new handout for your next career fair?  How about something to hand out as part of your company security awareness program?  In July of 2013 Hackers & Agents and Praetorian worked together to create a co-branded card deck and website.

Social Media

This year has been a boom on the social media front.  The Facebook page is at over 600 likes for the year, and recently the Google+ page has started gaining some traction.  These two avenues continue to be the primary means for communicating updates as well as discounts on our Spreadshirt apparel.


Booster Packs

Originally the plan was to release two booster packs: the Threat booster, geared toward teaching individuals the threat landscape, and the DeckCon booster, geared toward providing more in-depth security awareness on many common topics.  In short, there was a problem with packing small booster packs, and as a result these two boosters were combined into one pack.  This new booster pack adds two completely new game mechanic modifiers for faster and more engaging play.


Gamecrafter Awards

This turned out to be a successful year for both the Gamecrafter and our card sales.  As a result, the core game was awarded four different sales awards throughout the year.  The Gamecrafter site, where the core game and booster packs can be purchased, prominently displays these awards in the top right corner of our game’s page.


BoardGame Geek

This year the game was also put on BoardGameGeek.  There is still a lot of work to do to get the name out there, and if you own the game we ask that you provide feedback and a review.


Website Updates

As with any online presence, the main Hackers & Agents website has been updated throughout the year to reflect these changes.