Just because the security industry touts indicators of compromise (IOCs) as much needed intelligence in the war on attackers, the fact is that not every IOC is valuable enough to trigger an incident response (IR) activity. All too often our provided indicators contain information of varying quality including expired attribution, dubious origin, and incomplete details. So how many IOCs are needed before you can confidently declare an incident? Using actual investigations and research, this session will help attendees better understand the true value of an individual IOC, how to quantify and utilize your collected indicators, and what constitutes an actual incident.
After completing this session, the learner will:
- Know to quickly determine the value of an IOC
- Understand when more information is needed (and from what source)
- Make intelligent decisions on whether or not an incident should be declared
Andrew Hay, CTO at LEO Cyber Security, is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Co-Founder & CTO for LEO Cyber Security, he is responsible for the creation and driving of the strategic vision for the company.