SANS THIR and BSides NOLA recap

This past week I had the pleasure of heading to New Orleans, LA to speak at two exciting conferences: The SANS Threat Hunting and Incident Response Summit and Security BSides NOLA.

SANS Threat Hunting and Incident Response (THIR) Summit

Though I missed the first day, I did arrive just in time for the THIR Summit party held at the House of Blues. The next day, however, I was able to attend a few talks including Jay DiMartino’s “To Catch an APT: YARA,” Joshua Theimer and Hao Wang’s “Proactive APT Hunting Style,” and Andrew White’s “A Longitudinal Study of the Little Endian that Could.”

I also had the opportunity to present my talk entitled “DIY DNS DFIR: You’re Doing it WRONG – slides available here – where I provided tips and tricks for leveraging DNS logs and patterns to aid in incident response engagements. After my talk, I chatted with several of the conference attendees and other presenters about how they define “threat hunting” and how mature their respective incident response programs are. The answers to both questions were all over the board with the definition of a “threat” being everything from an individual, to malware, to an environmental disaster and the maturity of incident response programs ranging from non-existent to regularly battle tested.


Perhaps the most interesting commentary from several attendees was that I should pursue standup comedy. Further reinforcement of this was seen on Twitter during my talk.

Also, it appears that I now have an Internet meme of sorts.

With over 300 attendees, I highly recommend that anyone involved in incident response or threat hunting (regardless of your definition of the term) put the SANS Threat Hunting and Incident Response Summit on their radar for next year.

Security BSides New Orleans (NOLA) 2016

Next up was Security BSides NOLA. This one-day event was a relaxed event with 3 concurrent tracks. I was able to attend Hal Pomeranz’s (@hal_pomeranz) talk entitled “You Don’t Know Jack About bash_history where he explained some of the nuances related to bash timestamps and the order of how entries are logged in different situations (slides). I also attended Sarah Edwards’ (@iamevltwin) “The iOS of Sauron – How iOS Tracks Everything You Do where she introduced the audience to her research into the locations of personal data stored on iOS based devices.


I also presented my Facilitating Fluffy Forensics 2.0 talk – slides available here– which was an update on the previous version of the talk from back in 2013. The objective of this talk was to highlight evolutions (or in some cases the lack thereof) to cloud provider terms-of-service (ToS) and forensic tools. There was an all too common question from the audience regarding how one could trust cloud provider certification and accreditation (C&A) when conducting a regulatory audit of a customer’s cloud instance. Unfortunately, there is no easy way to answer that particular question as the C&A is often left to the discretion of the auditor and/or the certification body. I explained that, in some cases, a customer could request to review a cloud provider’s C&A attestation documentation under an NDA – but even that may not tell the whole story.

If you’re looking for more details from the conference, a fairly thorough writeup can be found on this blog by a fellow attendee (

Up next is Interop Las Vegas on Friday, May 6th where I’ll be presenting “Managing IT Security With a Small (Or No) Staff.” If you’re planning on attending, please come find me and say hello.

For the full list of upcoming conferences, read my blog on meeting and discussing data awareness.

  Like This
Andrew Hay

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.