Abstract

The penetration of perimeter defenses on enterprise networks is commonplace in today's security environment. The question then becomes one of quick detection and mitigation. At Los Alamos National Laboratory, we conduct research on the cutting edge of statistical methods for the rapid detection of attackers inside enterprise networks, before they compromise core network assets. Attack signals are generally weak on a per-host basis, so it is necessary to combine the appropriate weak signals across the network to achieve high-quality detection performance. In this talk, I will demonstrate a tool, called PathScan, that uses dynamic graph theory along with sophisticated modeling techniques to combine the right behaviors on the network. I will briefly describe the method, show examples of real APT detections, and present an interactive, web-based user interface that enables incident responders to quickly identify and analyze the attack behavior. PathScan is a mature, operational tool that is currently undergoing commercialization and will be available on the security market in the near future, providing an opportunity for security professionals to acquire bleeding-edge technology. In addition, my goal with this talk is to inform the RSA Sandbox audience of the general direction of network detection research at Los Alamos, and to have an interactive discussion on the problems that Los Alamos faces and the solutions we propose to solve them.

Speaker: Joshua Neil, Los Alamos National Laboratory