[Dailydave] C2

Thomas J. Quinlan tom at thomasquinlan.com
Mon Mar 3 17:19:13 EST 2014



One of the trends I looked at when I was giving a talk at Info Crime
in London is that "Big Data" will actually become "Huge Data".  Think
of everything that people are monitoring now - and then think about
what they will be monitoring in even just a year's time.

One of the most important things most people are not monitoring is SSL
- with the new SSL visibility initiatives that most companies are
undergoing, they're going to have A LOT more data to start looking at.
Of course, they'll have to do this responsibly - it won't do any good
to view the admin's Citibank Online transfers to her daughter at uni
when someone's in your network exfiltrating all your stuff.


On 03/03/2014 12:08, al bell wrote:
> The approach taken by many is to focus on quantity (big data)
> instead of quality (right data). Knowing where and how to
> instrument at the different layers is an art which is not being
> taught anywhere. DevOps has improved the effectiveness of software
> deployments. There is no reasonably good equivalent, no SecOps
> built with a similar mindset.
> 
> 
> 
> On Mon, Mar 3, 2014 at 9:59 AM, Dominique Brezinski 
> <dominique.brezinski at gmail.com> wrote:
>> SO true Dave. The defender's dilemma is not that they have to
>> protect everything as you note. The dilemma is choosing the
>> instrumentation that is as syntactically simple as possible while
>> being semantically rich enough to indicate (I intentionally do
>> not use the word describe) a majority, if not all, meaningful
>> attack activity in the environment. An old friend taught me that,
>> which he learned from his advisor. That is your just enough data 
>> notion. Having worked with many of the big data tools out there,
>> while focusing on security analysis and detection, I completely
>> agree with you. There are just a couple of sources of data --
>> themselves observation points -- that when threaded together give
>> a defender all the insight they need to thwart attackers. Sadly,
>> this fact is not leveraged by a majority of defenders, nor is it
>> productized meaningfully in any way.
>> 
>> Dom
>> 
>> 
>> On Mon, Mar 3, 2014 at 9:03 AM, Dave Aitel <dave at immunityinc.com>
>> wrote:
>>> 
>>> One rather facetious saying that has annoyed everyone for a
>>> while is the whole "defenders have to protect everything,
>>> attackers just have to get in once" meme. If you talk to
>>> defenders who are "leading" with new technologies and
>>> techniques, the difference really does blur quite a bit. I was
>>> happily surprised at the Tenable offsite to hear their big 
>>> customers describe their continuous monitoring and SIEM
>>> analytics techniques as their network "Command and Control".
>>> It's a useful change to a more sophisticated mindset. You don't
>>> hear people really acknowledging an advanced persistent defense
>>> that often. :>
>>> 
>>> Of course, building proper C2C while under attack is itself
>>> very hard. People very quickly fall into the "Big Data" trap -
>>> we try to caution Justin from collecting more than he has to
>>> with El Jefe. We don't want "Big Data" analysis. We want "Just
>>> enough data" analysis!
>>> 
>>> -dave
>>> 
>>> _______________________________________________ Dailydave
>>> mailing list Dailydave at lists.immunityinc.com 
>>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>> 
>> 
>> 
