[Dailydave] On Phillippe Courtot's RSAC Keynote

Dave Aitel dave at immunityinc.com
Tue Mar 25 14:24:00 EDT 2014 

http://www.rsaconference.com/videos/127/the-cloud-security-nightmare-or-our-next-great

Thoughts on Philippe Courtot's RSAC 2014 keynote.

One thing I notice about these keynotes as I go through them is that
there is a common issue with having the CEO of a company give a talk:
nobody tells them any bad news ever. So when they give talks, they are
likely to hear that the talk is amazing, and they practice it less, and
they don't edit them. I usually listen to each talk twice before I write
one of these review emails, and frankly, if anyone had done that with
the keynotes this or last year, they would have cut many minutes out of
them, and replaced them with the actual vision these executives are
trying to get across - which I guess is what I'm trying to do here, in
these emails.

So let's cut to the chase, which for Philippe's talk is about ten
minutes in:

  * "Because we have IPS/IDS, they have to scan very slowly, and so
    because we are doing continuous scanning and our scanners are
    white-listed, we can find vulnerabilities before they do". This is
    an interesting point. I think one problem is of course that
    continuous external scanning is false positive heavy. Attackers have
    no false positives - they either got inside the network or they
    didn't. It's a hole in Qualys's strategy that Rapid7 definitely saw
    - to integrate exploitation into scanning.
  * "Next-Gen firewalls brought application awareness, we need to bring
    in endpoint and threat awareness." (Yes, but easier said than done -
    this could probably have been expanded a lot during the talk at the
    expense of the first ten minutes!)
  * "Without Chip and Pin the hackers could re-invest part of their
    gains into automating their attacks"
  * With security we need real-time. ("Real-time" gets a lot of play in
    this talk. He's not wrong there, but real-time reporting is not
    going to solve anything. You have to layer on a level of automated
    response, which means a language of which machines and networks can
    be turned off or disconnected, or just disinfected. This is a huge
    task and I don't know any company on it at all. Qualys would be a
    good fit probably because it feeds into their asset management
    strengths.)
  * "Insist from the vendors that they have open architectures"
  * Brain in the cloud -> Significant advantage. There was a lot of
    "let's put smaller agents back on all the endpoints and roll all
    that data into the cloud and then magic analysis happens!"
  * There was a lot of talk of exfiltration filters, network sniffing
    and "open ports" which frankly I think is a bit old fashioned, or
    perhaps just focused more on effective network configuration
    management than security per-se. Hackers don't open ports any more.
    And modern implants (like INNUENDO) exfil over the protocols that
    you use.
  * Cost effective scalability by trimming down the complexity of OpenIOC

Also, I have to admit, I love that he puts his own email in the talk.
Not many CEOs do that. I CCed him on this email. :>

From a vision and strategy standpoint there are perhaps a few
interesting areas. First of all, what Qualys excels at is "Security at
Cost-effective Scale". You can feel this current throughout the talk.
But there is no magic security data analysis brain in the cloud, and
it's not clear there WILL be for some time. What data you capture, and
when, and how you format that data, and how that data changes over time,
is all a very complex subject matter. Do you capture what binaries are
running, like El Jefe
<https://www.immunityinc.com/products-eljefe.shtml> does? Do you capture
what web sites people visit? Do you capture every system call or file
the endpoints access? Do you just capture everything willy nilly and
send that data as unstructured text to the cloud for processing?

Likewise, Mandiant and Crowdstrike and Terremark and every other company
selling or using Indications of Compromise have explicit and deep
reasons to avoid cooperating on OpenIOC, and I don't see that changing
any time soon. Because they know the minute they do, Qualys is going to
eat their lunch.

After watching a lot of these talks I think what you have to do is ask
each executive at RSA how their vision differs from modern
reputation-system, brain-in-the-cloud, heuristics-based AV.

-dave


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140325/4a8d8a9b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140325/4a8d8a9b/attachment-0001.sig>

More information about the Dailydave mailing list