[Dailydave] A summary of all the RSA Keynotes and the future we have to beat.

Dave Aitel dave at immunityinc.com
Wed Apr 16 13:11:07 EDT 2014


Links you should hit first:
http://immunityproducts.blogspot.com/2014/04/revamping-el-jefe.html
http://www.rsaconference.com/videos/122/stop-looking-for-the-silver-bullet-start-thinking

One thing I noticed from watching all of the RSA keynotes is that they
all said the exact same things, often in the same words. For example, in
the HP keynote (above) you'll see the threads of "We're getting
outmatched" and "we need to move to real-time + big data
understanding". This is the exact same speech that Philippe Courtot
gave, that Stephen Trilling gave, that Kevin Mandia gave, that the Cisco
team gave. They were all the same. Which is interesting in and of
itself. All the big companies are moving in the same direction, or at
least want to.

But here is where they will potentially fail, in my opinion. First of
all, real-time response is incredibly hard, since nobody is sure what
response means beyond "kill that process". If you take a machine
offline, you might interrupt a critical business function in a way that
is not predictable. Likewise, the big data you rely on is going to be
fed to you by your attackers once they penetrate a box.

And deep down, without an offensive team, you don't know what you're
really looking for in the first place. For example, attackers are
quickly going to move to "C2C-less trojans" and "faster real time
attack". There's a great talk at INFILTRATE this year on how trojans are
going to use DRM techniques to frustrate automated analysis (INNUENDO is
the only commercial penetration testing tool I know that does this at
the moment, but soon it will be everywhere).

Immunity's efforts in the automated malicious activity detection area
can be seen in the El Jefe blog post above - El Jefe is free, but more
importantly you can start to see the benefits of using process-chain
analysis as we develop the product. The next release will tie in some
statistical analysis to provide adaptive anomaly detection (malicious
activity does not always mean malware - it can also mean someone just
sitting at your desk typing weird commands!). The Cuckoo integration in
the current release is pretty smooth as well, and we're hoping to have
this available to the public sometime next week!

Thanks,
Dave Aitel
Immunity, Inc.
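The post mentions process-chain analysis and statistical anomaly detection as the direction El Jefe is taking. The Python below is an added illustration of that idea, not El Jefe's or Immunity's code: it assumes process-creation telemetry of the form (timestamp, pid, ppid, image name), reconstructs each process's ancestry chain, counts how often each chain appeared in a baseline window, and flags processes in a later window whose chain was never (or rarely) seen before. All events are constructed for the example.

```python
"""Process-chain anomaly detection over constructed process-creation events.

Added example, not El Jefe code. Assumes each event is a tuple
(timestamp, pid, ppid, image); the sample data below is constructed.
"""
from collections import Counter
from typing import Counter as CounterT, Dict, List, Tuple

Event = Tuple[int, int, int, str]  # (timestamp, pid, ppid, image)

# Constructed "known-good" baseline window (not real telemetry).
BASELINE_EVENTS: List[Event] = [
    (1, 100, 1, "explorer.exe"),
    (2, 200, 100, "winword.exe"),
    (3, 201, 100, "outlook.exe"),
    (4, 202, 100, "chrome.exe"),
    (5, 203, 202, "chrome.exe"),
    (6, 204, 100, "cmd.exe"),
    (7, 205, 204, "ipconfig.exe"),
    (8, 206, 100, "winword.exe"),
    (9, 207, 100, "cmd.exe"),
    (10, 208, 207, "ipconfig.exe"),
]

# Constructed "today" window to score against the baseline.
CURRENT_EVENTS: List[Event] = [
    (100, 300, 1, "explorer.exe"),
    (101, 301, 300, "winword.exe"),
    (102, 302, 301, "cmd.exe"),         # document viewer spawning a shell
    (103, 303, 302, "powershell.exe"),  # shell spawning another interpreter
    (104, 304, 300, "cmd.exe"),
    (105, 305, 304, "ipconfig.exe"),    # same chain as in the baseline
]


def build_chains(events: List[Event]) -> Dict[int, Tuple[str, ...]]:
    """Map each pid to its ancestry chain: image names from the outermost
    known ancestor down to the process itself. Parents may appear in any
    order in the event list; unknown ancestors (e.g. pid 1) end the chain.
    A visited set guards against pid-reuse cycles in the telemetry."""
    parent: Dict[int, int] = {}
    image: Dict[int, str] = {}
    for _, pid, ppid, img in events:
        parent[pid] = ppid
        image[pid] = img
    chains: Dict[int, Tuple[str, ...]] = {}
    for pid in image:
        chain: List[str] = []
        cur, seen = pid, set()
        while cur in image and cur not in seen:
            seen.add(cur)
            chain.append(image[cur])
            cur = parent[cur]
        chains[pid] = tuple(reversed(chain))
    return chains


def baseline_counts(events: List[Event]) -> CounterT[Tuple[str, ...]]:
    """How many times each distinct ancestry chain occurred in the baseline."""
    return Counter(build_chains(events).values())


def score_events(current: List[Event], baseline: CounterT[Tuple[str, ...]],
                 min_seen: int = 1) -> List[Tuple[int, Tuple[str, ...], int]]:
    """Flag every process whose chain was seen fewer than `min_seen` times in
    the baseline. Returns (pid, chain, baseline_count) for each flagged pid."""
    flagged = []
    for pid, chain in build_chains(current).items():
        count = baseline[chain]
        if count < min_seen:
            flagged.append((pid, chain, count))
    return flagged


if __name__ == "__main__":
    base = baseline_counts(BASELINE_EVENTS)
    for pid, chain, count in score_events(CURRENT_EVENTS, base):
        print(f"pid {pid}: {' -> '.join(chain)} (seen {count}x in baseline)")
```

With these inputs the two processes under winword.exe are flagged because the chain explorer -> winword -> cmd never occurs in the baseline, while explorer -> cmd -> ipconfig is accepted because it occurred twice. Raising `min_seen` trades false positives for sensitivity; the chain itself, rather than a single process name, is what carries the signal, which is the point of the approach described above.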