[Dailydave] What is the next step?

Dave Aitel dave at immunityinc.com
Tue Feb 18 17:04:22 EST 2014


When we sell people El Jefe related services (which we call "Digital
Executive Protection") the first thing they ask is "Can we also have the
data". And the answer is, surprising everyone, "yes". There's no reason
a company in this day and age can't have their own Splunk or
ElasticSearch engine that allows them to search and sort a complete
history of every program anyone in the company has ever executed. It's
just so easy. I don't believe Crowdstrike and Mandiant allow you to do
that yet, but I could be wrong.

And of course, from the other side, that kind of complete ongoing
historical data makes life a lot harder for the attackers. Because
there's a difference between being able to Hide, to be unnoticed or
unnoticeable, and being forced to win a race. Races cost a lot of energy
and things can go wrong a lot faster. I'm on a panel with Bruce Potter
and a few other people this week and they gave us the questions ahead of
time (which is a good idea I think) and frankly I think just forcing the
offense into a race is changing the game a bit.

One interesting thing is that it probably didn't use to be the case
that when your trojan was caught in one country, it was instantly caught
in every country. AV, and in particular Kaspersky, have gotten quite
good at really putting some pressure down here in a way that I think is
quite new.


-dave
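The first paragraph above describes keeping a complete, searchable history of every program anyone in the company has ever executed. The following is an added example, not code from this post, from El Jefe, or from Immunity: it stands in a small in-memory index for the Splunk or ElasticSearch engine the post mentions and answers the kind of questions a defender asks of such data (which hosts ever ran a given hash, when a binary was first seen, which binaries are rare across the fleet, what a given binary spawned). The event fields, hosts, paths and hash strings are all constructed placeholders, not real indicators.

```python
"""Searchable history of process executions over constructed sample data.

Added example, not code from the Dailydave post or from El Jefe/Immunity.
The ExecEvent shape (timestamp, host, user, image path, hash, parent image)
is an assumption about what a process-execution collector would record.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ExecEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the executed program
    sha256: str     # hash of the image on disk (placeholder strings below)
    parent: str     # image path of the parent process


# Constructed sample events; "hash-..." values are placeholders, not real IoCs.
T0 = datetime(2014, 2, 18, 9, 0, 0)
SAMPLE_EVENTS = [
    ExecEvent(T0, "ws-01", "alice", r"C:\Windows\explorer.exe",
              "hash-explorer", r"C:\Windows\System32\userinit.exe"),
    ExecEvent(T0 + timedelta(minutes=5), "ws-01", "alice", r"C:\Program Files\Office\winword.exe",
              "hash-winword", r"C:\Windows\explorer.exe"),
    ExecEvent(T0 + timedelta(minutes=7), "ws-01", "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe",
              "hash-aaaa", r"C:\Program Files\Office\winword.exe"),
    ExecEvent(T0 + timedelta(hours=1), "ws-02", "bob", r"C:\Windows\explorer.exe",
              "hash-explorer", r"C:\Windows\System32\userinit.exe"),
    ExecEvent(T0 + timedelta(hours=1, minutes=3), "ws-02", "bob", r"C:\Program Files\Office\winword.exe",
              "hash-winword", r"C:\Windows\explorer.exe"),
    ExecEvent(T0 + timedelta(hours=2), "ws-03", "carol", r"C:\Users\carol\AppData\Local\Temp\update.exe",
              "hash-aaaa", r"C:\Windows\explorer.exe"),
    ExecEvent(T0 + timedelta(hours=3), "ws-03", "carol", r"C:\Windows\System32\cmd.exe",
              "hash-cmd", r"C:\Users\carol\AppData\Local\Temp\update.exe"),
]


class ExecHistory:
    """Append-only index over execution events, keyed by hash and by host."""

    def __init__(self):
        self.events = []
        self.by_hash = defaultdict(list)
        self.by_host = defaultdict(list)

    def add(self, ev):
        self.events.append(ev)
        self.by_hash[ev.sha256].append(ev)
        self.by_host[ev.host].append(ev)

    def hosts_for_hash(self, sha256):
        """Every host that ever executed this hash, in order of first execution."""
        seen = []
        for ev in sorted(self.by_hash.get(sha256, []), key=lambda e: e.ts):
            if ev.host not in seen:
                seen.append(ev.host)
        return seen

    def first_seen(self, sha256):
        """Earliest execution timestamp for this hash, or None if never seen."""
        evs = self.by_hash.get(sha256)
        return min(e.ts for e in evs) if evs else None

    def rare_hashes(self, max_hosts=1):
        """Hashes executed on at most max_hosts distinct hosts: a cheap outlier list."""
        return sorted(h for h, evs in self.by_hash.items()
                      if len({e.host for e in evs}) <= max_hosts)

    def children_of(self, sha256):
        """Image paths of processes whose parent image carried this hash."""
        parents = {e.image for e in self.by_hash.get(sha256, [])}
        return sorted({e.image for e in self.events if e.parent in parents})


def build_history(events=SAMPLE_EVENTS):
    """Index the sample events and return the searchable history."""
    h = ExecHistory()
    for ev in events:
        h.add(ev)
    return h


if __name__ == "__main__":
    h = build_history()
    print("hosts that ran hash-aaaa:", h.hosts_for_hash("hash-aaaa"))
    print("hash-aaaa first seen:", h.first_seen("hash-aaaa"))
    print("hashes seen on a single host:", h.rare_hashes())
    print("spawned by hash-aaaa:", h.children_of("hash-aaaa"))
```

The index is deliberately append-only: the value of the record the post describes comes from never discarding an execution, so that a binary first noticed today can be traced back to the host and hour it first ran.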

