[Dailydave] Drinking the Cool-aid

yersinia yersinia.spiros at gmail.com
Sat Feb 22 15:14:43 EST 2014


Good post. Well written, clear; many agree with the contents. I have a
question, probably basic. If everything is encrypted, how can the poor sysadmin
do some basic troubleshooting? Do I have to be a hacker and do a
MITM for this? I dunno.
On 22 Feb 2014 16:28, "Dave Aitel" <dave at immunityinc.com> wrote:

>   Columns: *Security Technology* / *What am I blind to?* / *Benefits*
>
>   Security Technology: Email Gateway (FireEye, TrendMicro, etc.)
>   What am I blind to? Best practices for sensitive information recommend
> endpoint-to-endpoint encryption such as GPG/PGP/SMIME. These completely
> blind any email gateway. Virtualization-based gateways are trivial to
> detect and evade by malware; signature-based gateways are trivial to
> bypass by being 0day.
>   Benefits: Can catch things headed inbound before they are on your
> network - and directly affect the way the majority of attacks happen.
>
>   Security Technology: Network Sniffers (Netwitness, Tenable PVS, IDS, IPS)
>   What am I blind to? Proper networks, even internally, should use IPSEC,
> HTTPS, or other cryptographic technology, which completely blinds these
> things. Archiving large amounts of traffic is insanely expensive and
> requires massive analytics to process (which makes you blind in retrospect
> even if you have the data, since you can't find it or draw conclusions off
> it). High level of false positives since you cannot account for host
> configuration when on the network when not correlated properly with SIEM
> (which cuts into your trust of these products).
>   Benefits: Forces attackers to learn how to tunnel into innocuous
> traffic, which is a very good thing.
>
>   Security Technology: Network Scanners (Qualys, Nessus, Rapid7)
>   What am I blind to? Authenticated scanners are a bad practice (imho),
> but non-authenticated scanners have huge amounts of false positives.
> Continuous monitoring is required to capture devices as they pop up and
> down on the LAN, but proper network segmentation makes this extremely
> expensive. Again, with massive amounts of scan data comes massive
> responsibility for purchasing storage and analytics (aka, it's expensive).
> IPv6 makes scanning much more difficult as well. Likewise scanners can
> interfere with the ability to do active response.
>   Benefits: Continuous monitoring allows good situational awareness of
> when assets are placed on your network in a historical way that can be
> very useful later.
>
>   Security Technology: WAF
>   What am I blind to? Might protect you from input validation
> vulnerabilities without having to change source code and without
> impacting customer experience. But then again, might not. No way to know!
> Keeps life exciting.
>   Benefits: Makes attackers uncertain if their attack will work. Directly
> addresses your ability to rapidly put defenses in place in one of the most
> vulnerable areas of your network (web apps).
>
>   Security Technology: Exploit Scanners (CORE, Rapid7, Immunity CANVAS)
>   What am I blind to? Might crash stuff. Using EMET or other host
> protection measures (ACLs, NAC, AV, etc.) can cause high false negative
> rates.
>   Benefits: Can often surprise you with how limited your host protection
> really is.
>
>   Security Technology: Modern HIPS (AV, Mandiant/Crowdstrike/El Jefe)
>   What am I blind to? Reputational systems are blind to PowerShell or
> AutoIT. Once the attacker is on the box, they can of course turn the
> software off.
>   Benefits: Attacker has to spend a lot of time writing things that turn
> off HIPS.
>
> So one exercise I was going through in my head yesterday during this
> little mini-con is trying to figure out what the "Security Best Practices"
> were that would invalidate any given product category. These are usually
> pretty simple. Just as an example: Sniffing products are invalidated by
> proper network  crypto, and scanners are invalidated by proper network
> segmentation, etc.
>
> Just something to think about in the product whirlyhaze that is RSA. It
> doesn't mean you shouldn't buy one of these product categories, but knowing
> where you are blind is a good thing, even if it sounds very negative for
> California.
>
> -dave
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
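As an added example, not part of this thread or of Dave's table: the sysadmin's question above has a partial answer in what stays visible on an encrypted link. A TLS ClientHello is sent in the clear, so a passive sensor still reads the SNI hostname and offered cipher suites even though the application data that follows is opaque. The `build_client_hello` helper below constructs a sample record for the demo (no captured packet is used); the hostname is a placeholder.

```python
"""What a passive network sensor still sees on a TLS session: the SNI
hostname in the cleartext ClientHello. Application data stays opaque."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record with an SNI extension (sample input)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                      # client_version, random (zeroed)
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c" # two cipher suites
            + b"\x01\x00"                                # one compression method: null
            + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS handshake record, or None if absent.
    Records of any other content type (e.g. 0x17 application data) yield None."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                   # not a ClientHello
            return None
        p = 4 + 2 + 32                                      # header, version, random
        p += 1 + hs[p]                                      # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher_suites
        p += 1 + hs[p]                                      # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]   # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except (IndexError, struct.error):
        return None                                         # truncated or malformed
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("mail.example.com")))   # mail.example.com
    print(extract_sni(b"\x17\x03\x03\x00\x05hello"))              # None
```

The second call shows the limit: once the handshake is done, the sensor sees only record sizes and timing, which is exactly the blindness the table describes.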