[Dailydave] C2

al bell ab4250 at gmail.com
Mon Mar 3 15:08:52 EST 2014


The approach taken by many is to focus on quantity (big data) instead
of quality (right data). Knowing where and how to instrument at the
different layers is an art which is not being taught anywhere. DevOps
has improved the effectiveness of software deployments. There is no
reasonably good equivalent, no SecOps built with a similar mindset.



On Mon, Mar 3, 2014 at 9:59 AM, Dominique Brezinski
<dominique.brezinski at gmail.com> wrote:
> SO true Dave. The defender's dilemma is not that they have to protect
> everything as you note. The dilemma is choosing the instrumentation that is
> as syntactically simple as possible while being semantically rich enough to
> indicate (I intentionally do not use the word describe) a majority, if not
> all, meaningful attack activity in the environment. An old friend taught me
> that, which he learned from his advisor. That is your just enough data
> notion. Having worked with many of the big data tools out there, while
> focusing on security analysis and detection, I completely agree with you.
> There are just a couple of sources of data -- themselves observation points
> -- that when threaded together give a defender all the insight they need to
> thwart attackers. Sadly, this fact is not leveraged by a majority of
> defenders, nor is it productized meaningfully in any way.
>
> Dom
>
>
> On Mon, Mar 3, 2014 at 9:03 AM, Dave Aitel <dave at immunityinc.com> wrote:
>>
>> One rather facetious saying that has annoyed everyone for a while is the
>> whole "defenders have to protect everything, attackers just have to get
>> in once" meme. If you talk to defenders who are "leading" with new
>> technologies and techniques, the difference really does blur quite a
>> bit. I was happily surprised at the Tenable offsite to hear their big
>> customers describe their continuous monitoring and SIEM analytics
>> techniques as their network "Command and Control". It's a useful change
>> to a more sophisticated mindset. You don't hear people really
>> acknowledging an advanced persistent defense that often. :>
>>
>> Of course, building proper C2C while under attack is itself very hard.
>> People very quickly fall into the "Big Data" trap - we try to caution
>> Justin from collecting more than he has to with El Jefe. We don't want
>> "Big Data" analysis. We want "Just enough data" analysis!
>>
>> -dave
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
>
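The "just enough data" idea the thread keeps circling (a couple of simple observation points that, threaded together, say more than either does alone) is easier to see in code than in prose. The example below is added here and is not code from anyone in the thread or from El Jefe. It assumes two constructed sources, process-start events and outbound-connection events, each reduced to a handful of fields, and an assumed baseline set of images that are expected to talk to the network; all event data, hostnames, addresses and the baseline are made up for illustration.

```python
"""Thread two small observation points together by (host, pid).

Neither source on its own says much: a process start says what ran, a
connection record says who talked to whom. Joined, each connection carries
the image and parent image behind it, which is what a detection rule needs.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not from any real system). The field set per
# source is deliberately minimal: timestamp, host, pid, and a few attributes.
PROCESS_EVENTS = [
    {"ts": "2014-03-03T14:00:01", "host": "ws17", "pid": 4120, "ppid": 980,  "image": "outlook.exe"},
    {"ts": "2014-03-03T14:00:05", "host": "ws17", "pid": 4188, "ppid": 4120, "image": "winword.exe"},
    {"ts": "2014-03-03T14:00:09", "host": "ws17", "pid": 4201, "ppid": 4188, "image": "cmd.exe"},
    {"ts": "2014-03-03T14:01:00", "host": "ws22", "pid": 2210, "ppid": 900,  "image": "chrome.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2014-03-03T14:00:02", "host": "ws17", "pid": 4120, "dst": "10.0.0.5",      "dport": 443},
    {"ts": "2014-03-03T14:00:11", "host": "ws17", "pid": 4201, "dst": "203.0.113.7",   "dport": 443},
    {"ts": "2014-03-03T14:01:03", "host": "ws22", "pid": 2210, "dst": "198.51.100.20", "dport": 443},
]

# Assumed baseline of images expected to open outbound connections. A real
# baseline is learned from the environment, not typed in from a list.
EXPECTED_NETWORK_CLIENTS = {"outlook.exe", "chrome.exe", "firefox.exe"}

Key = Tuple[str, int]


def index_processes(process_events: List[dict]) -> Dict[Key, dict]:
    """Map (host, pid) -> process record so a connection can be resolved to its program."""
    return {(e["host"], e["pid"]): e for e in process_events}


def thread_events(process_events: List[dict], network_events: List[dict]) -> List[dict]:
    """Join each connection to the process that made it and to that process's parent.

    A connection with no matching process start is kept, with image=None: that
    is a visibility gap in the instrumentation and is itself worth surfacing.
    """
    procs = index_processes(process_events)
    threaded: List[dict] = []
    for n in network_events:
        proc: Optional[dict] = procs.get((n["host"], n["pid"]))
        parent: Optional[dict] = None
        if proc is not None:
            parent = procs.get((n["host"], proc["ppid"]))
        threaded.append({
            "ts": n["ts"], "host": n["host"], "pid": n["pid"],
            "dst": n["dst"], "dport": n["dport"],
            "image": proc["image"] if proc else None,
            "parent_image": parent["image"] if parent else None,
        })
    return threaded


def unexpected_network_clients(threaded: List[dict], expected=EXPECTED_NETWORK_CLIENTS) -> List[dict]:
    """Flag connections made by images outside the baseline, or with no process record at all."""
    return [r for r in threaded if r["image"] not in expected]


if __name__ == "__main__":
    for rec in unexpected_network_clients(thread_events(PROCESS_EVENTS, NETWORK_EVENTS)):
        print(f"{rec['ts']} {rec['host']} pid={rec['pid']} {rec['image']} "
              f"(parent {rec['parent_image']}) -> {rec['dst']}:{rec['dport']}")
```

On the constructed data only the cmd.exe connection is flagged, and the joined record already says who its parent was, without collecting anything beyond the two small event types. One caveat a practitioner would raise: keying on (host, pid) alone assumes pids are not reused inside the analysis window; production instrumentation keys on a process start time or a per-process unique id as well.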

