[Dailydave] Improvements

Wim Remes wremes at gmail.com
Wed Feb 15 13:59:22 EST 2017


Isn't this what Phantom and other "security orchestration" companies are
pushing right now?

The biggest roadblock is that every traditional security vendor is trying
to be the "data hub", hoarding information. Badly constructed and horribly
documented APIs, stupid myopic dashboards, rate limiting on APIs, etc. etc.
are the trademarks of those data hoarders. I wonder how long it takes
before they realize they're contributing more by becoming data providers.
Hell, every RFP for security products should score their ability to provide
data.

Cheers,
Wim
On Wed, 15 Feb 2017 at 19:51, Jordan Wiens <jordan at psifertex.com> wrote:

> When I last played defender over a decade ago at a large university, we
> built what sounds like exactly the same sort of system. It was an ugly mess
> of perl and it worked fantastically. The rules were crude and didn't have
> nearly the visibility into the network (partially because the host
> inspection technologies didn't exist and partially because as a university
> security engineer you often don't have permission to touch most of the
> endpoints on your network), but we were wiring up the more reliable IDS
> signatures, DNS queries, and flow data indicators to:
>
> - our campus captive portal to de-auth
> - automatic emails to users and network administrators with specific
> remediation information
> - blackhole routes for managed machines until the local admin
> self-certified the host was cleaned
> - or in some cases, disable the user's login for repeat offenders of
> non-university machines until they visited the helpdesk to get cleaned
>
> At the time the signatures that were effective were mostly super dumb.
> Stuff like visiting known IRC C&C servers and channels, but it worked. It
> required manual effort to constantly tune actions and inputs, but it was a
> heck of a lot easier than trying to fight that flood by hand.
>
> It sounds like the specific actions and data ingests might be different,
> but the idea of rolling your own automated system hasn't changed a bit in
> ten years. Surprised to not hear more about the approach, but agree
> completely that no one vendor does it, and yet every vendor can easily be a
> part of it.
>
>
> On Wed, Feb 15, 2017 at 10:59 AM, Dave Aitel <dave.aitel at gmail.com> wrote:
>
>
> http://www.securityweek.com/crowdstrike-sues-nss-labs-prevent-publication-test-results
>
> One thing I've had problems with is learning that people can "get gud".
> It's one of the reasons I always cringe at the inevitable policy trope of
> "Cyber war is easier for attackers than defenders." Yesterday I was talking
> to a professional CISO - one of the ones I've known for years out of the
> NYC scene. He's like "Yes, individually none of the stuff anyone sells you
> works at all. But once you connect, say, Bromium, to the BlueCoat API with
> a bit of analysis glue you can have five minute response metrics, where
> once you find any anomaly, you can do memory searches for that running
> anywhere in your org, then automatically stuff those machines on their own
> VLANS.
>
> "When I join a new org, whatever random vendors they've bought into, I can
> make that really work. It doesn't really matter what they have, as long as
> they have something."
>
> Automated response has always been the real market. I can see people
> actually DOING it now, even though no product vendor wants to talk about
> it. And it's one of the few things that actually scares me as an attacker.
>
> -dave
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
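The tiered response Jordan describes above (reliable indicators feeding captive-portal de-auth, notification, a blackhole route lifted only when the local admin self-certifies, and login disable for repeat offenders on unmanaged machines) written out as a small policy engine. This is an added example, not code from the thread or from any product; the inventory, indicator names and repeat threshold are constructed.

```python
"""Tiered automated-response policy modelled on the actions described in
the thread. Added example; inventory, indicator names and thresholds are
constructed, not taken from the list or any vendor."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed inventory: hostname -> owner, whether a local admin manages it.
INVENTORY = {
    "lab-pc-12": {"owner": "jdoe", "managed": True, "admin": "lab-admin"},
    "dorm-laptop-7": {"owner": "asmith", "managed": False, "admin": None},
}
# Only the reliable, low-false-positive indicators are wired to actions.
RELIABLE = {"ids:known_irc_c2", "dns:known_c2_domain", "flow:c2_beacon"}


@dataclass
class Responder:
    repeat_threshold: int = 2
    offenses: Counter = field(default_factory=Counter)  # offenses per user
    blackholed: set = field(default_factory=set)        # hosts awaiting cleanup

    def decide(self, event):
        """Return the ordered response actions for one indicator event."""
        host = INVENTORY.get(event["host"])
        if host is None or event["indicator"] not in RELIABLE:
            return ["log_only"]          # unknown host or noisy signature
        user = host["owner"]
        self.offenses[user] += 1
        actions = ["captive_portal_deauth", f"email_user:{user}"]
        if host["managed"]:
            # Managed box: notify the admin and cut it off until they certify it.
            self.blackholed.add(event["host"])
            actions += [f"email_admin:{host['admin']}", "blackhole_route"]
        elif self.offenses[user] >= self.repeat_threshold:
            # Unmanaged repeat offender: force a helpdesk visit.
            actions.append("disable_login_until_helpdesk")
        return actions

    def self_certify(self, hostname):
        """Local admin attests the host is clean; lift the blackhole route."""
        if hostname not in self.blackholed:
            return False
        self.blackholed.discard(hostname)
        return True


if __name__ == "__main__":
    r = Responder()
    print(r.decide({"host": "lab-pc-12", "indicator": "dns:known_c2_domain"}))
```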