<div dir="ltr">When I last played defender over a decade ago at a large university, we built what sounds like exactly the same sort of system. It was an ugly mess of perl and it worked fantastically. The rules were crude and didn't have nearly the visibility into the network (partially because the host inspection technologies didn't exist and partially because as a university security engineering you often don't have permission to touch most of the endpoints on your network), but we were wiring up the more reliable IDS signatures, DNS queries, and flow data indicators to:<div><br></div><div>- our campus captive portal to de-auth</div><div>- automatic emails to users and network administrators with specific remediation information</div><div>- blackhole routes for managed machines until the local admin self-certified the host was cleaned</div><div>- or in some cases, disable the user's login for repeat offenders of non-university machines until they visited the helpdesk to get cleaned</div><div><br></div><div>At the time the signatures that were effective were mostly super dumb. Stuff like visiting known IRC C&C servers and channels, but it worked. It required manual effort to constantly tune actions and inputs, but it was a heck of a lot easier than trying to fight that flood by hand. <div><br></div><div>It sounds like the specific actions and data ingests might be different, but the idea of rolling your own automated system hasn't changed a bit in ten years. Surprised to not hear more about the approach, but agree completely that no one vendor does it, and yet every vendor can easily be a part of it. </div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 15, 2017 at 10:59 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave.aitel@gmail.com" target="_blank">dave.aitel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><a href="http://www.securityweek.com/crowdstrike-sues-nss-labs-prevent-publication-test-results" target="_blank">http://www.securityweek.com/<wbr>crowdstrike-sues-nss-labs-<wbr>prevent-publication-test-<wbr>results</a><br><div><br></div><div><img alt="fRPrLXf.jpg" style="max-width:100%;opacity:1"><br></div><div>One thing I've had problems with is learning that people can "get gud". It's one of the reasons I always cringe at the inevitable policy trope of "Cyber war is easier for attackers than defenders. Yesterday I was talking to a professional CISO - one of the ones I've known for years out of the NYC scene. He's like "Yes, individually none of the stuff anyone sells you works at all. But once you connect, say, Bromium, to the BlueCoat API with a bit of analysis glue you can have five minute response metrics, where once you find any anomaly, you can do memory searches for that running anywhere in your org, then automatically stuff those machines on their own VLANS.</div><div><br></div><div>"When I join a new org, whatever random vendors they've bought into, I can make that really work. It does't really matter what they have, as long as they have something."</div><div><br></div><div>Automated response has always been the real market. I can see people actually DOING it now, even though no product vendor wants to talk about it. And it's one of the few things that actually scares me as an attacker.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-dave</div><div><br></div></font></span></div>
<br>______________________________<wbr>_________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.<wbr>com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/<wbr>mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>