Dailydave mailing list archives
Solutions
From: dave <dave () immunityinc com>
Date: Fri, 25 Jun 2010 16:52:23 -0400
So when I gave the FIRST talk, one of the questions was "What is the solution?" which when people ask that usually has a slight overtone of "It's easy to knock the blocks down, but not to set them up!" to it.

Here's what I see: The major problem with 90's era technology (i.e. scanners/sniffers!) is that they are in a very high noise/low signal environment. This is as true for static code analysers as it is for IDSs and Web Application Firewalls. Immunity sees lots of success (and has for many years) with organizations that have done high level instrumentations against their applications, and then used powerful data mining tools to look at that data. But with all Things That Really Work (tm), there are many traps:

1. Analysis is mind-bogglingly expensive. It takes lots of time, you never know if you're going to find something useful, and the people and tools to do it are expensive. Palantir is just one example of how hard this problem is in general, but even just having the DISK SPACE to do it on is prohibitive.

2. Choosing what to instrument is extremely hard as well. There's some work being done on this: http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

3. Visualization is hard - security visualization often is great once you already have found something (i.e. "Here it is in a pretty graph"). If you haven't already found something, visualization is a hard thing to make "exploratory". Especially with lots of data.

___________________________________________________________________________________

So what you see is the start-up of what I like to call the "Application SOC". It's like a network SOC, but way more expensive, and with the chance of being actually useful! :>

I'll go more into this whole thing when El Jefe goes into Beta, but for now, who has gotten caught by something like this?
-dave
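To make the "instrument the application, then mine the events" idea concrete, here is a small added example. It is not code from Dave's post, from Immunity, or from the OWASP AppSensor project: a toy endpoint emits AppSensor-style detection events (the point ids `IE1` and `ACE3`, the thresholds, the user names and the constructed request sequence are all assumptions), and a sliding-window pass over the event stream separates one user's single typo (noise) from another user's burst of requests for documents they do not own (signal).

```python
"""AppSensor-style instrumentation plus a simple event-mining pass.

Added example, not code from the Dailydave post, Immunity or OWASP AppSensor.
Detection point ids, thresholds, users and the request sequence are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionEvent:
    ts: float       # seconds since epoch (constructed timestamps below)
    user: str
    point: str      # detection point id, e.g. "IE1" = input validation failure
    detail: str


class Instrumentation:
    """Collects detection events emitted from inside the application."""

    def __init__(self):
        self.events = []

    def emit(self, ts, user, point, detail=""):
        self.events.append(DetectionEvent(ts, user, point, detail))


def handle_fetch_document(instr, ts, user, owner_of, doc_id):
    """Toy endpoint: a user asks for a document by id.

    Emits IE1 when the id is malformed/unknown and ACE3 when the user
    requests a document owned by someone else (hypothetical point ids).
    """
    owner = owner_of.get(doc_id)
    if owner is None:
        instr.emit(ts, user, "IE1", f"unknown doc id {doc_id!r}")
        return None
    if owner != user:
        instr.emit(ts, user, "ACE3", f"requested {doc_id} owned by {owner}")
        return None
    return f"contents of {doc_id}"


def mine(events, window_seconds=60, thresholds=None):
    """Sliding-window count per (user, point); alert when a threshold is reached.

    Returns a list of (user, point, ts) tuples, one per burst that crosses
    the threshold. Isolated events never alert, which is the whole point of
    mining the stream instead of paging on every single event.
    """
    thresholds = thresholds or {"IE1": 5, "ACE3": 3}   # assumed per-point limits
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = windows[(ev.user, ev.point)]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_seconds:     # drop events outside the window
            q.popleft()
        limit = thresholds.get(ev.point)
        if limit is not None and len(q) == limit:      # fire once when the burst first reaches the limit
            alerts.append((ev.user, ev.point, ev.ts))
    return alerts


def run_demo():
    """Constructed scenario: alice makes one typo, bob walks through ids he doesn't own."""
    instr = Instrumentation()
    owner_of = {f"doc{i}": ("alice" if i % 2 else "bob") for i in range(1, 11)}
    handle_fetch_document(instr, 0.0, "alice", owner_of, "doc1")    # own doc, no event
    handle_fetch_document(instr, 1.0, "alice", owner_of, "doc1x")   # typo -> one IE1
    for i, t in enumerate(range(10, 16)):                            # bob requests doc1..doc6
        handle_fetch_document(instr, float(t), "bob", owner_of, f"doc{i + 1}")
    return instr.events, mine(instr.events)


if __name__ == "__main__":
    events, alerts = run_demo()
    for ev in events:
        print(f"{ev.ts:6.1f} {ev.user:6} {ev.point:5} {ev.detail}")
    print("alerts:", alerts)
```

Running it produces four detection events but a single alert, for bob's ACE3 burst; alice's lone IE1 stays below threshold. The two knobs that matter in practice are exactly the traps in the post: which detection points to emit (what to instrument) and how long to retain the per-user windows (disk and memory cost grow with both).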