Dailydave mailing list archives
On Philippe Courtot's RSAC Keynote
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 25 Mar 2014 14:24:00 -0400
http://www.rsaconference.com/videos/127/the-cloud-security-nightmare-or-our-next-great

Thoughts on Philippe Courtot's RSAC 2014 keynote.

One thing I notice about these keynotes as I go through them is that there is a common issue with having the CEO of a company give a talk: nobody tells them any bad news ever. So when they give talks, they are likely to hear that the talk is amazing, and they practice it less, and they don't edit them. I usually listen to each talk twice before I write one of these review emails, and frankly, if anyone had done that with the keynotes this or last year, they would have cut many minutes out of them, and replaced them with the actual vision these executives are trying to get across - which I guess is what I'm trying to do here, in these emails.

So let's cut to the chase, which for Philippe's talk is about ten minutes in:

* "Because we have IPS/IDS, they have to scan very slowly, and so because we are doing continuous scanning and our scanners are white-listed, we can find vulnerabilities before they do." This is an interesting point. I think one problem is of course that continuous external scanning is false positive heavy. Attackers have no false positives - they either got inside the network or they didn't. It's a hole in Qualys's strategy that Rapid7 definitely saw - to integrate exploitation into scanning.

* "Next-Gen firewalls brought application awareness, we need to bring in endpoint and threat awareness." (Yes, but easier said than done - this could probably have been expanded a lot during the talk at the expense of the first ten minutes!)

* "Without Chip and Pin the hackers could re-invest part of their gains into automating their attacks."

* With security we need real-time. ("Real-time" gets a lot of play in this talk. He's not wrong there, but real-time reporting is not going to solve anything. You have to layer on a level of automated response, which means a language of which machines and networks can be turned off or disconnected, or just disinfected. This is a huge task and I don't know any company on it at all. Qualys would be a good fit probably because it feeds into their asset management strengths.)

* "Insist from the vendors that they have open architectures."

* Brain in the cloud -> Significant advantage. There was a lot of "let's put smaller agents back on all the endpoints and roll all that data into the cloud and then magic analysis happens!"

* There was a lot of talk of exfiltration filters, network sniffing and "open ports" which frankly I think is a bit old fashioned, or perhaps just focused more on effective network configuration management than security per se. Hackers don't open ports any more. And modern implants (like INNUENDO) exfil over the protocols that you use.

* Cost effective scalability by trimming down the complexity of OpenIOC.

Also, I have to admit, I love that he puts his own email in the talk. Not many CEOs do that. I CCed him on this email. :>

From a vision and strategy standpoint there are perhaps a few interesting areas. First of all, what Qualys excels at is "Security at Cost-effective Scale". You can feel this current throughout the talk. But there is no magic security data analysis brain in the cloud, and it's not clear there WILL be for some time. What data you capture, and when, and how you format that data, and how that data changes over time, is all a very complex subject matter. Do you capture what binaries are running, like El Jefe <https://www.immunityinc.com/products-eljefe.shtml> does? Do you capture what web sites people visit? Do you capture every system call or file the endpoints access? Do you just capture everything willy-nilly and send that data as unstructured text to the cloud for processing?

Likewise, Mandiant and Crowdstrike and Terremark and every other company selling or using Indications of Compromise have explicit and deep reasons to avoid cooperating on OpenIOC, and I don't see that changing any time soon. Because they know the minute they do, Qualys is going to eat their lunch.

After watching a lot of these talks I think what you have to do is ask each executive at RSA how their vision differs from modern reputation-system, brain-in-the-cloud, heuristics-based AV.

-dave