Dailydave mailing list archives
Re: Improvements
From: Wim Remes <wremes () gmail com>
Date: Wed, 15 Feb 2017 18:59:22 +0000
Isn't this what Phantom and other "security orchestration" companies are pushing right now? The biggest roadblock is that every traditional security vendor is trying to be the "data hub", hoarding information. Badly constructed and horribly documented APIs, stupid myopic dashboards, rate limiting on APIs, etc. etc. are the trademarks of those data hoarders. I wonder how long it takes before they realize they're contributing more by becoming data providers. Hell, every RFP for security products should score their ability to provide data.

Cheers,
Wim

On Wed, 15 Feb 2017 at 19:51, Jordan Wiens <jordan () psifertex com> wrote:
When I last played defender over a decade ago at a large university, we built what sounds like exactly the same sort of system. It was an ugly mess of perl and it worked fantastically. The rules were crude and didn't have nearly the visibility into the network (partially because the host inspection technologies didn't exist and partially because as a university security engineer you often don't have permission to touch most of the endpoints on your network), but we were wiring up the more reliable IDS signatures, DNS queries, and flow data indicators to:

- our campus captive portal to de-auth
- automatic emails to users and network administrators with specific remediation information
- blackhole routes for managed machines until the local admin self-certified the host was cleaned
- or in some cases, disable the user's login for repeat offenders of non-university machines until they visited the helpdesk to get cleaned

At the time the signatures that were effective were mostly super dumb. Stuff like visiting known IRC C&C servers and channels, but it worked. It required manual effort to constantly tune actions and inputs, but it was a heck of a lot easier than trying to fight that flood by hand.

It sounds like the specific actions and data ingests might be different, but the idea of rolling your own automated system hasn't changed a bit in ten years. Surprised to not hear more about the approach, but agree completely that no one vendor does it, and yet every vendor can easily be a part of it.

On Wed, Feb 15, 2017 at 10:59 AM, Dave Aitel <dave.aitel () gmail com> wrote:

http://www.securityweek.com/crowdstrike-sues-nss-labs-prevent-publication-test-results

One thing I've had problems with is learning that people can "get gud". It's one of the reasons I always cringe at the inevitable policy trope of "Cyber war is easier for attackers than defenders."
Yesterday I was talking to a professional CISO - one of the ones I've known for years out of the NYC scene. He's like "Yes, individually none of the stuff anyone sells you works at all. But once you connect, say, Bromium, to the BlueCoat API with a bit of analysis glue you can have five minute response metrics, where once you find any anomaly, you can do memory searches for that running anywhere in your org, then automatically stuff those machines on their own VLANS.

"When I join a new org, whatever random vendors they've bought into, I can make that really work. It doesn't really matter what they have, as long as they have something."

Automated response has always been the real market. I can see people actually DOING it now, even though no product vendor wants to talk about it. And it's one of the few things that actually scares me as an attacker.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
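The campus response loop Jordan describes above (reliable IDS, DNS and flow detections wired to portal de-auth, notification, blackhole routes and login disabling, with escalation for repeat offenders on unmanaged machines), as an added Python example that is not part of the original thread; the indicator names, the repeat threshold and the action labels are assumptions, and the detections fed through it are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed example: detections from the feeds named in the thread (IDS
# signatures, DNS queries, flow data) become response actions. Only indicators
# that proved reliable may trigger actions; the rest are kept for tuning.
RELIABLE_INDICATORS = {"irc-cnc-channel-join", "known-cnc-domain"}  # assumed names
REPEAT_THRESHOLD = 3  # assumed: third hit on an unmanaged host disables its login

@dataclass
class Detection:
    source: str                 # "ids", "dns" or "flow"
    host: str                   # campus address of the offending machine
    indicator: str              # matched signature or queried domain
    managed: bool               # True for a centrally administered machine
    user: Optional[str] = None  # portal login on the host, if known

@dataclass
class Responder:
    offences: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    untrusted: List[Detection] = field(default_factory=list)

    def decide(self, d: Detection) -> List[str]:
        """Return the actions to dispatch for one detection."""
        if d.indicator not in RELIABLE_INDICATORS:
            self.untrusted.append(d)  # recorded for tuning, never auto-actioned
            return []
        self.offences[d.host] += 1
        actions = [f"notify:{d.user or d.host}:{d.source}:{d.indicator}"]
        if d.managed:  # null-route until the local admin self-certifies the host
            actions.append(f"blackhole:{d.host}")
        elif self.offences[d.host] >= REPEAT_THRESHOLD and d.user:
            actions.append(f"disable_login:{d.user}")  # repeat offender: helpdesk visit
        else:
            actions.append(f"portal_deauth:{d.host}")  # first offences: drop the session
        return actions

def run_sample() -> List[List[str]]:
    """Feed a constructed sequence of detections through one Responder."""
    r = Responder()
    events = [
        Detection("ids", "10.1.2.3", "irc-cnc-channel-join", False, "alice"),
        Detection("dns", "10.1.2.3", "known-cnc-domain", False, "alice"),
        Detection("flow", "10.1.2.3", "unusual-port-scan", False, "alice"),
        Detection("ids", "10.1.2.3", "irc-cnc-channel-join", False, "alice"),
        Detection("dns", "10.9.0.7", "known-cnc-domain", True),
    ]
    return [r.decide(e) for e in events]
```

The third event is deliberately an indicator outside the reliable set, so it lands in the tuning bucket instead of triggering an action.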