Dailydave mailing list archives
What is the next step?
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 18 Feb 2014 17:04:22 -0500
When we sell people El Jefe-related services (which we call "Digital Executive Protection") the first thing they ask is "Can we also have the data?" And the answer, surprising everyone, is "yes". There's no reason a company in this day and age can't have their own Splunk or ElasticSearch engine that allows them to search and sort a complete history of every program anyone in the company has ever executed. It's just so easy. I don't believe Crowdstrike and Mandiant allow you to do that yet, but I could be wrong.

And of course, from the other side, that kind of complete ongoing historical data makes life a lot harder for the attackers. Because there's a difference between being able to hide, to be unnoticed or unnoticeable, and being forced to win a race. Races cost a lot of energy and things can go wrong a lot faster.

I'm on a panel with Bruce Potter and a few other people this week and they gave us the questions ahead of time (which is a good idea, I think), and frankly I think just forcing the offense into a race is changing the game a bit. One interesting thing is that it probably didn't used to be the case that when your trojan was caught in one country, it was instantly caught in every country. AV, and in particular Kaspersky, have gotten quite good at really putting some pressure down here in a way that I think is quite new.

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
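The post's point is that a searchable, company-wide history of every program execution turns "hide" into "win a race": once an indicator becomes known, the defender can look back over the whole record instead of only watching from that moment on. The block below is an added example, not code from the original post or from Immunity's El Jefe or any Splunk/ElasticSearch deployment. It builds a small in-memory execution history with an assumed event schema (timestamp, host, user, path, sha256) over constructed sample events, then runs the two retrospective queries a responder actually wants: every host and user that ever ran a flagged hash, and which binaries appeared for the first time inside a time window. The hashes and hostnames are placeholders invented for the example.

```python
"""Retrospective queries over a process-execution history (added example).

Not the original post's code and not El Jefe; it only illustrates the
kind of lookback a Splunk/ElasticSearch index of "every program anyone
ever executed" makes possible. Event schema and sample data are assumed.
"""
from collections import defaultdict
from datetime import datetime, timezone


def parse_ts(s):
    """Parse the assumed ISO-8601 UTC timestamp format used in the events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events; assumed schema, placeholder hashes and hosts.
EVENTS = [
    {"ts": "2014-02-10T08:01:00Z", "host": "ws-001", "user": "alice",
     "path": r"C:\Windows\System32\cmd.exe", "sha256": "aaa111"},
    {"ts": "2014-02-10T09:15:00Z", "host": "ws-002", "user": "bob",
     "path": r"C:\Windows\System32\cmd.exe", "sha256": "aaa111"},
    {"ts": "2014-02-12T22:40:00Z", "host": "ws-003", "user": "carol",
     "path": r"C:\Users\carol\AppData\Local\Temp\update.exe", "sha256": "bad999"},
    {"ts": "2014-02-13T03:05:00Z", "host": "ws-003", "user": "carol",
     "path": r"C:\Users\carol\AppData\Local\Temp\update.exe", "sha256": "bad999"},
    {"ts": "2014-02-14T11:20:00Z", "host": "ws-017", "user": "dave",
     "path": r"C:\Users\dave\Downloads\update.exe", "sha256": "bad999"},
    {"ts": "2014-02-15T10:00:00Z", "host": "ws-004", "user": "erin",
     "path": r"C:\Program Files\Editor\editor.exe", "sha256": "ccc333"},
]


class ExecHistory:
    """Append-only history of executions, indexed by binary hash."""

    def __init__(self, events):
        # Keep events in time order so "first seen" is the head of each list.
        self.events = sorted(events, key=lambda e: parse_ts(e["ts"]))
        self.by_hash = defaultdict(list)
        for e in self.events:
            self.by_hash[e["sha256"]].append(e)

    def first_seen(self, sha256):
        """Earliest execution event for a hash, or None if never executed."""
        hits = self.by_hash.get(sha256)
        return hits[0] if hits else None

    def hosts_for(self, sha256):
        """Every host that has ever executed the hash."""
        return {e["host"] for e in self.by_hash.get(sha256, [])}

    def sweep(self, indicators):
        """Lookback for a list of flagged hashes: hash -> all (ts, host, user)."""
        return {h: [(e["ts"], e["host"], e["user"]) for e in self.by_hash.get(h, [])]
                for h in indicators}

    def new_hashes_between(self, start, end):
        """Hashes whose FIRST execution anywhere falls in [start, end).

        This is the query that forces the attacker's race: a binary that is
        new to the whole company is visible the moment the history is asked.
        """
        lo, hi = parse_ts(start), parse_ts(end)
        return {h for h, hits in self.by_hash.items()
                if lo <= parse_ts(hits[0]["ts"]) < hi}


if __name__ == "__main__":
    history = ExecHistory(EVENTS)
    # An indicator arrives after the fact; look back over the full record.
    print("first seen:", history.first_seen("bad999"))
    print("hosts:", sorted(history.hosts_for("bad999")))
    print("sweep:", history.sweep(["bad999", "zzz000"]))
    print("new in window:",
          sorted(history.new_hashes_between("2014-02-12T00:00:00Z",
                                            "2014-02-16T00:00:00Z")))
```

In a real deployment the same queries would be a search over the indexed telemetry (for instance a group-by on the hash field with the minimum timestamp), but the shape is identical: the history is the asset, and the question "where else and how early did this run?" is answered from the record rather than from what happened to be watched at the time.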