Dailydave mailing list archives
Drinking the Cool-aid
From: Dave Aitel <dave () immunityinc com>
Date: Sat, 22 Feb 2014 10:28:28 -0500
Security Technology: Email Gateway (FireEye, TrendMicro, etc.)
What am I blind to? Best practices for sensitive information recommend endpoint-to-endpoint encryption such as GPG/PGP/SMIME. These completely blind any email gateway. Virtualization-based gateways are trivial to detect and evade by malware; signature-based gateways are trivial to bypass by being 0day.
Benefits: Can catch things headed inbound before they are on your network - and directly affect the way the majority of attacks happen.

Security Technology: Network Sniffers (Netwitness, Tenable PVS, IDS, IPS)
What am I blind to? Proper networks, even internally, should use IPSEC, HTTPS, or other cryptographic technology, which completely blinds these things. Archiving large amounts of traffic is insanely expensive and requires massive analytics to process (which makes you blind in retrospect even if you have the data, since you can't find it or draw conclusions off it). High level of false positives, since you cannot account for host configuration when on the network if not correlated properly with SIEM (which cuts into your trust of these products).
Benefits: Forces attackers to learn how to tunnel into innocuous traffic, which is a very good thing.

Security Technology: Network Scanners (Qualys, Nessus, Rapid7)
What am I blind to? Authenticated scanners are a bad practice (imho), but non-authenticated scanners have huge amounts of false positives. Continuous monitoring is required to capture devices as they pop up and down on the LAN, but proper network segmentation makes this extremely expensive. Again, with massive amounts of scan data comes massive responsibility for purchasing storage and analytics (aka, it's expensive). IPv6 makes scanning much more difficult as well. Likewise, scanners can interfere with the ability to do active response.
Benefits: Continuous monitoring allows good situational awareness of when assets are placed on your network, in a historical way that can be very useful later.

Security Technology: WAF
What am I blind to? Might protect you from input validation vulnerabilities without having to change source code and without impacting customer experience. But then again, might not. No way to know! Keeps life exciting.
Benefits: Makes attackers uncertain whether their attack will work. Directly addresses your ability to rapidly put defenses in place in one of the most vulnerable areas of your network (web apps).

Security Technology: Exploit Scanners (CORE, Rapid7, Immunity CANVAS)
What am I blind to? Might crash stuff. Using EMET or other host protection measures (ACLs, NAC, AV, etc.) can cause high false negative rates.
Benefits: Can often surprise you with how limited your host protection really is.

Security Technology: Modern HIPS (AV, Mandiant/Crowdstrike/El Jefe)
What am I blind to? Reputational systems are blind to PowerShell or AutoIT. Once the attacker is on the box, they can of course turn the software off.
Benefits: The attacker has to spend a lot of time writing things that turn off HIPS.

So one exercise I was going through in my head yesterday during this little mini-con was trying to figure out what the "Security Best Practices" were that would invalidate any given product category. These are usually pretty simple. Just as an example: sniffing products are invalidated by proper network crypto, and scanners are invalidated by proper network segmentation, etc.

Just something to think about in the product whirlyhaze that is RSA. It doesn't mean you shouldn't buy one of these product categories, but knowing where you are blind is a good thing, even if it sounds very negative for California.

-dave