Dailydave mailing list archives

Re: C2


From: Dominique Brezinski <dominique.brezinski () gmail com>
Date: Mon, 3 Mar 2014 09:59:23 -0800

SO true, Dave. The defender's dilemma is not that they have to protect
everything, as you note. The dilemma is choosing the instrumentation that is
syntactically as simple as possible while being semantically rich enough to
indicate (I intentionally do not use the word describe) a majority, if not
all, meaningful attack activity in the environment. An old friend taught me
that, which he learned from his advisor. That is your "just enough data"
notion. Having worked with many of the big data tools out there, while
focusing on security analysis and detection, I completely agree with you.
There are just a couple of sources of data -- themselves observation points
-- that when threaded together give a defender all the insight they need to
thwart attackers. Sadly, this fact is not leveraged by a majority of
defenders, nor is it productized meaningfully in any way.

Dom


On Mon, Mar 3, 2014 at 9:03 AM, Dave Aitel <dave () immunityinc com> wrote:

One rather facetious saying that has annoyed everyone for a while is the
whole "defenders have to protect everything, attackers just have to get
in once" meme. If you talk to defenders who are "leading" with new
technologies and techniques, the difference really does blur quite a
bit. I was happily surprised at the Tenable offsite to hear their big
customers describe their continuous monitoring and SIEM analytics
techniques as their network "Command and Control". It's a useful change
to a more sophisticated mindset. You don't hear people really
acknowledging an advanced persistent defense that often. :>

Of course, building proper C2C while under attack is itself very hard.
People very quickly fall into the "Big Data" trap - we try to caution
Justin from collecting more than he has to with El Jefe. We don't want
"Big Data" analysis. We want "Just enough data" analysis!

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave