Dailydave mailing list archives

Re: C2

From: "Thomas J. Quinlan" <tom () thomasquinlan com>
Date: Mon, 03 Mar 2014 14:19:13 -0800

One of the trends I looked at when I was giving a talk at Info Crime
in London is that "Big Data" will actually become "Huge Data".  Think
of everything that people are monitoring now - and then think about
what they will be monitoring in even just a year's time.

One of the most important things most people are not monitoring is SSL
- with the new SSL visibility initiatives that most companies are
undergoing, they're going to have A LOT more data to start looking at.
Of course, they'll have to do this responsibly - it won't do any good
to view the admin's Citibank Online transfers to her daughter at uni
when someone's in your network exfiltrating all your stuff.

On 03/03/2014 12:08, al bell wrote:
The approach taken by many is to focus on quantity (big data)
instead of quality (right data). Knowing where and how to
instrument at the different layers is an art which is not being
taught anywhere. DevOps has improved the effectiveness of software
deployments. There is no reasonably good equivalent, no SecOps
built with a similar mindset.

On Mon, Mar 3, 2014 at 9:59 AM, Dominique Brezinski 
<dominique.brezinski () gmail com> wrote:
SO true Dave. The defender's dilemma is not that they have to
protect everything as you note. The dilemma is choosing the
instrumentation that is as syntactically simple as possible while
being semantically rich enough to indicate (I intentionally do
not use the word describe) a majority, if not all, meaningful
attack activity in the environment. An old friend taught me that,
which he learned from his advisor. That is your just enough data 
notion. Having worked with many of the big data tools out there,
while focusing on security analysis and detection, I completely
agree with you. There are just a couple of sources of data --
themselves observation points -- that when threaded together give
a defender all the insight they need to thwart attackers. Sadly,
this fact is not leveraged by a majority of defenders, nor is it
productized meaningfully in any way.


On Mon, Mar 3, 2014 at 9:03 AM, Dave Aitel <dave () immunityinc com> wrote:

One rather facetious saying that has annoyed everyone for a
while is the whole "defenders have to protect everything,
attackers just have to get in once" meme. If you talk to
defenders who are "leading" with new technologies and
techniques, the difference really does blur quite a bit. I was
happily surprised at the Tenable offsite to hear their big 
customers describe their continuous monitoring and SIEM
analytics techniques as their network "Command and Control".
It's a useful change to a more sophisticated mindset. You don't
hear people really acknowledging an advanced persistent defense
that often. :>

Of course, building proper C2C while under attack is itself
very hard. People very quickly fall into the "Big Data" trap -
we try to caution Justin from collecting more than he has to
with El Jefe. We don't want "Big Data" analysis. We want "Just
enough data" analysis!


_______________________________________________ Dailydave
mailing list Dailydave () lists immunityinc com 
