On Philippe Courtot's RSAC Keynote
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 25 Mar 2014 14:24:00 -0400
Thoughts on Philippe Courtot's RSAC 2014 keynote.
One thing I notice about these keynotes as I go through them is that
there is a common issue with having the CEO of a company give a talk:
nobody tells them any bad news ever. So when they give talks, they are
likely to hear that the talk is amazing, and they practice it less, and
they don't edit them. I usually listen to each talk twice before I write
one of these review emails, and frankly, if anyone had done that with
the keynotes this or last year, they would have cut many minutes out of
them, and replaced them with the actual vision these executives are
trying to get across - which I guess is what I'm trying to do here, in
So let's cut to the chase, which for Philippe's talk is about ten
* "Because we have IPS/IDS, they have to scan very slowly, and so
because we are doing continuous scanning and our scanners are
white-listed, we can find vulnerabilities before they do". This is
an interesting point. I think one problem is of course that
continuous external scanning is false positive heavy. Attackers have
no false positives - they either got inside the network or they
didn't. It's a hole in Qualys's strategy that Rapid7 definitely saw
- to integrate exploitation into scanning.
* "Next-Gen firewalls brought application awareness, we need to bring
in endpoint and threat awareness." (Yes, but easier said than done -
this could probably have been expanded a lot during the talk at the
expense of the first ten minutes!)
* "Without Chip and Pin the hackers could re-invest part of their
gains into automating their attacks"
* With security we need real-time. ("Real-time" gets a lot of play in
this talk. He's not wrong there, but real-time reporting is not
going to solve anything. You have to layer on a level of automated
response, which means a language of which machines and networks can
be turned off or disconnected, or just disinfected. This is a huge
task and I don't know any company on it at all. Qualys would be a
good fit probably because it feeds into their asset management
* "Insist from the vendors that they have open architectures"
* Brain in the cloud -> Significant advantage. There was a lot of
"let's put smaller agents back on all the endpoints and roll all
that data into the cloud and then magic analysis happens!"
* There was a lot of talk of exfiltration filters, network sniffing
and "open ports" which frankly I think is a bit old fashioned, or
perhaps just focused more on effective network configuration
management than security per se. Hackers don't open ports any more.
And modern implants (like INNUENDO) exfil over the protocols that
* Cost effective scalability by trimming down the complexity of OpenIOC
Also, I have to admit, I love that he puts his own email in the talk.
Not many CEOs do that. I CCed him on this email. :>
From a vision and strategy standpoint there are perhaps a few
interesting areas. First of all, what Qualys excels at is "Security at
Cost-effective Scale". You can feel this current throughout the talk.
But there is no magic security data analysis brain in the cloud, and
it's not clear there WILL be for some time. What data you capture, and
when, and how you format that data, and how that data changes over time,
is all a very complex subject matter. Do you capture what binaries are
running, like El Jefe
<https://www.immunityinc.com/products-eljefe.shtml> does? Do you capture
what web sites people visit? Do you capture every system call or file
the endpoints access? Do you just capture everything willy-nilly and
send that data as unstructured text to the cloud for processing?
Likewise, Mandiant and Crowdstrike and Terremark and every other company
selling or using Indications of Compromise have explicit and deep
reasons to avoid cooperating on OpenIOC, and I don't see that changing
any time soon. Because they know the minute they do, Qualys is going to
eat their lunch.
After watching a lot of these talks I think what you have to do is ask
each executive at RSA how their vision differs from modern
reputation-system, brain-in-the-cloud, heuristics-based AV.
Dailydave mailing list
Dailydave () lists immunityinc com