Dailydave mailing list archives
Re: So, the security industry has given up on the principles of least privilege and separation?
From: Bob Mahoney <bob () zanshinsecurity com>
Date: Tue, 17 Feb 2009 12:14:02 -0500
In 2006, my company did a project for Dan, looking at the possibility
of crafting a zero-day deflecting rule set for the Verdasys Digital
Guardian product.
Dan allowed me to present an overview of the work at MIT's "Security
Camp" that summer, along with my thoughts on how the product might
enhance/improve incident response capability. PDF version, with
speaker's notes, but w/o clever animation, is available at:
http://www.zanshinsecurity.com/archive/Zanshin-DigitalGuardian-IR.pdf
Targeted for an audience of mostly security staff, from Boston-area
universities. The incident response thoughts are largely based in our
experiences "managing" MIT's response to Blaster. (We got *hurt*, in
about the $1 million range... a link to our paper on that subject is
in the notes, as well as other references, some to members of this
list.) I wish I'd had this tool available for Blaster; damage would
have been minimized, and my team would have gotten a little sleep.
Years of watching people deploying the wrong things, and being unable
to grasp how poorly they perform, is just depressing. But I was
genuinely impressed by DG (circa 2006, at least; I'm sure it's
continued to evolve). If I were offered a job today running a large
network of Windows machines, I'd probably want to negotiate the
purchase/deployment of DG up front. More importantly, it's a product
I think I could coexist peacefully with as an end user...
The product is interesting, and we had fun thinking up ways to do
useful things with it.
Disclaimer: Zanshin got paid for this work, although we're no longer
active under that name. I have never had a financial interest of any
sort in Verdasys or DG.
-Bob
On Feb 16, 2009, at 9:45 AM, dan () geer org wrote:
Digital Guardian is a recording reference monitor: an agent on every surveilled host communicating periodically with a no-wait-state collection depot arbitrarily located. The agent is small, tight, invisible, tamper-resistant, and low-load. Any touch whatsoever of local data is captured at the innermost operating system levels. Agents do 20,000-to-1 continuous log reduction, compress and encrypt bundles of these results, and push them to the collection system with end-to-end assurance, adapting to intermittent connectivity without intervention.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- So, the security industry has given up on the principles of least privilege and separation? Dave Korn (Feb 14)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? dan (Feb 17)
- Re: So, the security industry has given up on the principles of least privilege and separation? Bob Mahoney (Feb 17)
- Re: So, the security industry has given up on the principles of least privilege and separation? dan (Feb 17)
- Re: So, the security industry has given up on the principles of least privilege and separation? Joanna Rutkowska (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? Andre Gironda (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 17)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 16)
