Dailydave mailing list archives
Drinking the Cool-aid
From: Dave Aitel <dave () immunityinc com>
Date: Sat, 22 Feb 2014 10:28:28 -0500
Security Technology: Email Gateway (FireEye, TrendMicro, etc.)
What am I blind to? Best practices for sensitive information recommends endpoint to
endpoint encryption such as GPG/PGP/SMIME. These completely blind any
email gateway. Virtualization based gateways trivial to detect and evade
by malware; signature based gateways trivial to bypass by being 0day.
Benefits: Can catch things headed inbound before they are on your network - and
directly affect the way the majority of attacks happen.

Security Technology: Network Sniffers (Netwitness, Tenable PVS, IDS, IPS)
What am I blind to? Proper networks, even internally, should use IPSEC, HTTPS, or other
cryptographic technology, which completely blinds these things.
Archiving large amounts of traffic is insanely expensive and requires
massive analytics to process (which makes you blind in retrospect even
if you have the data, since you can't find it or draw conclusions off
it). High level of false positives since you cannot account for host
configuration when on the network when not correlated properly with SIEM
(which cuts into your trust of these products).
Benefits: Forces attackers to learn how to tunnel into innocuous traffic, which
is a very good thing.

Security Technology: Network Scanners (Qualys, Nessus, Rapid7)
What am I blind to? Authenticated scanners are a bad practice (imho), but non-authenticated
scanners have huge amounts of false positives. Continuous monitoring
required to capture devices as they pop up and down on the LAN, but
proper network segmentation makes this extremely expensive. Again, with
massive amounts of scan data comes massive responsibility for purchasing
storage and analytics (aka, it's expensive). IPv6 makes scanning much
more difficult as well. Likewise scanners can interfere with the ability
to do active response.
Benefits: Continuous monitoring allows good situational awareness of when assets
are placed on your network in a historical way that can be very useful
later.

Security Technology: WAF
What am I blind to? Might protect you from input validation vulnerabilities without having
to change source code and without impacting customer experience. But
then again, might not. No way to know! Keeps life exciting.
Benefits: Makes attackers uncertain if their attack will work. Directly addresses
your ability to rapidly put defenses in place in one of the most
vulnerable areas of your network (web apps).

Security Technology: Exploit Scanners (CORE, Rapid7, Immunity CANVAS)
What am I blind to? Might crash stuff. Using EMET or other host protection measures (ACLs,
NAC, AV, etc.) can cause high false negative rates.
Benefits: Can often surprise you with how limited your host protection really is.

Security Technology: Modern HIPS (AV, Mandiant/Crowdstrike/El Jefe)
What am I blind to? Reputational systems blind to powershell or AutoIT. Once attacker is on
the box, they can of course turn the software off.
Benefits: Attacker has to spend a lot of time writing things that turn off HIPS.
So one exercise I was going through in my head yesterday during this
little mini-con is trying to figure out what the "Security Best
Practices" were that would invalidate any given product category. These
are usually pretty simple. Just as an example: Sniffing products are
invalidated by proper network crypto, and scanners are invalidated by
proper network segmentation, etc.
Just something to think about in the product whirlyhaze that is RSA. It
doesn't mean you shouldn't buy one of these product categories, but
knowing where you are blind is a good thing, even if it sounds very
negative for California.
-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave