Dailydave mailing list archives

Re: Drinking the Cool-aid


From: yersinia <yersinia.spiros () gmail com>
Date: Sat, 22 Feb 2014 21:14:43 +0100

Good post. Well written, clear, many agree with the contents. I have a
question, probably basic. If everything is encrypted, how can the poor
sysadmin do some basic troubleshooting? Do I have to be a hacker and do a
MITM for this? I dunno.
On 22 Feb 2014 16:28, "Dave Aitel" <dave () immunityinc com> wrote:

  Security Technology / What am I blind to? / Benefits

  Email Gateway (FireEye, TrendMicro, etc.)
  What am I blind to? Best practices for sensitive information recommend
end-to-end encryption such as GPG/PGP/SMIME. These completely blind any
email gateway. Virtualization-based gateways are trivial for malware to
detect and evade; signature-based gateways are trivial to bypass by being
0day.
  Benefits: Can catch things headed inbound before they are on your
network, and directly affect the way the majority of attacks happen.

  Network Sniffers (Netwitness, Tenable PVS, IDS, IPS)
  What am I blind to? Proper networks, even internally, should use IPSEC,
HTTPS, or other cryptographic technology, which completely blinds these
things. Archiving large amounts of traffic is insanely expensive and
requires massive analytics to process (which makes you blind in retrospect
even if you have the data, since you can't find it or draw conclusions
from it). High level of false positives, since you cannot account for host
configuration on the network when not correlated properly with SIEM (which
cuts into your trust of these products).
  Benefits: Forces attackers to learn how to tunnel into innocuous
traffic, which is a very good thing.

  Network Scanners (Qualys, Nessus, Rapid7)
  What am I blind to? Authenticated scanners are a bad practice (imho), but
non-authenticated scanners have huge amounts of false positives. Continuous
monitoring is required to capture devices as they pop up and down on the
LAN, but proper network segmentation makes this extremely expensive. Again,
with massive amounts of scan data comes massive responsibility for
purchasing storage and analytics (aka, it's expensive). IPv6 makes scanning
much more difficult as well. Likewise, scanners can interfere with the
ability to do active response.
  Benefits: Continuous monitoring allows good situational awareness of
when assets are placed on your network, in a historical way that can be
very useful later.

  WAF
  What am I blind to? Might protect you from input validation
vulnerabilities without having to change source code and without impacting
customer experience. But then again, might not. No way to know! Keeps life
exciting.
  Benefits: Makes attackers uncertain if their attack will work. Directly
addresses your ability to rapidly put defenses in place in one of the most
vulnerable areas of your network (web apps).

  Exploit Scanners (CORE, Rapid7, Immunity CANVAS)
  What am I blind to? Might crash stuff. Using EMET or other host
protection measures (ACLs, NAC, AV, etc.) can cause high false negative
rates.
  Benefits: Can often surprise you with how limited your host protection
really is.

  Modern HIPS (AV, Mandiant/Crowdstrike/El Jefe)
  What am I blind to? Reputational systems are blind to PowerShell or
AutoIT. Once the attacker is on the box, they can of course turn the
software off.
  Benefits: Attacker has to spend a lot of time writing things that turn
off HIPS.

So one exercise I was going through in my head yesterday during this
little mini-con is trying to figure out what the "Security Best Practices"
were that would invalidate any given product category. These are usually
pretty simple. Just as an example: sniffing products are invalidated by
proper network crypto, and scanners are invalidated by proper network
segmentation, etc.

Just something to think about in the product whirlyhaze that is RSA. It
doesn't mean you shouldn't buy one of these product categories, but knowing
where you are blind is a good thing, even if it sounds very negative for
California.

-dave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
