Good post. Well written, Clear, many agree of the contents. I have a Question, probably Basic. If everything is encrypted how the poor sysadmin can do some Basic troubleshotting ? I have to be an hacker and doing an mitm for this ? I Dunno Il 22/feb/2014 16:28 "Dave Aitel" <[email protected]> ha scritto:
> *Security Technology* > *What am I blind to?* > *Benefits* > Email Gateway (FireEye, TrendMicro, etc.) > Best practices for sensitive information recommends endpoint to endpoint > encryption such as GPG/PGP/SMIME. These completely blind any email gateway. > Virtualization based gateways trivial to detect and evade by malware; > signature based gateways trivial to bypass by being 0day. > Can catch things headed inbound before they are on your network - and > directly effect the way the majority of attacks happen. > Network Sniffers (Netwitness, Tenable PVS, IDS, IPS) > Proper networks, even internally, should use IPSEC, HTTPS, or other > cryptographic technology, which completely blinds these things. Archiving > large amounts of traffic is insanely expensive and requires massive > analytics to process (which makes you blind in retrospect even if you have > the data, since you can't find it or draw conclusions off it). High level > of false positives since you cannot account for host configuration when on > the network when not correlated properly with SIEM (which cuts into your > trust of these products). > Forces attackers to learn how to tunnel into innocuous traffic, which is > a very good thing. > Network Scanners (Qualys, Nessus, Rapid7) > Authenticated scanners are a bad practice (imho), but non-authenticated > scanners have huge amounts of false positives. Continuous monitoring > required to capture devices as they pop up and down on the lan, but proper > network segmentation makes this extremely expensive. Again, with massive > amounts of scan data comes massive responsibility for purchasing storage > and analytics (aka, it's expensive). IPv6 makes scanning much more > difficult as well. Likewise scanners can interfere with the ability to do > active response. > Continuous monitoring allows good situational awareness of when assets > are placed on your network in a historical way that can be very useful > later. > WAF > Might protect you from input validation vulnerabilities without having > to change source code and without impacting customer experience. But then > again, might not. No way to know! Keeps life exciting. > Makes attackers uncertain if their attack will work. Directly addresses > your ability to rapidly put defenses in place in one of the most vulnerable > areas of your network (web apps). > Exploit Scanners (CORE, Rapid7, Immunity CANVAS) > Might crash stuff. Using EMET or other host protection measures (ACLs, > NAC, AV, etc.) can cause high false negative rates. > Can often surprise you with how limited your host protection really is. > Modern HIPS (AV, Mandiant/Crowdstrike/El Jefe) > Reputational systems blind to powershell or AutoIT. Once attacker is on > the box, they can of course turn the software off. > Attacker has to spend a lot of time writing things that turn off HIPS. > > So one exercise I was going through in my head yesterday during this > little mini-con is trying to figure out what the "Security Best Practices" > were that would invalidate any given product category. These are usually > pretty simple. Just as an example: Sniffing products are invalidated by > proper network crypto, and scanners are invalidated by proper network > segmentation, etc. > > Just something to think about in the product whirlyhaze that is RSA. It > doesn't mean you shouldn't buy one of these product categories, but knowing > where you are blind is a good thing, even if it sounds very negative for > California. > > -dave > > > > _______________________________________________ > Dailydave mailing list > [email protected] > https://lists.immunityinc.com/mailman/listinfo/dailydave > >
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
