One of the trends I looked at when I was giving a talk at Info Crime in London is that "Big Data" will actually become "Huge Data". Think of everything that people are monitoring now - and then think about what they will be monitoring in even just a year's time.

One of the most important things most people are not monitoring is SSL - with the new SSL visibility initiatives that most companies are undergoing, they're going to have A LOT more data to start looking at. Of course, they'll have to do this responsibly - it won't do any good to view the admin's Citibank Online transfers to her daughter at uni when someone's in your network exfiltrating all your stuff.

On 03/03/2014 12:08, al bell wrote:
> The approach taken by many is to focus on quantity (big data)
> instead of quality (right data). Knowing where and how to
> instrument at the different layers is an art which is not being
> taught anywhere. DevOps has improved the effectiveness of software
> deployments. There is no reasonably good equivalent, no SecOps
> built with a similar mindset.
>
> On Mon, Mar 3, 2014 at 9:59 AM, Dominique Brezinski
> <[email protected]> wrote:
>> SO true Dave. The defender's dilemma is not that they have to
>> protect everything, as you note. The dilemma is choosing the
>> instrumentation that is as syntactically simple as possible while
>> being semantically rich enough to indicate (I intentionally do
>> not use the word describe) a majority, if not all, meaningful
>> attack activity in the environment. An old friend taught me that,
>> which he learned from his advisor. That is your just enough data
>> notion. Having worked with many of the big data tools out there,
>> while focusing on security analysis and detection, I completely
>> agree with you. There are just a couple of sources of data --
>> themselves observation points -- that when threaded together give
>> a defender all the insight they need to thwart attackers. Sadly,
>> this fact is not leveraged by a majority of defenders, nor is it
>> productized meaningfully in any way.
>>
>> Dom
>>
>> On Mon, Mar 3, 2014 at 9:03 AM, Dave Aitel <[email protected]>
>> wrote:
>>>
>>> One rather facetious saying that has annoyed everyone for a
>>> while is the whole "defenders have to protect everything,
>>> attackers just have to get in once" meme. If you talk to
>>> defenders who are "leading" with new technologies and
>>> techniques, the difference really does blur quite a bit. I was
>>> happily surprised at the Tenable offsite to hear their big
>>> customers describe their continuous monitoring and SIEM
>>> analytics techniques as their network "Command and Control".
>>> It's a useful change to a more sophisticated mindset. You don't
>>> hear people really acknowledging an advanced persistent defense
>>> that often. :>
>>>
>>> Of course, building proper C2C while under attack is itself
>>> very hard. People very quickly fall into the "Big Data" trap -
>>> we try to caution Justin from collecting more than he has to
>>> with El Jefe. We don't want "Big Data" analysis. We want "Just
>>> enough data" analysis!
>>>
>>> -dave
>>>
>>> _______________________________________________
>>> Dailydave mailing list
>>> [email protected]
>>> https://lists.immunityinc.com/mailman/listinfo/dailydave
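The "SSL visibility" point at the top of this thread, together with Dom's "syntactically simple, semantically rich" instrumentation criterion, has a concrete illustration that none of the posters gives: a great deal of what a defender wants from TLS traffic is in the plaintext ClientHello, before any decryption and before any transfer to anyone's daughter is visible. The following is an added example, not code from any participant or from Immunity; it builds a constructed ClientHello (not captured traffic) using the TLS 1.2 message layout and the SNI extension from RFC 6066, and parses out the fields worth logging: protocol version, offered cipher suites, extension types, and the server name. The function and variable names are this example's own.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)


def build_client_hello(sni, cipher_suites, session_id=b""):
    """Build a minimal TLS 1.2-style ClientHello record.

    Constructed test input for the parser below; not captured traffic.
    """
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random: zeros (constructed)
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Extract version, cipher suites, extension types and SNI from one TLS record.

    Returns None if the record is not a complete ClientHello. Nothing here
    needs keys or decryption: every field read is plaintext on the wire.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0

    def take(n):
        # Bounds-checked read so a truncated or lying length field cannot
        # make us silently parse garbage.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    try:
        version = struct.unpack("!H", take(2))[0]
        take(32)                    # random
        take(take(1)[0])            # session_id
        suites_raw = take(struct.unpack("!H", take(2))[0])
        suites = [struct.unpack("!H", suites_raw[i:i + 2])[0]
                  for i in range(0, len(suites_raw) - 1, 2)]
        take(take(1)[0])            # compression_methods
        ext_types, sni = [], None
        if pos < len(body):         # extensions block is optional
            ext_end = pos + struct.unpack("!H", take(2))[0]
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", take(4))
                edata = take(elen)
                ext_types.append(etype)
                if etype == EXT_SERVER_NAME:
                    sni = _server_name(edata)
    except ValueError:
        return None
    return {"version": version, "cipher_suites": suites,
            "extensions": ext_types, "sni": sni}


def _server_name(edata):
    """Return the first host_name entry of a ServerNameList, or None."""
    pos = 2                         # skip u16 list length
    while pos + 3 <= len(edata):
        name_type = edata[pos]
        name_len = struct.unpack("!H", edata[pos + 1:pos + 3])[0]
        name = edata[pos + 3:pos + 3 + name_len]
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii", "replace")
        pos += 3 + name_len
    return None


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0x1301, 0xC02F])
    print(parse_client_hello(sample))
```

A record of this shape per connection (plus the server's certificate, parsed the same way from the ServerHello side) is the kind of observation point the thread is arguing for: a few fields, cheap to collect on a span port, with no payload retained, yet enough to ask the questions that matter, such as which hosts are talking TLS to names never seen before, or to no name at all. Treat an absent SNI or an unparsable record as a signal to keep, not an error to drop.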
