
Note To Vendors: CISOs Don't Want Your Analytical Tools
User Rank: Apprentice
5/4/2015 | 11:43:39 AM
What if the needle isn't there?
Rick, great article and spot on. My issue with most of the Big Data Analytic solutions is their dependence on logs and alerts. Malware and malicious insiders are becoming increasingly good at NOT generating log entries, and obfuscating their actions. What this means is it doesn't matter how good a haystack puller you have, if the needles aren't there, you won't find anything. We need solutions that detect malicious behaviors in real time even when there are no log entries.
User Rank: Apprentice
4/29/2015 | 10:33:55 AM
Could Not Agree More
You are spot on Sir.

I would add that containment security can no longer be an emergency response plan or have utter absence from the IT security vocabulary. I have been writing about containment for over two years so it is great to find people that actually get it and care about it.

There are two types of containment approaches. 1) Spot or Surgical Containment - which is dependent on SIEM functionality to enable a containment action (note this approach is only as good as the data loaded in the SIEM). 2) Structural - which relies on physical or virtual end-to-end segmentation of the networks to eliminate shared routing and security elements that can be exploited for breach propagation. Quite frankly both are required and they are harmonious if implemented correctly.

When I was at Cybera we pioneered containment through virtual application networks (SDN WANs) and had over 70,000 sites implemented globally with companies like Shell, Verifone, ExxonMobil and Little Caesars. I have yet to see a viable structural containment solution on the market besides Cybera's.

If you want to read more about containment security see my blog at containmentsecurity . net
User Rank: Apprentice
4/28/2015 | 8:32:27 PM
Let's not get lost in the semantics
Containment (post-initial compromise and prior to data exfiltration) is just about the only thing all of us should be focused on. Those that think they can Prevent attacks believe the hype from perimeter security solution vendors who are still selling security products built on top of constructs from the 1990s. There will be no silver bullet solution due to an ever expanding attack surface, the creativity of the attacker, and human IT services users that will always click on something, surf to a bad website and download malicious code.

Containment means we (finally) acknowledge that attackers know we all have the basic stuff at the perimeter and what they want is to hack a human for credentials or have malware do it for them. In many organizations this is a fundamental disconnect. I don't think anyone can say that businesses have any real strategy for detecting attackers that leverage stolen valid user credentials.

The key is to be able to have a system that understands and learns what credential activities and access characteristics are normal for all of an organization's users, peel all that away and see what's left. This leads to the identification of compromised user accounts. With this visibility we can draw conclusions about what assets have been compromised before the data walks out the door. There were a few of these user behavior intelligence solutions on exhibit at RSA.
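The "learn what is normal, peel it away, look at what's left" approach described in the comment above, as an added illustration that is not part of the original thread: a per-user baseline of source hosts and active hours is learned from a quiet period, then applied to new authentication events so only the deviations (the candidate stolen-credential use) remain. All log lines, user names and host names are constructed for the example.

```python
# Added example: minimal user-behaviour baseline for credential activity.
# Learns per-user source hosts and active hours from constructed "normal" logs,
# then reports only the new events that fall outside that profile.
from collections import defaultdict

# Constructed baseline window: timestamp user source_host action
BASELINE_LOGS = """\
2015-04-01T09:02:11 alice ws-alice-01 login
2015-04-02T08:55:03 alice ws-alice-01 login
2015-04-02T17:40:10 alice vpn-gw-1 login
2015-04-01T10:03:00 bob ws-bob-07 login
2015-04-03T11:20:00 bob ws-bob-07 login
"""

# Constructed new events to score against the learned profile
NEW_LOGS = """\
2015-04-06T09:10:00 alice ws-alice-01 login
2015-04-06T03:12:00 alice ws-alice-01 login
2015-04-06T10:00:00 bob ws-alice-01 login
2015-04-06T11:00:00 bob ws-bob-07 login
"""

def parse(log_text):
    """Split whitespace-delimited lines into event dicts; hour is taken from the ISO timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, user, host, action = line.split()
        events.append({"ts": ts, "user": user, "host": host, "action": action, "hour": int(ts[11:13])})
    return events

def learn_baseline(events):
    """Per user: the set of source hosts seen and the earliest/latest active hour."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": []})
    for e in events:
        profile[e["user"]]["hosts"].add(e["host"])
        profile[e["user"]]["hours"].append(e["hour"])
    return profile

def find_anomalies(profile, events, hour_slack=1):
    """Return (timestamp, user, reasons) for events that do not match the user's profile."""
    findings = []
    for e in events:
        p = profile.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("user not seen in baseline")
        else:
            if e["host"] not in p["hosts"]:
                reasons.append("new source host %s" % e["host"])
            if not (min(p["hours"]) - hour_slack <= e["hour"] <= max(p["hours"]) + hour_slack):
                reasons.append("outside usual hours (%02d:00)" % e["hour"])
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings

def run():
    return find_anomalies(learn_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))
```

A real deployment would learn from weeks of events and add more dimensions (geography, application, data volume), but the shape is the same: the profile is a filter, and the residue is the investigation queue.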
User Rank: Ninja
4/28/2015 | 1:35:57 PM
Re: Spare Us the Sales Hype
When it comes down to it any informed individual understands that there is no silver bullet. With these solutions however there needs to be a cost model for implementing security safeguards and the value cannot outweigh business values such as revenue, etc. As much as we instill value into the business side of organizations we need to acknowledge and understand their justifications as well. If business generation becomes unsustainable due to the cost of implemented solutions, then security will indefinitely take a step backwards as the business goes under. As stated, many smaller organizations do not have the financial backing to implement a comprehensive security solution so they do the best of breed approach which, although optimal, will not yield the best results.

Education is a huge need as it's inexpensive and it's not as prevalent as it should be. This is a great point as education can help alleviate some of the pitfalls from a light security blueprint.
User Rank: Apprentice
4/28/2015 | 12:56:08 PM
What's wrong with "Response"?

One could argue that "Containment, Identification and Control" are all part of "Response," or even take a more nuanced view and say that it's just an extension of Prevent-Detect-Respond.

IMHO, the issue isn't that Bruce Schneier's description of the process of security is wrong, it's simply that HOW we Prevent, Detect and Respond have evolved with better tools over the last 15 years (thanks, in part, to better vendor tools - an opposite conclusion of this article). One could argue Containment is a form of Prevention, such as through virtual segmentation and other layer 2-7 adaptive security measures not available 15 years ago. Identification is a form of Detection - while some companies may struggle with traditional SIEM-in-a-SOC approaches, there are many that have excellent SIEM deployments including layering on machine learning anomaly detection, sandbox technologies, and data recording/analysis. Lastly, Control is just another part of Response, towards the tail end of the typical IR cycle.

I'd like to see a matrix of benefits of both approaches. I think the heavy overlap will show that there's nothing wrong with the original Process of Security. From Bruce in 2000: https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html

User Rank: Ninja
4/28/2015 | 12:23:24 PM
Spare Us the Sales Hype
In addition to methodology, the Security industry needs to be rid of the software outfits that are all hype. As anyone who has sat in front of a pentesting GNU/Linux distro knows, no one tool does it all. What you need are experienced programmers/hackers/techs who understand how to address each ecosystem and the context of potential or actual intrusion events, review the data, select the tools required for each situation/ecosystem/device, and implement an evolving strategy. But unfortunately, many of those disillusioned business owners are also victims of sales hype, having purchased software solutions that don't offer evolving strategy, don't offer people with experience, and claim or suggest they have "the" fix-all solution. We need more education out there as to what Information Security is and how to do it properly.