[Dailydave] Going against the Gradient

Richard Bejtlich taosecurity at gmail.com
Wed Jan 23 21:35:08 EST 2008


Dave Aitel wrote:

> I posted a quick paper which I wrote for a private newsletter that
> went out in December.
> Quicky link is here:
> http://www.immunityinc.com/downloads/GoingAgainstTheGradient.pdf

Hi Dave,

In your paper you wrote:

"If you're wondering about this, just turn around and ask your million
dollars worth of IDS equipment and personnel when the last time they
caught a hacker was."

My answer: today.

I am not joking.  The question is knowing what to look for
(processes), tools that capture and inspect the right data (products),
and analysts who can analyze and escalate (people).

Can I deploy all three in a cost-effective manner, such that they will
be 100% effective at time of initial exploitation?  Of course not.

Can I use some combination to increase visibility and awareness, and
drive incident detection and response?  Of course!  I may not know
exactly what I need to immediately detect (much less prevent) an
intrusion, but given the right process-products-people it is possible
to at least do retrospective analysis, damage assessment, and then
improve resistance to future attack.

This is why I have advocated Network Security Monitoring for the last
six years as a "beyond IDS" methodology.  I've always acknowledged
that some intruders are ahead of defenders, but that's not a static
condition.

This has been an old story for the last ten years, but some of us are
still catching real bad guys for a living.

You finish by writing:

"Encryption, network protocol complexity, and continued attacker
innovation have rendered your existing security arsenal useless. This
year's question is: What are you going to do about it?"

Seriously (not sarcastically), what is your answer?  We do need help out here.

Sincerely,

Richard
