<br><br>---------- Forwarded message ----------<br><span class="gmail_quote">From: <b class="gmail_sendername">Xu He</b> <<a href="mailto:xuminator@gmail.com">xuminator@gmail.com</a>><br>Date: May 8, 2007 9:03 AM<br>
Subject: Re: [Dailydave] Punching above your weight class<br>To: "Adriel T. Desautels" <<a href="mailto:adriel@netragard.com">adriel@netragard.com</a>><br><br></span>Threat Intelligence is expensive to obtain in-house, requires dedicated people who don't mind the tedious work of trolling on boards and forums, and who also actually understand threats and their implication to their business. To the C-levle execs, most threats just bullet points on a powerpoint to sell a product or project. This is the reason there are plenty of companies that offer intelligences, like Cyota, Cyveillance, iDefenses, etc. However, they are commercial entities and their goal is to generate profit, so they eventually adopt the mass market model like the AV companies. It's about covering the top 50% of "Threats", which at this time is mostly virus and trojans, and market the hell out of it for a quick buck.
<br><br>To truly understand threats to a business, you need passionate people who care and have the drive to not only collect the data, but also understand the data and how it applies to a particular business. CTO, CIO, CISO wants actionable data, information they can either use to get headcount, help elevate a project, or stop fraud, most of which these intelligence companies can't provide, because they don't understand and don't have the resource to understand the risk tolerance of each business.
<br><br>There is a place for the intelligence companies for data collection. However, if the companies don't have internal staff that can interpret the data properly and act on the data in a timely manner, then the intelligence is just an bombardment of useless information, just like all of those signs that pointed to the hijackers in 9/11.
<br><br><br>Accurate, Appropriate, Actionable (AAA), should be the three essential qualities of good intelligence. <br><span class="sg"><br>X</span><div><span class="e" id="q_1126bc99ec76c8dd_2"><br><br><br><br><div><span class="gmail_quote">
On 5/7/07, <b class="gmail_sendername">Adriel T. Desautels
</b> <<a href="mailto:adriel@netragard.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">adriel@netragard.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Dave,
<br> I couldn't agree with you more. When my partner and I founded Netragard<br>we did it with the intention of addressing the issue that you talk about<br>below.<br><br> Specifically, there is a significant gap in the level and the quality of
<br>security services being offered to businesses internationally, and the<br>actual threat level created by malicious hackers... To make matters worse,<br>that gap is growing rapidly.<br><br> *** A quick story...<br><br>
About three weeks ago I spoke on a panel during a CIO conference with Steve<br>Wozniak. Before my panel went up I was listening to the first panel present<br>their ideas about corporate security. One of the panelists began talking
<br>about defining "Acceptable Risk Levels" within organizations. (These were<br>CIO's, CTO's, CSO's etc for multi billion/million dollar companies.)<br><br>When I heard these people speaking I realized that they never got into
<br>anything specific. Instead it was as if they were just talking about ideas<br>that they briefly read about in magazines or online articles. So I decided<br>to ask them something specific.<br><br>My first question to them was "In order to properly understand your
<br>acceptable risk level you must first understand the threats faced by your<br>business, correct?"<br><br>They all nodded in agreement.<br><br>My second question to them was "Where do you get your threat intelligence?"
<br><br>None of them could answer the question, instead they tried to "market" their<br>way around it, or provided answers that were not at all related to the<br>question. Later I was accused of asking a "trick question", when there was
<br>nothing trick about it.<br><br> *** End of my quick story...<br><br>That's when it hit me. I've always known that a very significant gap existed<br>between the capabilities of malicious hackers and the IT defense
<br>capabilities of businesses and government agencies. What I never realized<br>was how little "good" threat intelligence was available to the people trying<br>to defend themselves against malicious hackers.<br>
<br>I've made it a point to always have good threat intelligence by maintaining<br>a team of people to harvest the intelligence for my business. So I suppose<br>that I just take the intelligence capability for granted, but what has the
<br>rest of the world been doing? Who are they trying to protect themselves<br>against if they don't have that capability?<br><br>I'm sure that many of the people on this list also have ways of collecting<br>threat intelligence, but then again the people on this list are most
<br>probably an acceptation. Am I wrong?<br><br>I'm very curious...<br><br><br>On 5/3/07 11:05 AM, "Dave Aitel" <<a href="mailto:dave@immunityinc.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
dave@immunityinc.com</a>> wrote:<br><br>> -----BEGIN PGP SIGNED MESSAGE-----
<br>> Hash: SHA1<br>><br>> The best hacker teams in the world right now may belong to organized<br>> crime groups. In my spare time in between packing lunch boxes and<br>> cleaning the floor under the high chair, I've been thinking about ways
<br>> in which these organizations differ from most commercial companies who<br>> do penetration testing. A company has a rather large budget, dedicated<br>> infrastructure, and an experienced and skilled staff. So why do so
<br>> many of them fight like flabby novices? The fact is, giving someone a<br>> LOT of money, and a big mission to solve, often gives them a good<br>> excuse to get fat and useless. I don't know how to solve your problem
<br>> if you're a hundred million dollar attack team yet. But if you're at<br>> ten million or less, these are the rules I've come up with.<br>><br>><br>> Six Rules for Punching Above Your Weight Class:
<br>> o Never use an exploit in the wild you don't completely understand. If<br>> you can't debug it on the fly, you can't use it<br>> o Don't split up research from attack. Your research team needs to be
<br>> focused on the mission.<br>> o Develop a fast-reaction team that can hit easy or very time critical<br>> vulnerabilities within 8 hours or less.<br>> o Be target focused<br>> o Develop technical partnerships with other people who can write
<br>> exploits. There just aren't that many of them.<br>> o One team, one mission. People naturally want to work on only Windows<br>> or only Unix, but that's not the way to success. Find people who can<br>
> work on the whole picture.<br>><br>> - -dave<br>> -----BEGIN PGP SIGNATURE-----<br>> Version: GnuPG v1.4.6 (GNU/Linux)<br>><br>> iD8DBQFGOfo7B8JNm+PA+iURAmnWAJ9fMkFiaNwsiOsiKUqgq2p3bJsv9QCg6u+7<br>
> Yc5yKpsBP3b857WvhQRtXkc=
<br>> =rzBU<br>> -----END PGP SIGNATURE-----<br>><br>> _______________________________________________<br>> Dailydave mailing list<br>> <a href="mailto:Dailydave@lists.immunitysec.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
Dailydave@lists.immunitysec.com
</a><br>> <a href="http://lists.immunitysec.com/mailman/listinfo/dailydave" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br><br>--<br>
<br>Regards,<br> Adriel T. Desautels<br> Chief Technology Officer - Netragard, LLC
<br> Office: 617-934-0269 || Mobile : 857-636-8882<br> <a href="http://www.linkedin.com/pub/1/118/a45" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.linkedin.com/pub/1/118/a45</a>
<br> <a href="http://www.netragard.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.netragard.com</a>
<br> -------------------------<br> "We make IT secure."<br><br><br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunitysec.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
Dailydave@lists.immunitysec.com
</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></blockquote>
</div><br>
</span></div>