Wednesday, September 20, 2006

I went to a meeting of the local InfraGard chapter (http://www.infragard.net/) today.

A couple of interesting things: a presentation by one of the agents who worked on the Zotob case. That case resulted in the arrest and conviction of a Moroccan citizen (and the ongoing prosecution of a Turkish citizen). It didn't hurt the investigation that the bots phoned home to a server in a domain named for one of the suspects. (Note to self: don't set up a botnet that uses irc.jimmythegeek.com for command and control. Other note to self: don't use the Google Maps link to my house for a domain name for botnet C&C, either. Other, other note to self: don't set up a botnet at all.)

A Cisco guy gave a presentation on "self-defending" networks, with the usual credibility-augmenting bashing of his own company's marketing department. Overall, I'd say there's a case to be made for multiple layers/levels of defense, all coordinated. The guy cited a competitor's approach (ISS?) that's "all about the math": no layer has to be perfect if, in the aggregate, the layers reduce the chances of successful exploitation to near zero. There was a little magic security spray (http://www.ranum.com/security/computer_security/marketing/index.html), but I suspect the claimed 1,500 programmers/researchers are able to gin up some useful behavioral characteristics to alert on. It would take time I don't have to evaluate whether it actually worked well.

Besides, it's unaffordable and annoyingly à la carte. Want an IPS? Sure! Just send massive ducats. Want reports out of it? That's extra. Want stats from the router or switch? That's extra. Ick. I don't want to spend another minute of my life managing licenses for tools to manage my real work.
