Comments on TaoSecurity Blog: Simple Questions, Difficult Answers
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16T06:06:25-04:00. Seven comments, shown in chronological order.

Anonymous, 2010-06-06 16:16 (-04:00):
I agree 100%: this is the type of info an analyst or CIRT team needs in order to categorize events and view them within the context of their environment and "expected" traffic pattern and behavior. I would really like to see how these ideals and other "TAO" concepts scale in huge, globally diverse networks, especially if this type of visibility does not already exist.

Mister Reiner (http://misterreiner.wordpress.com), 2010-06-06 17:23 (-04:00):
All good questions indeed.

This is an oversimplification, but there are really only two things people want to prevent when it comes to servers: unauthorized control and unauthorized transfer of information. Unauthorized control can be achieved by injection of code or by compromising enabled remote control capabilities. One way unauthorized transfer of information can be achieved is by compromising the workstations of users that have authorized access to the information, which means having control of those workstations.

My questions for your CISO are:

1. What is in place to prevent/detect the injection of code, and what is the system's response to code injects?

2. How are you preventing exploitation of enabled remote control capabilities?

If you need to be called in, it means that security measures have been inadequate in preventing the above. It's like the owner of a bodyguard service asking, "Can you give me a call if you're out on a job and the client is killed?"

People need to change their mindset from being reactive to proactive. Too many people are focused on detecting things after the fact, well after the damage is already done. It's time for folks like your CISO to start asking different questions.

Don't get me wrong, I feel compromise detection capabilities are EXTREMELY important, but enabling more capability to detect things after the fact isn't making things more secure. Prevention should still be the number one priority.

Mister Reiner
http://misterreiner.wordpress.com

Anonymous, 2010-06-06 19:16 (-04:00):
Actually... both are equally important. As the saying goes, "Prevention eventually fails." Spend too much money on the prevention, and the detection won't exist. Standard trade-off that never seems to occur under the 'risk management' umbrella.

Anonymous (j.c.), 2010-06-06 22:35 (-04:00):
In the logs section: an NTP server is necessary to synchronize events.

Regards, Richard.

j.c.

Mister Reiner (http://misterreiner.wordpresss.com), 2010-06-07 03:07 (-04:00):
To Anon: There is a certain truth to "Prevention eventually fails," but I think that those implementations are predestined to fail, either because of a flawed implementation and/or a misguided belief that certain security measures/tools are actually effective and infallible.

We all know that compromise is inevitable and unavoidable, so we need to start architecting our network and security with that mindset. Protect the information at all costs, realize that certain assets will be compromised no matter what we do, and minimize the impact of those compromises until we can identify those assets and shut them down. And of course we need the right detection capabilities to do the latter. Ha ha. ;)

Brian (https://www.blogger.com/profile/16640260999072144665), 2010-06-07 08:44 (-04:00):
Not to complicate things, but what happens once the same application is moved to a private, internal, shared cloud? Does figuring out if something bad happened become easier or harder? Easier because you would have more control over the environment; harder because you don't necessarily know exactly where the application is running, what else is running on the same hardware, or a host of other things.

Anonymous, 2010-06-11 07:36 (-04:00):
Check this Swiss software company, NEXThink. I'm using them to get answers to a lot of the questions that you asked in a simple two mouse clicks.

They are doing real-time monitoring on the desktops, so I can even say immediately who is connected to all the servers, what account is used, what the applications are, etc., etc.