20130911 playing defense - plembo/onemoretech GitHub Wiki

title: Playing defense
link: https://onemoretech.wordpress.com/2013/09/11/playing-defense/
author: phil2nc
description:
post_id: 6325
created: 2013/09/11 12:32:22
created_gmt: 2013/09/11 16:32:22
comment_status: closed
post_name: playing-defense
status: publish
post_type: post

Playing defense

Defense is everything when it comes to system security. Unfortunately the really big (government) money appears to be (foolishly) concentrated on offense. Some good news below from this year's DEFCON.

Over the last few days we've discovered that the offense-centric strategies being employed by the U.S. and its allies have actually degraded our ability to effectively defend against attacks by other states and even economic competitors. Sort of like pulling the trigger and hitting your friend in the face with bird shot because you had insufficient situational awareness. Taking no account of predictable consequences is a key indicator of incompetence, or anarchy. Where I come from that kind of thing gets you hired. Apparently in other places it gets you a government pension.

Alexandre Pinto's talk at DEFCON 21 focused on using machine learning in defending networks. Defending Networks with Incomplete Information runs under an hour and could provide hope for those who have tried SEIM (Security Event and Incident Management) solutions and found them wanting. I especially appreciated his comparison of SEIM with Identity Management projects for their budget-busting qualities. From Alexandre's video notes:

Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attack detection technologies, our top security practitioners can only do so much in a 24 hour day. Even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do "simple" security monitoring effectively, let alone complex incident detection and response. Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something that could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst.

Copyright 2004-2019 Phil Lembo