Dailydave mailing list archives

Fwd: Punching above your weight class


From: "Xu He" <xuminator () gmail com>
Date: Tue, 8 May 2007 09:04:16 -0400

---------- Forwarded message ----------
From: Xu He <xuminator () gmail com>
Date: May 8, 2007 9:03 AM
Subject: Re: [Dailydave] Punching above your weight class
To: "Adriel T. Desautels" <adriel () netragard com>

Threat Intelligence is expensive to obtain in-house, requires dedicated
people who don't mind the tedious work of trolling on boards and forums, and
who also actually understand threats and their implication to their
business.  To the C-level execs, most threats are just bullet points on a
PowerPoint to sell a product or project.  This is the reason there are
plenty of companies that offer intelligence, like Cyota, Cyveillance,
iDefense, etc.  However, they are commercial entities and their goal is to
generate profit, so they eventually adopt the mass market model like the AV
companies.  It's about covering the top 50% of "Threats", which at this time
is mostly viruses and trojans, and marketing the hell out of it for a quick buck.


To truly understand threats to a business, you need passionate people who
care and have the drive to not only collect the data, but also understand
the data and how it applies to a particular business.  CTOs, CIOs and CISOs want
actionable data, information they can either use to get headcount, help
elevate a project, or stop fraud, most of which these intelligence companies
can't provide, because they don't understand and don't have the resources to
understand the risk tolerance of each business.

There is a place for the intelligence companies for data collection.
However, if the companies don't have internal staff that can interpret the
data properly and act on the data in a timely manner, then the intelligence
is just a bombardment of useless information, just like all of those signs
that pointed to the hijackers in 9/11.


Accurate, Appropriate, Actionable (AAA), should be the three essential
qualities of good intelligence.

X



On 5/7/07, Adriel T. Desautels <adriel () netragard com> wrote:

Dave,
   I couldn't agree with you more.  When my partner and I founded Netragard
we did it with the intention of addressing the issue that you talk about
below.

  Specifically, there is a significant gap in the level and the quality of
security services being offered to businesses internationally, and the
actual threat level created by malicious hackers... To make matters worse,
that gap is growing rapidly.

   *** A quick story...

About three weeks ago I spoke on a panel during a CIO conference with Steve
Wozniak.  Before my panel went up I was listening to the first panel present
their ideas about corporate security. One of the panelists began talking
about defining "Acceptable Risk Levels" within organizations. (These were
CIOs, CTOs, CSOs etc. for multi-billion/million-dollar companies.)

When I heard these people speaking I realized that they never got into
anything specific. Instead it was as if they were just talking about ideas
that they briefly read about in magazines or online articles. So I decided
to ask them something specific.

My first question to them was "In order to properly understand your
acceptable risk level you must first understand the threats faced by your
business, correct?"

They all nodded in agreement.

My second question to them was "Where do you get your threat intelligence?"

None of them could answer the question, instead they tried to "market" their
way around it, or provided answers that were not at all related to the
question. Later I was accused of asking a "trick question", when there was
nothing tricky about it.

    *** End of my quick story...

That's when it hit me. I've always known that a very significant gap existed
between the capabilities of malicious hackers and the IT defense
capabilities of businesses and government agencies. What I never realized
was how little "good" threat intelligence was available to the people trying
to defend themselves against malicious hackers.

I've made it a point to always have good threat intelligence by maintaining
a team of people to harvest the intelligence for my business. So I suppose
that I just take the intelligence capability for granted, but what has the
rest of the world been doing? Who are they trying to protect themselves
against if they don't have that capability?

I'm sure that many of the people on this list also have ways of collecting
threat intelligence, but then again the people on this list are most
probably an exception. Am I wrong?

I'm very curious...


On 5/3/07 11:05 AM, "Dave Aitel" <dave () immunityinc com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The best hacker teams in the world right now may belong to organized
> crime groups. In my spare time in between packing lunch boxes and
> cleaning the floor under the high chair, I've been thinking about ways
> in which these organizations differ from most commercial companies who
> do penetration testing. A company has a rather large budget, dedicated
> infrastructure, and an experienced and skilled staff. So why do so
> many of them fight like flabby novices? The fact is, giving someone a
> LOT of money, and a big mission to solve, often gives them a good
> excuse to get fat and useless. I don't know how to solve your problem
> if you're a hundred million dollar attack team yet. But if you're at
> ten million or less, these are the rules I've come up with.
>
>
> Six Rules for Punching Above Your Weight Class:
> o Never use an exploit in the wild you don't completely understand. If
> you can't debug it on the fly, you can't use it
> o Don't split up research from attack. Your research team needs to be
> focused on the mission.
> o Develop a fast-reaction team that can hit easy or very time critical
> vulnerabilities within 8 hours or less.
> o Be target focused
> o Develop technical partnerships with other people who can write
> exploits. There just aren't that many of them.
> o One team, one mission. People naturally want to work on only Windows
> or only Unix, but that's not the way to success. Find people who can
> work on the whole picture.
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGOfo7B8JNm+PA+iURAmnWAJ9fMkFiaNwsiOsiKUqgq2p3bJsv9QCg6u+7
> Yc5yKpsBP3b857WvhQRtXkc=
> =rzBU
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

--

Regards,
    Adriel T. Desautels
    Chief Technology Officer - Netragard, LLC
    Office: 617-934-0269 || Mobile : 857-636-8882
    http://www.linkedin.com/pub/1/118/a45
    http://www.netragard.com
    -------------------------
    "We make IT secure."

