Dailydave mailing list archives
Fwd: Punching above your weight class
From: "Xu He" <xuminator () gmail com>
Date: Tue, 8 May 2007 09:04:16 -0400
---------- Forwarded message ----------
From: Xu He <xuminator () gmail com>
Date: May 8, 2007 9:03 AM
Subject: Re: [Dailydave] Punching above your weight class
To: "Adriel T. Desautels" <adriel () netragard com>

Threat Intelligence is expensive to obtain in-house; it requires dedicated people who don't mind the tedious work of trolling boards and forums, and who also actually understand threats and their implications for their business. To the C-level execs, most threats are just bullet points on a PowerPoint to sell a product or project. This is the reason there are plenty of companies that offer intelligence, like Cyota, Cyveillance, iDefense, etc. However, they are commercial entities and their goal is to generate profit, so they eventually adopt the mass-market model like the AV companies. It's about covering the top 50% of "Threats", which at this time is mostly viruses and trojans, and marketing the hell out of it for a quick buck.

To truly understand threats to a business, you need passionate people who care and have the drive to not only collect the data, but also understand the data and how it applies to a particular business. CTOs, CIOs, and CISOs want actionable data, information they can either use to get headcount, help elevate a project, or stop fraud, most of which these intelligence companies can't provide, because they don't understand and don't have the resources to understand the risk tolerance of each business.

There is a place for the intelligence companies for data collection. However, if the companies don't have internal staff that can interpret the data properly and act on the data in a timely manner, then the intelligence is just a bombardment of useless information, just like all of those signs that pointed to the hijackers in 9/11.

Accurate, Appropriate, Actionable (AAA) should be the three essential qualities of good intelligence.

X

On 5/7/07, Adriel T. Desautels <adriel () netragard com> wrote:
Dave, I couldn't agree with you more. When my partner and I founded Netragard we did it with the intention of addressing the issue that you talk about below. Specifically, there is a significant gap between the level and the quality of security services being offered to businesses internationally, and the actual threat level created by malicious hackers... To make matters worse, that gap is growing rapidly.

*** A quick story...

About three weeks ago I spoke on a panel during a CIO conference with Steve Wozniak. Before my panel went up I was listening to the first panel present their ideas about corporate security. One of the panelists began talking about defining "Acceptable Risk Levels" within organizations. (These were CIOs, CTOs, CSOs etc. for multi-billion/million-dollar companies.) When I heard these people speaking I realized that they never got into anything specific. Instead it was as if they were just talking about ideas that they briefly read about in magazines or online articles. So I decided to ask them something specific.

My first question to them was "In order to properly understand your acceptable risk level you must first understand the threats faced by your business, correct?" They all nodded in agreement. My second question to them was "Where do you get your threat intelligence?" None of them could answer the question; instead they tried to "market" their way around it, or provided answers that were not at all related to the question. Later I was accused of asking a "trick question", when there was nothing tricky about it.

*** End of my quick story...

That's when it hit me. I've always known that a very significant gap existed between the capabilities of malicious hackers and the IT defense capabilities of businesses and government agencies. What I never realized was how little "good" threat intelligence was available to the people trying to defend themselves against malicious hackers.
I've made it a point to always have good threat intelligence by maintaining a team of people to harvest the intelligence for my business. So I suppose that I just take the intelligence capability for granted, but what has the rest of the world been doing? Who are they trying to protect themselves against if they don't have that capability? I'm sure that many of the people on this list also have ways of collecting threat intelligence, but then again the people on this list are most probably an exception. Am I wrong? I'm very curious...

On 5/3/07 11:05 AM, "Dave Aitel" <dave () immunityinc com> wrote:

> The best hacker teams in the world right now may belong to organized crime groups. In my spare time in between packing lunch boxes and cleaning the floor under the high chair, I've been thinking about ways in which these organizations differ from most commercial companies who do penetration testing. A company has a rather large budget, dedicated infrastructure, and an experienced and skilled staff. So why do so many of them fight like flabby novices? The fact is, giving someone a LOT of money, and a big mission to solve, often gives them a good excuse to get fat and useless. I don't know how to solve your problem if you're a hundred million dollar attack team yet. But if you're at ten million or less, these are the rules I've come up with.
>
> Six Rules for Punching Above Your Weight Class:
> o Never use an exploit in the wild you don't completely understand. If you can't debug it on the fly, you can't use it.
> o Don't split up research from attack. Your research team needs to be focused on the mission.
> o Develop a fast-reaction team that can hit easy or very time-critical vulnerabilities within 8 hours or less.
> o Be target focused.
> o Develop technical partnerships with other people who can write exploits. There just aren't that many of them.
> o One team, one mission. People naturally want to work on only Windows or only Unix, but that's not the way to success. Find people who can work on the whole picture.
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile: 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."