Slashdot Mirror


EndGame CEO: Root Out Hackers Before They Strike (qz.com)

The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers. An anonymous reader quotes Nate Fick's article on Quartz: Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cybersecurity... the vast majority of cybersecurity spending is still going to prevention and perimeter security. Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...

The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.

Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.

12 of 148 comments

  1. All well and good for nation states by Anonymous Coward · Score: 5, Insightful

    All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...

    1. Re:All well and good for nation states by fuzzyfuzzyfungus · Score: 4, Interesting

      Plus, at least some of the targets of your 'proactive defense' are nation states; and they will be even less happy about being attacked than they will about you attacking 3rd parties.

  2. I've got one for you: wise up, do your homework. by Anonymous Coward · Score: 5, Insightful

    Just stop babbling nonsense. It seems that "we gotta get 'em basterds" makes for a better headline, but... every breach I've seen in the last years is due to *catastrophic negligence*. Including the (admittedly, for the time) very high tech Stuxnet thingie in Natanz. I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports? And operators willing to stuff a $RANDOM_USB_STICK into that? Seriously?

    How many levels of fail was this?

    Now go through all the last breaches, and think again: how many levels of fail?

    > Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.

    So stop buying snake oil and take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).

    Next step is implementing technical measures. Make sure that someone in-house understands thoroughly what's going on. Resist the urge to buy the next shiny thing because the salespeople of this company look smartest: remember that the investment in those smart salespeople isn't going into hard core development -- and that's what you want.

    Fick's an idiot. This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is, where well-known "products" often enlarge your attack surface instead of reducing it.

    Fick reminds me of some dictator in some semi-failed state making up an Enemy of the Nation to make people forget that their actual problem is internal corruption and missing crops.

  3. Re:Good luck with that by davester666 · Score: 5, Insightful

    Yeah, requires three things: time, effort and money

    1. Time and effort: Any IT worker "looking for hackers attacking the network" is automatically assumed to be doing unproductive work by their immediate supervisor. Or by their supervisor. It is also pretty likely that none of his bosses will understand anything he has done to stop a hacker, and they are also unlikely to believe him. Released to look for other opportunities.
    2. Money: any money spent on this "looking for a problem proactively" is money not available for the executive bonus pool. Since the result of anyone working on doing this at best can only claim to have stopped someone, and only MAY have prevented a loss of some kind, clearly the first executive that realizes this deserves a bonus at least equal to the budget of the department he just cut, because that is real, verifiable savings going hundreds of years into the future. He basically has just saved the company from bankruptcy.

    --
    Sleep your way to a whiter smile...date a dentist!
  4. Buzzword bonanza by Anonymous Coward · Score: 4, Insightful

    Read the article, and I honestly don't see his end goal.
    Got the impression all he wants is penetration testing and security through obscurity, or monitor incoming traffic for "malicious intent".
    I could be mistaken as the whole article was a bit of a buzzword bonanza.

  5. Threat Hunting by tero · Score: 5, Insightful

    Threat Hunting isn't exactly a new concept, it's been around for ages.

    But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.

    So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype

  6. Re:I've got one for you: wise up, do your homework by l0n3s0m3phr34k · Score: 4, Interesting

    End-users, the "layer 8" of the OSI model. One way to stop a good chunk of intrusions: force everyone in your organization to go back to plain-text email. No more HTML emails, no more files attached to emails, no embedded links or graphics. Almost every time I read about some new ransomware hit, or most break-ins, it's always some phishing attack via email. Obviously these end-users aren't capable of being educated how to recognize them, so to me the only way to "fix" the problem is to BOFH the situation and remove the most commonly used paths of attack. Anyone who demands these "enhanced capabilities" should also be made to sign an addendum to their employment contract that they are financially responsible for any attacks that they allowed because they just "had to have the ability for people to send them files in their Outlook".
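
The "plain text only" rule proposed above is, at the gateway, mostly a MIME rewrite. The following is an added example, not code from the thread or from any product named in it. It assumes a content filter (a milter, a Postfix content_filter or similar) hands it the raw message bytes and relays what it returns; it keeps only text/plain parts, drops HTML alternatives and every attachment regardless of declared type, and replaces anything that looks like a URL with a placeholder. The sample message is constructed for the example.

```python
"""Added example: a plain-text-only inbound mail policy (not code from the
original thread). Assumed integration: a content filter passes us the raw
RFC 5322 message and relays whatever we return."""
import email
import re
from email import policy
from email.message import EmailMessage

# Anything that looks like a link is neutralised; the recipient can still
# ask the sender for the address, but nothing in the mail is clickable.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
KEEP_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")


def sanitize(raw):
    """Return (rebuilt_message, report); only plain-text bodies survive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"dropped": [], "urls_removed": 0}
    chunks = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no content
            continue
        ctype = part.get_content_type()
        disp = part.get_content_disposition()   # "attachment", "inline" or None
        if ctype == "text/plain" and disp != "attachment":
            text, n = URL_RE.subn("[link removed]", part.get_content())
            report["urls_removed"] += n
            chunks.append(text)
        else:
            # HTML alternatives, images, documents, scripts: dropped
            # whatever the declared type or the filename claims.
            report["dropped"].append((ctype, part.get_filename()))
    out = EmailMessage(policy=policy.default)
    for name in KEEP_HEADERS:
        if msg[name] is not None:
            out[name] = str(msg[name])
    out.set_content("\n".join(chunks) or "[message body removed by policy]")
    return out, report


# Constructed sample: a phishing-style mail with an HTML alternative and a
# .docx attachment. Not a real message.
SAMPLE = b"""From: payroll@example.test
To: staff@example.test
Subject: Updated payslip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Please review your payslip at http://payroll.example.test/login before Friday.
--b2
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://payroll.example.test/login">Payslip</a></body></html>
--b2--
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="payslip.docx"
Content-Disposition: attachment; filename="payslip.docx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    clean, rep = sanitize(SAMPLE)
    print(rep)
    print(clean.as_string())
```

The report is what you would log per message so that the "I had to have that attachment" complaints in the comment can be answered with numbers. Note that the filter keys on the parsed MIME structure, not on file extensions, so renaming a .exe to .txt does not get it through: only parts whose Content-Type is text/plain and that are not flagged as attachments survive.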

  7. Not just hackers... by Anonymous Coward · Score: 4, Insightful

    We should also root out murderers before they strike, by "determining" who will commit murder and punishing them while they are still innocent. Or maybe not.
    Maybe this CEO is phenomenally dumb?

  8. TFA is a bit vague by l0n3s0m3phr34k · Score: 5, Informative

    But the company's (Endgame) blog pages have some actual concrete info. Reading over the site, much of what he talks about is already implemented, or at least there is software out there that companies can get (much of it open source). To quote his "Hunting on hosts" page: "running processes, active network connections, listening ports, artifacts in the file system, user logs, autoruns", using YARA, etc. BUT, at least this page isn't just "buy my product" but does give some tutorials / examples of how to use various free utilities (like Sysinternals, YARA with PowerShell, Elasticsearch) and he even includes CLI examples. I'm bookmarking this and will read over it later when it's not 04:32 and I should be asleep instead of posting on Slashdot LOL.
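
The host-side artifact list quoted in the comment above (processes, connections, listening ports, autoruns) is the collection half of a hunt; the other half is deciding what in that pile is worth a second look. The following is an added example of that triage step, not the Endgame blog's code nor anything from the thread. It assumes the facts have already been gathered with whatever you use on the endpoint (Get-Process / tasklist, Get-NetTCPConnection / netstat, Sysinternals autorunsc, a signature check) and normalised into the plain dicts shown; the baseline sets and the SAMPLE inventory are constructed for the example, and 203.0.113.7 stands in for an arbitrary internet address.

```python
"""Added example: triage rules for a host hunt (not the Endgame blog's code).
Input is an already-collected inventory; SAMPLE below is constructed."""
import ipaddress
from dataclasses import dataclass

# Expected state for this host class; in practice built from a golden image
# or the fleet median and refined as hunts confirm entries as benign.
BASELINE_LISTENING_PORTS = {135, 139, 445, 3389}
BASELINE_AUTORUNS = {"c:\\program files\\vendor\\agent.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
SYSTEM32 = "c:\\windows\\system32\\"
CORE_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / low
    rule: str
    pid: int        # 0 when not tied to a live process
    detail: str


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def hunt_processes(procs):
    by_pid = {p["pid"]: p for p in procs}
    out = []
    for p in procs:
        name, path = p["name"].lower(), p["path"].lower()
        parent = by_pid.get(p["ppid"])
        if not p["signed"] and path.startswith(USER_WRITABLE):
            out.append(Finding("high", "unsigned-in-user-writable-dir", p["pid"], path))
        if name in CORE_NAMES and not path.startswith(SYSTEM32):
            out.append(Finding("high", "core-system-name-outside-system32", p["pid"], path))
        if parent and parent["name"].lower() in OFFICE_APPS and name in LOLBINS:
            out.append(Finding("high", "office-app-spawned-lolbin", p["pid"],
                               f"{parent['name']} (pid {parent['pid']}) -> {name}"))
    return out


def hunt_network(conns, procs):
    name_of = {p["pid"]: p["name"].lower() for p in procs}
    out = []
    for c in conns:
        owner = name_of.get(c["pid"], "?")
        if c["state"] == "LISTEN" and c["lport"] not in BASELINE_LISTENING_PORTS:
            out.append(Finding("medium", "listener-not-in-baseline", c["pid"], f"{owner} :{c['lport']}"))
        elif c["state"] == "ESTABLISHED" and owner in LOLBINS and not is_internal(c["raddr"]):
            out.append(Finding("medium", "lolbin-connected-to-external-host", c["pid"],
                               f"{owner} -> {c['raddr']}:{c['rport']}"))
    return out


def hunt_autoruns(entries):
    out = []
    for e in entries:
        image = e["image"].lower()
        where = f"{e['location']} {e['entry']} -> {image}"
        if not e["signed"] or image.startswith(USER_WRITABLE):
            out.append(Finding("high", "autorun-unsigned-or-user-writable", 0, where))
        elif image not in BASELINE_AUTORUNS:
            out.append(Finding("low", "autorun-not-in-baseline", 0, where))
    return out


def hunt(inv):
    found = (hunt_processes(inv["processes"])
             + hunt_network(inv["connections"], inv["processes"])
             + hunt_autoruns(inv["autoruns"]))
    return sorted(found, key=lambda f: ("high", "medium", "low").index(f.severity))


def pivot_pids(findings):
    """Processes named in a high finding: first candidates for memory and disk collection."""
    return sorted({f.pid for f in findings if f.severity == "high" and f.pid})


SAMPLE = {  # constructed inventory, not captured from a real host
    "processes": [
        {"pid": 4, "ppid": 0, "name": "System", "path": "", "signed": True},
        {"pid": 700, "ppid": 4, "name": "services.exe", "path": "C:\\Windows\\System32\\services.exe", "signed": True},
        {"pid": 2100, "ppid": 700, "name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe", "signed": True},
        {"pid": 3344, "ppid": 1200, "name": "WINWORD.EXE", "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "signed": True},
        {"pid": 3390, "ppid": 3344, "name": "powershell.exe", "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "signed": True},
        {"pid": 3412, "ppid": 3390, "name": "svchost.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "signed": False},
    ],
    "connections": [
        {"pid": 2100, "state": "LISTEN", "lport": 135, "raddr": None, "rport": None},
        {"pid": 2100, "state": "ESTABLISHED", "lport": 49700, "raddr": "10.0.0.1", "rport": 445},
        {"pid": 3412, "state": "LISTEN", "lport": 4444, "raddr": None, "rport": None},
        {"pid": 3390, "state": "ESTABLISHED", "lport": 52113, "raddr": "203.0.113.7", "rport": 443},
    ],
    "autoruns": [
        {"location": "HKLM Run", "entry": "VendorAgent", "image": "C:\\Program Files\\Vendor\\agent.exe", "signed": True},
        {"location": "HKLM Run", "entry": "7-Zip", "image": "C:\\Program Files\\7-Zip\\7zFM.exe", "signed": True},
        {"location": "HKCU Run", "entry": "WindowsUpdate", "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "signed": False},
    ],
}

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f"{f.severity:6} {f.rule:36} pid={f.pid:<5} {f.detail}")
    print("pivot:", pivot_pids(hunt(SAMPLE)))
```

On the constructed sample the rules fire on the Word-spawned PowerShell, the unsigned "svchost.exe" under a user profile that is also listening on 4444 and registered as an HKCU autorun, and the PowerShell session talking to an external host; the signed 7-Zip autorun only rates a low "not in baseline", which is the kind of entry you confirm once and then add to the baseline. The rules are deliberately the cheap, high-signal ones: they do not replace YARA or memory analysis, they tell you which PIDs to point those tools at.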

  9. I call bullshit. by rew · Score: 5, Interesting

    There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.

    And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!

    Here in Holland some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!

    In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.

    You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.
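
The two "elementary" checks the comment above describes, the uid=1234 -> uid=1235 case and the pizza amount in the URL, are both the server trusting a value the client was allowed to edit. The following is an added example, not code from the thread or from the shop in the story: each check is shown in the broken form the comment describes and in a fixed form. The session table, the orders and the payment-provider (PSP) report are constructed for the example, and `INTENTS` is an assumed server-side store.

```python
"""Added example (not code from the thread): the two checks the comment calls
elementary, each in the broken form and a fixed form. All data is constructed."""
import secrets
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Order:
    order_id: int
    owner_uid: int
    total: Decimal          # authoritative price, set server-side
    paid: bool = False


class Forbidden(Exception): pass
class PaymentMismatch(Exception): pass


SESSIONS = {"sess-alice": 1234, "sess-bob": 1235}   # session cookie -> uid


def make_orders():
    return {501: Order(501, 1234, Decimal("15.60")),
            502: Order(502, 1235, Decimal("22.00"))}


# --- vulnerable: the behaviour described in the comment -----------------
def view_order_vulnerable(orders, session_id, query):
    """Checks that *someone* is logged in, then trusts ?order= blindly."""
    if session_id not in SESSIONS:
        raise Forbidden("login required")
    return orders[int(query["order"])]


def confirm_payment_vulnerable(orders, query, psp_report):
    """The amount to check against comes from the URL the customer was
    redirected with, so editing 15.60 to 0.10 yields a 'matching' payment."""
    order = orders[int(query["order"])]
    if psp_report["status"] == "ok" and Decimal(psp_report["amount"]) == Decimal(query["amount"]):
        order.paid = True
    return order.paid


# --- fixed --------------------------------------------------------------
def _owned_order(orders, session_id, order_id):
    uid = SESSIONS.get(session_id)
    if uid is None:
        raise Forbidden("login required")
    order = orders.get(order_id)
    if order is None or order.owner_uid != uid:
        raise Forbidden("no such order")   # same answer for missing and foreign ids
    return order


def view_order(orders, session_id, order_id):
    return _owned_order(orders, session_id, order_id)


INTENTS = {}   # assumed server-side store: opaque intent id -> expected charge


def start_payment(orders, session_id, order_id):
    order = _owned_order(orders, session_id, order_id)
    intent_id = secrets.token_urlsafe(16)
    INTENTS[intent_id] = {"order_id": order.order_id, "amount": order.total, "currency": "EUR"}
    return intent_id   # the customer carries only this handle, never the price


def confirm_payment(orders, intent_id, psp_report):
    intent = INTENTS.pop(intent_id, None)   # single use: one payment cannot be replayed
    if intent is None:
        raise PaymentMismatch("unknown or already consumed intent")
    if (psp_report["status"] != "ok"
            or Decimal(psp_report["amount"]) != intent["amount"]
            or psp_report["currency"] != intent["currency"]):
        raise PaymentMismatch(f"expected {intent['amount']} {intent['currency']}, got {psp_report}")
    orders[intent["order_id"]].paid = True
    return True


def demo():
    """Run both versions on the same inputs; returns what each one did."""
    r, orders = {}, make_orders()
    r["idor_vulnerable_owner"] = view_order_vulnerable(orders, "sess-alice", {"order": "502"}).owner_uid
    try:
        view_order(orders, "sess-alice", 502)
        r["idor_fixed"] = "allowed"
    except Forbidden:
        r["idor_fixed"] = "denied"
    cheap = {"status": "ok", "amount": "0.10", "currency": "EUR"}   # PSP report for a 0.10 payment
    r["price_vulnerable_paid"] = confirm_payment_vulnerable(orders, {"order": "501", "amount": "0.10"}, cheap)
    orders = make_orders()
    try:
        confirm_payment(orders, start_payment(orders, "sess-alice", 501), cheap)
        r["price_fixed"] = "accepted"
    except PaymentMismatch:
        r["price_fixed"] = "rejected"
    r["price_fixed_order_paid"] = orders[501].paid
    full = {"status": "ok", "amount": "15.60", "currency": "EUR"}
    r["price_fixed_correct"] = confirm_payment(orders, start_payment(orders, "sess-alice", 501), full)
    return r


if __name__ == "__main__":
    print(demo())
```

The fixed version never lets the amount leave the server: the customer is handed an opaque intent id, the expected amount and currency live with it, and the confirmation compares what the PSP actually reports against that record. The same `_owned_order` helper does the "logged in as the RIGHT user" check for every order-scoped route, and it answers "no such order" for both missing and foreign ids so the response cannot be used to enumerate which ids exist.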

  10. I have also an idea by Opportunist · Score: 4, Funny

    How about rooting out future CEOs before they have harebrained ideas. It's also much easier to predict. Just shoot every CEO during his inaugural speech.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:Too good at the job by arth1 · Score: 4, Interesting

    Buying security from security firms gives very little bang for the buck. Security isn't a commodity any more than love is. You can only buy fake versions of either.

    Spend the same on security-minded employees and individualized training. Spear-phish your employees and require mandatory training of anyone caught. Hold security training without PowerPoint, and keep your employees informed with facts. Pay out small bonuses to people who display awareness. Post the name of departments where anyone has attempted to run malware or otherwise shown gross negligence. Make it a people thing, not a box in the server room and some licenses.

    When TFA says "Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...", they were dead wrong. It should be closer to 100%, with almost all going to internal resources.