
Splunk CTO Urges Collaboration Against Cyberattacks - And 'Shapeshifting' Networks (itwire.com)

"The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense," says the CTO of Splunk -- because the labor is cheap, the tools are free, and the resources are stolen. "He says what's needed to bring down the cost of defense is collaboration between the public sector, academia and private industry...the space race for this generation," reports Slashdot reader davidmwilliams.

Splunk CTO Snehal Antani suggests earlier "shift left" code testing and continuous delivery, plus a wider use of security analytics. But he also suggests a moving target defense "in which a shapeshifting network can prevent reconnaissance attacks" with software defined networks using virtual IP addresses that would change every 10 seconds. "This disrupts reconnaissance attacks because a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another."

88 comments

  1. Sounds like IPv6 security extensions by Anonymous Coward · · Score: 0

    Sounds like the IPv6 security extensions. While we're at it, with IPv6 you can spawn a new address for every single network connection. Why not? There are enough of 'em. ...but IPv6 isn't happening, so I won't get my hopes up. I'll go drown my IPv6 sorrows in my apple juice... Sigh...

    1. Re:Sounds like IPv6 security extensions by eyepeepackets · · Score: 1

      It's getting so bad that I can see a forced implementation: Either switch or you're un-connected until you do. Set a switch date and enforce it. Thing is, will IPv6 really be the fix needed? I don't see how anything short of hardware built specifically for security on a secure network can be secure.

      --
      Everything in the Universe sucks: It's the law!
    2. Re:Sounds like IPv6 security extensions by pete6677 · · Score: 1

      IPv6 is a very typical problem, in that if you continue to ignore it, it will eventually go away.

  2. Or just use ipv6 by Anonymous Coward · · Score: 0

    Just use IPv6 with privacy extensions. No one can scan that entire subnet space anytime soon.

  3. 1/100th the cost? by hsmith · · Score: 2

    Depends on the industry. Yahoo? will pay $0 in fines for their breach. If you were a hospital you'd see $50k per patient, which adds up quite fast, and doesn't include stupid things like credit monitoring.

    Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shitcan your CISO, who you ignored the entire time, because you need someone to take the blame.

    1. Re:1/100th the cost? by ark1 · · Score: 1

      Even when something happens, people pretend to care then go on with business as usual.

    2. Re:1/100th the cost? by geekmux · · Score: 1

      Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shitcan your CISO, who you ignored the entire time, because you need someone to take the blame.

      I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).

      Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.

      Starting to wonder if this needs to be a change in mentality where insurance companies are the ones who should be insisting on CISOs.

    3. Re:1/100th the cost? by Tharkkun · · Score: 1

      Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shitcan your CISO, who you ignored the entire time, because you need someone to take the blame.

      I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).

      Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.

      Starting to wonder if this needs to be a change in mentality where insurance companies are the ones who should be insisting on CISOs.

      Target lost a shit ton of customers, not to mention they closed stores due to people abandoning them during the holidays last year.

  4. Does it really? by Anonymous Coward · · Score: 0

    All an attacker has to do is find a funky acting network to know it's valuable. And if it's changing every 10 seconds it's gotta be kept track of somehow or it's useless to the people who need it. Also doesn't help much against attacks originating from the inside, in other words it does nothing about malware or rogue hotspots.

  5. Coming from an information security academic by Anonymous Coward · · Score: 2, Informative

    What he proposes is infeasible.

    Think about a simple shopping trip to Amazon. If your DNS cache is wrong after 9.2 seconds, how are you going to maintain your session long enough to finish your purchase?

    The CTO here is confused as to how virtual IP addresses work. The virtual IP doesn't change, the actual IP of the servers in the cluster does. Without a reasonably constant IP, the availability portion of the CIA triad does not exist.

    Secondly, "reconnaissance attacks", i.e. footprinting, are reasonably handled with traditional techniques. Stopping what comes after is much harder. Stopping the easiest to exploit attack vector, the human factor, is orders of magnitude harder than that.

    1. Re:Coming from an information security academic by lucm · · Score: 4, Interesting

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      The day his company creates something useful maybe I will pay attention to him.

      --
      lucm, indeed.
    2. Re:Coming from an information security academic by ark1 · · Score: 1

      There is plenty of snake oil within the security industry. It does not matter if it is feasible or not as long as you can sell it.

    3. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      https://gcn.com/articles/2012/08/03/army-morphinator-cyber-maneuver-network-defense.aspx?sc_lang=en&m=1

    4. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      Shapeshifting falls under the emerging idea of "moving target defense", here's a paper on it: https://gcn.com/articles/2012/08/03/army-morphinator-cyber-maneuver-network-defense.aspx?sc_lang=en&m=1

    5. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      And even suppose we make some new protocols that allow the client to keep up with a fast-changing destination (and source?) IP, what stops the attacker from using this protocol to keep track of the addresses?

    6. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      Nothing compared to the fever dreams of delusional space fanatics.

    7. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      I'm a bit biased since I am dedicated to my employer's Splunk implementation, but Splunk allows us to do things that are not easily done with any other tools. It is invaluable as a tool to correlate logs across thousands of devices. While it may not be quicker than grep on a single file, it is much quicker than trying to search across many systems even if there is a centralized log server.

      If your implementation is slow, I would question if you have provisioned it appropriately. The old suggestion was 100GB/day per indexer but the key thing is making sure you have enough IOPS since that is almost always going to be your bottleneck.

    8. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      Um... All I can say is that if vi and awk are outperforming your Splunk setup, then you did something very, very wrong and your blame is completely misdirected.

    9. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      I've found that it actually is faster than grepping single large files, particularly if you are interested in a particular field. However, Splunk requires a lot of hardware to be thrown at the problem, otherwise performance isn't great.

    10. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      The day his company creates something useful maybe I will pay attention to him.

      Your office buys an expensive product you claim sucks and is never used, and you feel this is the best time to bash the shit out of another company?

      Speaking of useful, you can stop wondering now why people won't pay attention to you.

    11. Re:Coming from an information security academic by lucm · · Score: 1

      Your office buys an expensive product you claim sucks and is never used

      Yes, that's very common in large organizations. In order to save $50 per quarter they will buy cheap whiteboard markers that stop working within minutes of being pulled from the box, and at the same time they will have no problem buying expensive "enterprise" software with annual licenses more expensive than a condo because it's in Gartner's magic quadrant for whatever buzzword they heard at a conference. Then they bring in the vendor to do an implementation that never works, and if you're lucky the project will fade in the corporate ether after a year or two. They'll keep renewing licenses, of course, because otherwise it would be acknowledging a mistake, and once in a while in a meeting the CTO will ask to see if the product could be "leveraged" for such or such project, but that's shelfware and everyone knows it.

      Organizations are penny wise and pound foolish like that.

      --
      lucm, indeed.
    12. Re: Coming from an information security academic by lucm · · Score: 1

      We have terabytes of logs in Splunk, and the servers are some of the biggest we have for utilities, something like 64GB RAM and who knows how many cores. Performance is usually bad, unless you just use the same dashboards over and over.

      For correlations across a large number of devices Splunk works (slowly) as long as no fields are added or reordered too often.

      So yeah, if you want to count useragents in Apache logs or do pie charts to show hits per url, you can do that. And you can add plugins to have heatmaps (as long as the lat/long is in your log because looking it up is way too slow). But is that worth the price tag? Absolutely not.

      There are significantly superior products out there, such as the ELK stack that will allow you to do *actual* search in your logs, not just run regexes on terabytes of flat text files like Splunk does. There are even free versions, and various Apache projects (flume, solr) that will offer vastly superior capabilities.

      --
      lucm, indeed.
    13. Re:Coming from an information security academic by lucm · · Score: 1

      I've dealt with Splunk for almost 7 years now, saw it growing and evolving, and from a user point of view I can tell you that there are two types of people who like Splunk:

      1) managers who like the pie charts and dashboards
      2) people who spend their days in the web console, mastering the proprietary syntax for search

      Anyone else tends to try a few times then give up and access the log files directly. And if their only access is via Splunk they hate you.

      It sucks because not only do you need to know the magical keywords, you also need to know how they've been implemented. ex: what are the sources you can search, etc. And you have to use the web page because there's no good command-line tool, and the semi-REST api sucks, and it makes it hard to pipe results and do something with them.

      --
      lucm, indeed.
    14. Re: Coming from an information security academic by Eosi · · Score: 1

      Sounds like you do not have your build set up correctly. If you scale out Splunk correctly, 3 8-core / 8 gig of RAM boxes in a Search head cluster can pull MILLIONS of records in seconds. We went from 2 indexers and one search head to an Index cluster and Search head cluster, and noticed a 1000% increase in performance. Also pulling in billions of log records a day with no issues. All of our indexers are recycled servers that were EOL.

    15. Re: Coming from an information security academic by lucm · · Score: 1

      Well, it has been installed and configured by their Professional Services and they're the ones tuning and upgrading it.

      Yes you can pull a billion records as long as you're using the same queries over and over, and as long as your log file structure doesn't change. But those are lab/demo conditions, in real life things don't happen like that.

      --
      lucm, indeed.
    16. Re:Coming from an information security academic by Mjlner · · Score: 1

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      You forgot: grep, sed, perl, crontab and a bunch of other tools. I'm sorry, but you have no comprehension of scale. The normal *nix tools are good enough at what they do for individual files, but once your infrastructure grows beyond a handful of hosts, the management becomes a major pain in the ass. I guess you've never even contemplated having to solve issues like "Something weird happened in one of 20 application servers some time last week when user X logged in."

      Just because you don't like a certain technology and are ignorant about it doesn't mean that the technology sucks.

      --
      Lemon curry???
    17. Re:Coming from an information security academic by geekmux · · Score: 1

      There is plenty of snake oil within the security industry. It does not matter if it is feasible or not as long as you can sell it.

      Security is nothing more than another form of insurance. In other words, it is essentially a snake oil industry, built on a foundation of FUD sales tactics, not unlike the insurance industry. This is why it continues to be very difficult to justify and implement, regardless of perceived or actual risk.

    18. Re: Coming from an information security academic by Eosi · · Score: 1

      It seems you do not understand how Splunk runs entirely. Running the same searches over and over does nothing to improve performance. It's when you "accelerate" them or add them to a summary index that speeds it up. In a VERY real world environment, I search millions of records many times an hour, depending on what I am looking for or the request I get. Some of these are even over several (or all) of my indexes. Currently my install averages 130 million records a day, from about 15 different source feeds (with many source types per, such as Network gear). When I run some monthly data that is a LOT of records, which pulls in minutes or less.

      I would suggest reviewing your SOW with their professional services and asking them to build you out an Index and Search Head cluster. Heck, even just separating the search head and indexes to separate servers will improve your performance.

    19. Re:Coming from an information security academic by MachineShedFred · · Score: 1

      That's because the value-add that Splunk gives you is the draconian and super expensive licensing quotas. Oh, your servers did more than your per-day data allotment? Well, you better call us and get a code so that you can look at any of your logs at all. And yes, if you do that more than a few times, we're charging you more.

      Fuck Splunk.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    20. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      So your solution to the problem THEY (Splunk PS) implemented is to throw more money and hardware at it? Great strategy, I think I'll recommend splunk to everyone.

      Sounds like a complete cluster fuck to me. Why is someone from splunk commenting on security issues? Who is he to propose such solutions? Fix your own product first.

    21. Re:Coming from an information security academic by MachineShedFred · · Score: 1

      The funny thing is that you can spend a day with Elasticsearch and Logstash and come up with the same thing for essentially free.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    22. Re:Coming from an information security academic by MachineShedFred · · Score: 1

      I have a slightly different take on it - Splunk sucks because of their licensing and cost, not the tech. The tech is merely "ok".

      If I'm spending money for log aggregation and searching, I'd be throwing that money towards SumoLogic.

      If I'm not spending money, then it's Elasticsearch / Logstash / Kibana, which still works better than Splunk most of the time, without the thing holding my data hostage if we should actually have servers logging things and overrun the daily quota.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    23. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      "Something weird happened in one of 20 application servers some time last week when user X logged in."

      If that is the feedback you get and have to go on then no wonder your company uses Splunk. All Splunk does is help disorganized companies, and it seems you work for one of them.

    24. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      Sounds like lucm asked for a solution but did not understand what he was getting. Likely it was to meet some management goal, so it was under-spec'ed, under-priced, and did not meet the real world needs of the company. This is way too common anymore among management and leads, who focus on compliance versus security. Just remember, if you ask for a shit design, you get shit.

    25. Re: Coming from an information security academic by t0rkm3 · · Score: 1

      Other folks here have provided insight and commentary that you likely have no clue as to what you are talking about, but who doesn't love a dogpile?

      I have implemented MANY very large Splunk and ELK implementations. ELK will almost always ask for MORE hardware to get search performance. I agree that ELK scales out more quickly, but far less efficiently than Splunk does. If your sole criterion is search speed and you have unlimited hardware capacity then ELK is the way to go.

      However, doing calculations on the logs, presenting the logs, transforming the data (geo IP lookups, changing the message so that it reads more easily), and doing multivariable comparison for either human or automated response is vastly superior in Splunk. In both the functions and toolkits available and the ability to front load a lot of your search work so that your performance is outstanding.

      Cost wise... it's usually a wash. I have customers that have looked at the cost of installing and maintaining an ELK stack and replacing the lost features and ran away quickly. This is for >500GB/day infrastructures with a dedicated dev team of >3 people.

      If your Splunk implementation is sucking wind that badly, then it is likely that whoever is paying for your implementation has expressed goals that are counter to your goals and thus you are ill served. If you are the payer, then you have done poorly at describing your desired outcome and approx 50% of the result is your fault.

      Continuing on... You mention Flume and Solr. Solr, if you buy the production implementation (last time I looked) doesn't have a good flow control and message verification platform and is thus dependent on the messaging bus within Flume or the implementation of an outside message bus (Kafka, Redis). This results in another set of configurations to maintain, and a good place for logs to be lost in the ether. Flume itself is awesome, although the parsing recipes could use some work. If I were looking outside of Logstash/Beats (which is advisable as Logstash seems to still have some memory management issues) I would favor Fluent as the ingest process is less of a pain in the neck.

      However, I've only done hundreds of implementations of log management infrastructures using logstash, ElasticSearch, Kibana, flume, kafka, redis, fluent, syslog-ng, and/or Splunk... so there are likely some options I haven't mentioned.

    26. Re:Coming from an information security academic by rhazz · · Score: 1

      If you don't want to pay the licensing fee for the amount of data you're collecting, you could always trim what you're collecting to stay below the threshold?

    27. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      Or I could use a Splunk alternative that doesn't hold data hostage, and is actually better.

    28. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      You could explore yet another solution which replaces Splunk and doesn't force you to sell your kids for searching your logs ... X15 Software

    29. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      So your primary complaint is that in 7 years you've never bothered to learn how to use it?

      K.

    30. Re: Coming from an information security academic by lucm · · Score: 1

      You mention yourself a flock of FOSS products that are vastly superior to Splunk, but somehow in your organization it's a daunting task to manage multiple configuration files so you buy Splunk instead. I'm guessing that you're mostly a Windows guy.

      So let's agree that Splunk is an overpriced regex script with a lousy web frontend, sub-par command line capabilities and slow, row-by-row transformation features, but comes with a convenient central config file. If your use cases are satisfied with these limitations, knock yourself out, keep doing hundreds of implementations. There's no shame in that, some people make a living installing Oracle or Groupwise, it's not like you're the first person to waste your employer's money on expensive commercial software that is inferior to FOSS alternatives.

      To the point: even if Splunk was good at doing that (which it's not) that would still not make their CEO an authority about security.

      --
      lucm, indeed.
    31. Re:Coming from an information security academic by lucm · · Score: 1

      It's also like that with TeamCity: annual license per agent (which runs on your own machine) and only 1 concurrent build per agent. So essentially they force you to pay for rush hour usage.

      Meanwhile Jenkins is free and scales a lot better.

      --
      lucm, indeed.
    32. Re:Coming from an information security academic by lucm · · Score: 1

      No, my primary complaint is that it sucks. I've had the "pleasure" of learning and using the proprietary query language and the half-baked API, that's why I'm comfortable to say that it's a piece of shit.

      I also had the opportunity to work extensively with the dashboarding tools, and those make SharePoint look like a marvel of UX engineering.

      --
      lucm, indeed.
    33. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      Dude, hard to listen to your comment when you cannot even get who at Splunk was listed in the article.

      There is not one FOSS tool that does Everything Splunk does, as well, with less work. Splunk rocks, if you know how to use it, and set it up correctly.

    34. Re:Coming from an information security academic by Anonymous Coward · · Score: 0

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      The day his company creates something useful maybe I will pay attention to him.

      So you think people should care about what you think/say about Splunk? Being ignorant of one thing doesn't make a case for dumping it....

    35. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      Actually because of a poor back-end architecture over the years Splunk configuration files have grown in numbers and in settings. There is no such thing as a "central config file".

    36. Re: Coming from an information security academic by Anonymous Coward · · Score: 0

      Look, Splunk signed up to address 'big data' and their architecture simply cannot scale very well, and it is clunky with only a few hundred well-powered servers. Also you seem to misunderstand the role of multiple search-heads. This simply facilitates the number of user logins; it does not make your searches faster. A single search-head in the cluster is still responsible for delivering all the results to you and doing all the aggregation, which is why performance sucks at large scale.
      Summary index is a hack around the problem, although a useful one for many other reasons.
      Here you are talking about separating search-heads from indexers and you should know that most customers already have small clusters with that separation, and yes performance still sucks.

    37. Re: Coming from an information security academic by Eosi · · Score: 1

      Actually, I understand exactly what a Search Head cluster (put it behind a Load Balancer to handle the traffic, not the DNS round robin) with multiple Search Heads does. It allows you to share all your user load over several servers, which does help performance, when some people are doing huge searches and some just want to watch a dashboard. Beyond that, not everyone understands that separating your apps over multiple search heads actually helps as well. DBConnect for instance, if you have that on a SH with some other apps, you have a lot of back end work, which will lower your performance. Of course, using Heavy Forwarders to gather data and do some preparsing helps even better.

      Having used numerous other SIEM or Log aggregation tools on the market over the last 10 years, I can say that Splunk does scale better than any other commercial SIEM. It also allows you to take any data feed and get results and mappings faster with a lot less work. But just as with any other SIEM, you have to plan out your install and run before you build it or you will kill your performance.

      You also have to understand the search formatting. The order of things like Deduping data (or using the NOT perm in a search) matters with Splunk, and affects your performance big time.

      As for your statement "Here you are talking about separating search-heads from indexers and you should know that most customers already have small clusters with that separation, and yes performance still sucks." This is contrary to what I have heard. Of the people I know who run Splunk, many did not separate out their install until a year or so into the install. This I think is a failing of the Splunk documentation for real world load. Once you go beyond the 10 gig a day license you MUST separate the servers to keep performance higher. Just like how you should not put ES and the PCI app on the same server (even though it's supported).

      The SIEMs that use a SQL backend (like LogRhythm) cannot return data as fast as Splunk, nor are they as versatile in allowing searches.

    38. Re:Coming from an information security academic by lucm · · Score: 1

      Apparently *you* care.

      --
      lucm, indeed.
  6. Isn't it easier... by ZenShadow · · Score: 1

    ...to keep them out of your network in the first place?

    The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.

    Which leads us back to firewalls and IDS and such.

    --
    -- sigs cause cancer.
    1. Re:Isn't it easier... by turbidostato · · Score: 1

      "The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access"

      Internally available systems have to have known addresses for access too: "a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another." Funny if you try to get a CIFS mount point out of your mainframe instead of your Windows server.

    2. Re:Isn't it easier... by The-Ixian · · Score: 1

      I think the easiest fix would be to stop spoofed packets at the egress border router.

      This would eliminate reflection attacks and a whole lot of other nastiness.

      Of course, this would require every ISP to get on board and not let packets which do not belong to their IP space to leave their network.

      I currently do this for our small network. No spoofed packets can leave our network. I am trying to do my small part in case any of our computers become compromised.

      --
      My eyes reflect the stars and a smile lights up my face.
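The egress anti-spoofing filter described in the post above ("not let packets which do not belong to their IP space leave their network"), as an added example that is not part of the original thread: a policy check run over constructed sample packets, plus a rendering of the same core rule as an nftables ruleset. The owned prefixes, the bogon list and the `wan0` interface name are assumptions for the example.

```python
"""Egress anti-spoofing (BCP38-style) filter, simulated over constructed packets.

Example code written for this discussion, not from the thread or any vendor.
"""
import ipaddress
from collections import Counter

# Prefixes this network legitimately originates traffic from (constructed sample).
OWNED_PREFIXES = ("203.0.113.0/24", "2001:db8:1::/48")

# Sources that should never appear on packets leaving toward the internet:
# RFC 1918 / RFC 4193 private space, loopback and link-local (assumed list).
BOGON_PREFIXES = (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)


def _networks(prefixes, version):
    """Parse prefixes, keeping only those of the requested IP version."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [n for n in nets if n.version == version]


def classify_source(src, owned=OWNED_PREFIXES, bogons=BOGON_PREFIXES):
    """Egress verdict for a packet whose source address is `src`.

    'forward'      - source lies inside our own address space
    'drop-bogon'   - private/loopback/link-local source; should never leave
    'drop-spoofed' - public address we do not own, i.e. a spoofed source
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in _networks(owned, addr.version)):
        return "forward"
    if any(addr in net for net in _networks(bogons, addr.version)):
        return "drop-bogon"
    return "drop-spoofed"


# Constructed egress packets: (source, destination, note for the log line).
SAMPLE_EGRESS = [
    ("203.0.113.10", "198.51.100.5", "normal IPv4 request from our space"),
    ("2001:db8:1::42", "2001:db8:ffff::1", "normal IPv6 request from our space"),
    ("192.168.1.20", "198.51.100.5", "leaked private address, NAT misconfiguration"),
    ("198.51.100.77", "203.0.113.9", "source belongs to a third party"),
    ("8.8.8.8", "192.0.2.1", "source belongs to a third party"),
]


def filter_egress(packets, owned=OWNED_PREFIXES, bogons=BOGON_PREFIXES):
    """Apply the policy to a batch; return (forwarded, dropped_log, counts).

    A host inside the network emitting spoofed traffic is a compromise
    indicator, so every drop is recorded rather than silently discarded.
    """
    forwarded, dropped = [], []
    counts = Counter()
    for src, dst, note in packets:
        verdict = classify_source(src, owned, bogons)
        counts[verdict] += 1
        if verdict == "forward":
            forwarded.append((src, dst))
        else:
            dropped.append(f"DROP {verdict} src={src} dst={dst} ({note})")
    return forwarded, dropped, counts


def nftables_ruleset(owned=OWNED_PREFIXES, wan_if="wan0"):
    """Render the core rule as an nftables ruleset: anything leaving on the WAN
    interface (assumed name `wan0`) whose source is not in our prefixes is
    counted and dropped.  In the inet family `ip saddr` only matches IPv4 and
    `ip6 saddr` only IPv6, so the two rules do not interfere with each other.
    """
    v4 = [str(n) for n in _networks(owned, 4)]
    v6 = [str(n) for n in _networks(owned, 6)]
    lines = ["table inet egress_antispoof {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    if v4:
        lines.append(f'    oifname "{wan_if}" ip saddr != {{ {", ".join(v4)} }} counter drop')
    if v6:
        lines.append(f'    oifname "{wan_if}" ip6 saddr != {{ {", ".join(v6)} }} counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    fwd, log, counts = filter_egress(SAMPLE_EGRESS)
    print(f"forwarded {len(fwd)} packets; verdict counts: {dict(counts)}")
    print("\n".join(log))
    print(nftables_ruleset())
```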
  7. Godel's hand reaches from the grave by Etcetera · · Score: 2

    ...to keep them out of your network in the first place?

    The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.

    Which leads us back to firewalls and IDS and such.

    Shape-shifting has to "bottom out" somewhere with known addresses, and that's where you're going to be vulnerable. You can test this now with low TTL DNS servers and (assuming your TTL is respected) you just send the traffic over to the new destination. If he's referring to external services, that about covers it. If it's external access to internal networks, then why are you running IPv6? Use NAT and a FW like everyone else and get that stuff off the internet. If he's referring to internal services, they're just as vulnerable for the same reason. Your internal services will have to have a lookup system (DNS, or your super-awesome low latency replacement for DNS because what good is a wheel if it isn't being reinvented), and that can be used for following whatever you need around. You've added one small, boring step for your hackers that's just as HOBE as anything else because the lookup has to be automated to make all your systems work internally.

    Hosts aren't going away any time soon because they're an architecture more than anything else. There's this wacky vision some in the industry have of containers running on top of Cisco gear that they seem to think will be a panacea for all of their tech issues. Software-defined stacks won't fix everything, and they really won't fix this.

  8. buzzword collection by manu0601 · · Score: 1

    Perhaps Snehal Antani's original ideas were interesting, but the linked article turns everything into a buzzword collection that makes little sense.

    Spare your time, skip article. Slashdot summary contains all relevant information.

    1. Re:buzzword collection by Anonymous Coward · · Score: 0

      Are you saying that the slashdot editors are doing a good job?

      I miss the old slashdot...

  9. Possible reduction in attacks by frnic · · Score: 1

    Put together a special forces team to find the hackers and make a video of them being lowered slowly feet first into tree shredders and publish the video online.

  10. One thing you can blame on our government by MikeRT · · Score: 0

    Since about 2007, we have been doing almost nothing but poke the Russians with a sharp stick in our foreign policy. The fact is, we need normalized and warm relations with Russia to fight this sort of crime. If the Russians could actually trust us on most things and know that we aren't trying to press them against the wall, you might see deep collaboration between their national law enforcement agencies and ours on this issue.

    This is one of the many reasons I will be voting for Trump over Clinton. The neocons hate Trump because Trump is skeptical of antagonizing Russia and continuing the GWoT (at least to the Bush and Obama extent). Clinton is not only a vote for the status quo, but one of turning the dial up a notch. If she wins, I will not be surprised if by the end of her term she makes things so bad that the Russian government hates us so openly and fiercely that Putin is giving medals to the most prolific hackers.

  11. Buzzword salad by geek · · Score: 1

    Seriously, Splunk is probably the most expensive SIEM out there so for him to bitch about costs rings hollow to me. Bring the price down on your shit before lecturing me on costs.

  12. Networks nobody can debug anymore. Great! by gweihir · · Score: 1

    Sounds like somebody is pushing an utterly stupid and destructive idea to earn a lot of money.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. rotate shield frequencies.... by magical+liopleurodon · · Score: 1

    This sounds like rotating shield frequencies every 10 seconds to keep the borg from adapting. I saw that episode of Star Trek: V'ger, they end up adapting

  14. Obvious Solution by Anonymous Coward · · Score: 0

    because the labor is cheap, the tools are free, and the resources are stolen

    I think he is on to something here. The cyber defense is economically sustainable only if the work is outsourced, tools are free and the resources are stolen.

  15. Shapeshifting is part of Moving Target Defense by Anonymous Coward · · Score: 0

    It's an emerging area of cyber defense, some articles:

    https://www.dhs.gov/science-and-technology/csd-mtd

    http://blog.morphisec.com/moving-target-defense-common-practices

    http://www.depts.ttu.edu/cs/research/csecs/workshop/docs/2014/Keynote/MTD-Overview.pptx

    1. Re: Shapeshifting is part of Moving Target Defense by Anonymous Coward · · Score: 0

      Maidsafe.

  16. Public sector? Academia? by Anonymous Coward · · Score: 0

    Public sector and Academia don't exist anymore.

    It's hilarious -- in a bittersweet sense -- when some company doing its best to avoid taxes invokes the "public sector" and "academia".

    In times of the Anorectic State, those don't exist anymore. *You* killed them, long time ago.

  17. My vote for the dumbest suggestion ever. by Anonymous Coward · · Score: 0

    Seriously, we are now dumber for having seen this suggestion.

  18. Hey anonymous by Anonymous Coward · · Score: 1

    Can we ddos any and all people that use the word cyber in any context, i'm willing to take the first hit if it will start a trend.

  19. "We need to bring down the cost of defense" by Opportunist · · Score: 1

    Does that mean Splunk will no longer charge you through the nose for every fart you might want to pass through their software?

    Didn't think so.

    Preaching water, drinking wine, thanks, but we have enough assholes that already do that, we'd much appreciate if you just kept your mouth shut, Snehal.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Dynamic networks by Anonymous Coward · · Score: 0

    I guess that quite close to when SDNs went mainstream, I proposed in an EU networking commission the idea of going for a totally dynamic Internet (dynamic network protocols, model-driven networking). One of the advantages was being able to change the whole protocol stack when compromised. The routers could generate their own firmware after receiving the new Internet protocol (model), or even create a full new layer to manage a new service. Drafted in the following document: "Towards a Dynamic Internet Model". The PDF is accessible by searching the Internet for that title.

  21. Score: 5 - Horseshit! by Anonymous Coward · · Score: 0

    Can we run Splunk on Windows? Can we run Splunk on z/OS? How do I find Splunk when its IP address changes every 10 seconds? If the answer to the former to to use DNS - as if it could work at a 10 second lifespan - what prevents the attackers from finding it equally easily.

    This guy is spouting fantasy. His ideas are not JUST impossible at a collaborative scale, they are impossible for his own product. Perhaps Snehal Antani should show the world by example with his own product and stop spouting bullshit that will never happen/work.

    1. Re:Score: 5 - Horseshit! by Anonymous Coward · · Score: 0

      "Can we run Splunk on Windows?"

      That would be a resounding "YES"!

      Your credibility is now shot, so the rest of your statement will fall on deaf ears.

      Let me be the first to congratulate you, dumbass!

  22. How would DNS propagate it in time? by Anonymous Coward · · Score: 0

    See subject: DNS takes up to 24 hrs. to send a new IP address to subordinate DNS servers (non-root ones) so changing it every 10 seconds (IP address of ANY given host-domain name).

    * I.E. It wouldn't work...

    APK

    P.S.=> It'd be TOO SLOW (DNS) TO KEEP UP... apk

    1. Re: How would DNS propagate it in time? by Anonymous Coward · · Score: 0

      We will bypass DNS completely and use a HOSTS file that updates every 10 seconds!
      Now if only someone had a program that would auto update the HOSTS file...
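
    The two objections above (comment 7: whatever does the shifting, clients still need a lookup service, and an attacker can use the same lookup; comment 22: DNS caches answers for a TTL, so ordinary clients fall behind a 10-second rotation) can be put in numbers with a small simulation. This is an added illustration for this thread, not code from the article, from Splunk, or from any moving-target-defense product. It assumes a name-to-address table that is re-randomised every ROTATION_PERIOD seconds from a constructed /24 pool, and a stub resolver that honours TTLs the way a normal DNS cache does; the two-host and four-host "networks" are made up for the example.

```python
"""Simulation of a 'shape-shifting' address scheme behind a lookup service.

Added illustration for the discussion above; not code from the article or
from any MTD product.  Assumptions: hosts keep their names, receive a fresh
address from a constructed pool every ROTATION_PERIOD seconds, and clients
find them through a resolver that caches answers for TTL seconds.
"""
import random

ROTATION_PERIOD = 10                                    # seconds, from the article
ADDRESS_POOL = [f"10.0.0.{i}" for i in range(1, 255)]   # constructed /24 pool


class RotatingNetwork:
    """Authoritative name -> address table, re-randomised every period."""

    def __init__(self, names, seed=1):
        self.names = list(names)
        self.rng = random.Random(seed)   # fixed seed so runs are repeatable
        self.epoch = None
        self.table = {}
        self.advance(0)

    def advance(self, now):
        """Re-draw every address when the clock crosses a rotation boundary."""
        epoch = now // ROTATION_PERIOD
        if epoch != self.epoch:
            self.epoch = epoch
            addrs = self.rng.sample(ADDRESS_POOL, len(self.names))
            self.table = dict(zip(self.names, addrs))

    def lookup(self, name, now):
        """The authoritative answer, which every client must be able to get."""
        self.advance(now)
        return self.table[name]

    def host_at(self, addr, now):
        """Which host a packet sent to `addr` at time `now` actually reaches."""
        self.advance(now)
        for name, a in self.table.items():
            if a == addr:
                return name
        return None


class CachingResolver:
    """Stub resolver that honours TTL, like a normal DNS cache."""

    def __init__(self, net, ttl):
        self.net, self.ttl, self.cache = net, ttl, {}

    def resolve(self, name, now):
        addr, expires = self.cache.get(name, (None, -1))
        if now >= expires:
            addr = self.net.lookup(name, now)
            self.cache[name] = (addr, now + self.ttl)
        return addr


def stale_fraction(ttl, seconds=10_000, start=3):
    """Fraction of seconds in which a client with a TTL cache would send
    traffic for 'web' to an address 'web' no longer owns."""
    net = RotatingNetwork(["web", "db"])
    res = CachingResolver(net, ttl)
    wrong = 0
    for now in range(start, seconds):
        addr = res.resolve("web", now)
        if net.host_at(addr, now) != "web":
            wrong += 1
    return wrong / (seconds - start)


def recon_snapshot_survival(now_snap, later):
    """Fraction of a scan's name->address findings that are still valid later."""
    net = RotatingNetwork(["web", "db", "mail", "ldap"])
    snap = {n: net.lookup(n, now_snap) for n in net.names}
    still = sum(1 for n, a in snap.items() if net.lookup(n, later) == a)
    return still / len(snap)


def attacker_following_lookup(seconds=1_000):
    """An attacker who asks the authoritative lookup before every probe,
    exactly as the legitimate clients must, reaches the right host every time."""
    net = RotatingNetwork(["web", "db"])
    hits = sum(1 for now in range(seconds)
               if net.host_at(net.lookup("web", now), now) == "web")
    return hits / seconds
```

    With a TTL of 0 (query before every packet) clients are never stale; with the "low" TTL of 60 seconds they spend most of their time talking to the wrong box, and a one-off scan snapshot is worthless after the next rotation. The attacker who simply follows the lookup service, however, scores 100%, which is the point comment 7 makes: the lookup has to be reachable and automated for the scheme to work at all.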

  23. Seems fitting. by jnngill · · Score: 1

    1) Dodge 2) Duck 3) Dip 4) Dive 5) Dodge. ... 2) Duck 3) Dip 4) Dive 5) Dodge. Remember the 5 D's of dodgeball! That's the key to victory.

  24. You've got to be fucking kidding. by thermowax · · Score: 2

    And now you've got to shell out for an SDN infrastructure, too.

    That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.

    That's just one example, the more I think about it leads me to downgrade my opinion to "dumbass".

    J-.

    1. Re:You've got to be fucking kidding. by Tharkkun · · Score: 1

      And now you've got to shell out for an SDN infrastructure, too.

      That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.

      That's just one example, the more I think about it leads me to downgrade my opinion to "dumbass".

      J-.

      Let's invest. I'll bet we can make millions off the stock before people see through this vaporware idea!!!

  25. $5,000 steel safe vs $25 demolition saw rental by raymorris · · Score: 1

    The claim is that breaking security is cheaper than creating security. For $5,000, I can buy a steel safe reinforced with concrete. For $25, I can rent a saw designed for cutting steel and concrete.

    Breaking things has always been cheaper than building them, and probably always will be. As you hinted, that's the wrong comparison. The comparison that drives decisions is:
    A) The cost to avoid a breach (the cost of security at a given level).
    Vs
    B) The cost of having a breach (reputation, down time, etc).

    In almost all cases, the lowest total cost is a certain degree of security, neither ignoring security nor obsessing about it. You put a lock on your door, you don't normally hire armed guards to guard the door.

    One of the best and cheapest approaches to information security is to reduce the cost of a breach - don't store plaintext passwords, don't store credit card numbers and social security numbers if you don't absolutely have to. They can't steal what you don't have.

  26. More corporate welfare by mea2214 · · Score: 1

    "Collaboration between public and private sectors" is word salad that really means he wants taxpayers to fund his enterprise and lifestyle.

  27. Won't work reliably either by Anonymous Coward · · Score: 0

    See subject: Changes'd occur too fast on the public internet for DNS as I said - though it MAY work for internal to corporate or home LAN/WAN though.

    * My hosts program's BLOCKING vs. known bad things online would still work (works by host-domain names) but hardcoded favorite sites (where you spend most time online) wouldn't - they're verified correct by reverse DNS validations is why & when those change every 10 seconds? Not only would DNS be adversely affected WORLDWIDE on the public internet, but so would my using favorites placed @ the TOP of hosts cached in RAM for fastest resolutions (minus slow faulty dnscache/dnsapi.dll in Windows using RAM/CPU/I-O & instead opting to go PURE kernelmode no context-switch speedhit (as dnscache has & is) using the kernelmode diskcaching subsystem to work in combination w/ the kernelmode IP stack (tcpip.sys as resolver)).

    APK

  28. "the space race for this generation" by neo-mkrey · · Score: 1

    Then I guess this generation is well and truly f*cked!

  29. cyberattacks are organised crime by Anonymous Coward · · Score: 0

    Cyberattacks are organised crime. The underlying cause is criminal, not technological. Therefore, the solution is not technological. It is a problem of law enforcement and political courage.

    Simply put: Attackers need to be tracked down and, ideally, shot. But I'll settle for arrested, prosecuted and sent to jail.

  30. Having IP numbers change every 10 seconds by Anonymous Coward · · Score: 0

    really doesn't work.

    TCP connections are continuous - same IP number from start to finish, otherwise you get an aborted connection or timeout after 10+ minutes of non function.

    do it at a VPN level doesn't work either - once the connection to the VPN is accomplished the changes don't matter.
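
    Comments 24 and 30 both come down to the same mechanism: a TCP connection is identified by its 4-tuple, so if the network quietly hands a virtual IP to a different host mid-session, the data packets arrive at a stack that never saw the handshake and get a RST. The toy model below shows that, and the one way out (the controller keeping per-flow state so established flows stay pinned to the host they started on while only new flows see the new mapping). This is an added illustration for the thread; it is not code from Splunk, the article, or any SDN controller. The host names, vIPs, the "rotate ownership by one every period" rule and the constructed 22/tcp session are all assumptions made for the example.

```python
"""Toy model of an SDN that remaps virtual IPs (vIPs) to hosts every 10 s,
and what that does to an established TCP session.

Added illustration for the comments above; not code from Splunk, the
article, or any SDN controller.  Assumed: the controller rewrites the
destination of packets from a vIP to the host that currently owns it, and
a host accepts data only for flows it completed a handshake for, answering
RST otherwise (as a real TCP stack does).
"""

ROTATION_PERIOD = 10                 # seconds, from the article
VIPS = ["10.1.0.1", "10.1.0.2"]      # constructed virtual addresses


class Host:
    """A minimal TCP stack: remembers which 4-tuples it has handshaken."""

    def __init__(self, name):
        self.name = name
        self.established = set()

    def receive(self, pkt):
        flow = pkt["flow"]
        if pkt["kind"] == "SYN":
            self.established.add(flow)
            return "SYN-ACK"
        if flow in self.established:
            return "ACK"
        return "RST"     # data for a connection this stack never set up


class Controller:
    """Maps vIP -> host.  With pin_flows=True it records the host each flow
    was first sent to and keeps sending that flow there after a rotation."""

    def __init__(self, hosts, pin_flows=False):
        self.hosts = hosts
        self.pin_flows = pin_flows
        self.flow_table = {}         # 4-tuple -> host name (only when pinning)
        self.epoch = None
        self.vip_owner = {}

    def rotate(self, now):
        """Deterministic rotation for the example: shift ownership by one
        host every period, so every vIP changes owner at each boundary."""
        epoch = now // ROTATION_PERIOD
        if epoch != self.epoch:
            self.epoch = epoch
            names = sorted(self.hosts)
            for i, vip in enumerate(VIPS):
                self.vip_owner[vip] = names[(i + epoch) % len(names)]

    def forward(self, pkt, now):
        self.rotate(now)
        flow = pkt["flow"]
        vip = flow[2]
        if self.pin_flows and flow in self.flow_table:
            host = self.flow_table[flow]          # established flow stays put
        else:
            host = self.vip_owner[vip]            # new flow follows the vIP
            if self.pin_flows:
                self.flow_table[flow] = host
        return self.hosts[host].receive(pkt)


def long_session(pin_flows, duration=30):
    """A client opens a session to VIPS[0]:22 at t=0 and sends one data
    packet per second.  Returns the list of responses it sees."""
    hosts = {n: Host(n) for n in ("linux-box", "windows-box")}
    ctl = Controller(hosts, pin_flows=pin_flows)
    flow = ("192.0.2.7", 40000, VIPS[0], 22)      # constructed 4-tuple
    responses = [ctl.forward({"kind": "SYN", "flow": flow}, 0)]
    for t in range(1, duration):
        responses.append(ctl.forward({"kind": "DATA", "flow": flow}, t))
    return responses


def first_failure(pin_flows):
    """Second at which the session first receives a RST, or None."""
    for t, r in enumerate(long_session(pin_flows)):
        if r == "RST":
            return t
    return None
```

    Without flow pinning the session is reset at the first rotation boundary (t=10); with pinning it survives, but only because the controller now carries state for every live connection, which is exactly the "known address to follow" that comment 7 warns about, moved into the SDN.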

  31. Splunk! by Anonymous Coward · · Score: 0

    Sounds like spunk!

  32. wakkkkkk by Anonymous Coward · · Score: 0

    Hey I thought of this one two years ago! The problem is to maintain an ongoing set of the current ip landscape. The traditional standard and process, siloed networks, means no one wants to take on additional work.

  33. Further Explanation by snehalantani · · Score: 1

    Thanks for all of the comments. Let me further explain, and I'm excited to hear more ideas from the community on the topic.

    First, to clarify the point I made about collaboration across public sector, academia, and private sector. Government agencies like DHS, NSA's IAD, universities like MIT's CSAIL, and hundreds of private sector companies are doing some amazing work in the area of breach detection, incident response, and security analytics. The challenge is that these efforts aren't synchronized or coordinated, and as a result, we are not as effective as we could otherwise be in transforming our national & critical infrastructure cyber defense capabilities. The collaboration required across public sector, academia, and private sector has not been seen since the Space Race, hence why I believe the effort to transform cyber defense will be the "Space Race" of our generation.

    With regard to "shape shifting networks", this is an idea that falls within the domain of "Moving Target Defense" (MTD), an emerging area of cyber defense, that is still in its early days, and has the potential to be a game changer in how we defend our critical systems. The concept of MTD, and the specific idea of shape-shifting networks, is not yet in production anywhere (as far as I know), but this work is in prototype and in research. If you're interested in diving into this topic, here are some resources to get you started:
    • Problem statement from DHS: In the current environment, information technology systems are built to operate in a relatively static configuration. For example, addresses, names, software stacks, networks and various configuration parameters remain more or less the same over long periods of time. This static approach is a legacy of information technology systems designed for simplicity in a time when malicious exploitation of system vulnerabilities was not a concern
    • Solution approach from DHS: Moving Target Defense (MTD) is the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts. MTD assumes that perfect security is unattainable. Given that starting point, and the assumption that all systems are compromised, research in MTD focuses on enabling the continued safe operation in a compromised environment and to have systems that are defensible rather than perfectly secure.
    • “[MTD] Enables us to create, analyze, evaluate, and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency.” – Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program published by the Executive Office of the President, National Science and Technology Council, December 2011
    • Links to additional reading material
      1. DHS overview: https://www.dhs.gov/science-an...
      2. Morphisec's blog on MTD: http://blog.morphisec.com/movi...
      3. Details on Morphisec's solution (one of many in this space): http://www.morphisec.com/how-i...
      4. The "Morphinator" project sponsored by the Army for shape-shifting networks: https://gcn.com/articles/2012/...
    • It is the combination of at least 6 key initiatives that will fundamentally disrupt and transform the cyber defense capabilities of our critical infrastructure and beyond:
      1. "Shift left" by applying Continuous Delivery, Architecture-as-Code, and other
  34. "Thru the mystic arts..." apk by Anonymous Coward · · Score: 0

    See subject - "We harness energy & shape reality + "We travel great distances in an instant" - The Ancient One

    Sanctifying it in front of us & making it FASTER (than you can go by default using remote DNS)!

    "How do I get there from here? - Dr. Strange

    THIS APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

    * THIS ACTUALLY WORKS DOING MORE THAN ANY SINGLE OTHER SO-CALLED SOLUTION DOES, NATIVELY FOR LESS (on many levels) + for more speed, security & reliability than illogically "Bolted on 'MoAr'" so-called 'solutions' that are full of security issues galore (DNS, antivirus) & bloated as hell (dns, antivirus, browser addons (crippled by default & 'souled-out')) too many moving parts bloat + room for exploitations.

    APK

    P.S.=> For reference' sake (Nov. 4 2016 Dr. Strange?) -> https://www.youtube.com/watch?v=HSzx-zryEgM/ ... apk

  35. Addendum to my last post (same theme) by Anonymous Coward · · Score: 0

    I've used "moving target defense" for AGES albeit as an enduser consumer of internet services (by shifting IP addresses constantly) which I mentioned to Coren22 (1 method I've used in the past)-> https://slashdot.org/comments.pl?sid=9636049&cid=52886229/ since he's TRIED TO STOP ME (so has whipslash, both failed) @ that posts' conclusion...

    HOWEVER imo?

    You're SORT OF "on the right track" albeit @ the WRONG time (as Howard Stark said, in keeping w/ my "marvel" theme here, lol) He was constrained by the technology of his time... so are you!

    How so? Ok:

    I hit on 1 thing that messes you up (& your methods CAN BE ABUSED FOR MALWARE BIGTIME so you know, as well) in DNS propagation-> https://developers.slashdot.org/comments.pl?sid=9725875&cid=53003527/

    So have others (even TTL alteration doesn't help) -> https://developers.slashdot.or...

    APK

    P.S.=> Last quote from Dr. Strange for you: "Dr. Strange, you *THINK* you know how this world works..." & I'm sorry to say, that due to those 2 points above alone? I don't think you do

    OR

    You haven't thought this thru completely considering those 2 constraints above alone I noted (still good idea, but how DNS works on the public internet won't let it, but POSSIBLY it would in internal networks but it'd mean notifying the IP stack (specifically the tcpip.sys driver since it's the REAL workhorse on resolutions) & telling it to requery (possibly upping network chatter unfortunately as well)... apk

  36. Lastly, on "unification" by Anonymous Coward · · Score: 0

    See subject: That's exactly what APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?... is about - consolidating reputable & reliable sources of data vs. threats online, blocking them out from threatening users (the rest for more speed is done by the user himself - "want to do a job RIGHT? Do it yourself!")

    * I've got 10 in there but there are ~5 more I do NOT have in there (I wasn't aware of them @ the time during the program's creation) - & I'd love to see all the SECURITY SITES contribute their data vs. malicious stuff online consolidated there too OR in some single spot (they don't coordinate their findings that way either, often operating independently of one another).

    APK

    P.S.=> You're not the ONLY ONE thinking the way you do on things of this nature ("join the club" in other words, but I've started to do something about it that gives users more speed, security, reliability & even anonymity online for LESS using what you have natively that really works doing more for far less vs. other methods)... apk