








Network-based Threat Detection Overcoming the Limitations of Prevention

By Security Bloggers Network
On [2015-03-26] at 01:19:04



Organizations continue to invest heavily to block advanced attacks, both on the endpoints and on the network. Despite all of this investment, devices continue to be compromised in increasing numbers and high profile breaches continue unabated. Something isn't adding up. It gets down to psychology, as security practitioners want to believe that the latest shiny means of preventing compromise will finally work and stop their pain. Of course, we're still waiting for effective prevention, right?

So we've been advocating to shift security spending away from ineffective prevention and towards detection and investigation of active adversaries within your networks and systems. Yes, many organizations have spent a bunch of money on detection in the form of intrusion detection (or its big brother, intrusion prevention) and SIEM. Yet these detection techniques haven't really worked effectively either, so it's time to look at the issue with fresh eyes.

In the Network-based Threat Detection series, we're going to do just that. By taking a look at detection not from the standpoint of what we've done and implemented (IDS and SIEM), but what we need to do to isolate and identify adversary activity, we'll be able to look at the kinds of technologies needed right now to deal with modern day attacks. The times have changed, the attackers have advanced, and the detection techniques used to find adversaries need to change as well.

As always, we wouldn't be able to publish our research for the awesome price of zero without having our clients support what we do. So we'd like to thank Damballa and Vectra Networks for potentially licensing the content at the end of the series. We'll develop the content using our Totally Transparent Research methodology, so everything is done in the open and objectively.

Threat Management Reimagined
----------------------------

Let's revisit how we're thinking about threat management nowadays. As we first documented in Advanced Endpoint and Server Protection, as the threats have changed you've got to change the way you handle them. Thus we believe threat management needs to evolve as follows:

1. Assessment: You cannot protect what you don't know about; that hasn't changed and isn't about to. So the first step is gaining visibility into all devices, data sources, and applications that present risk to your environment. Additionally you need to understand the security posture of anything you have to protect.
2. Prevention: Next you try to stop attacks from succeeding. This is where most of the effort in security has been for the past decade, with mixed (actually, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It is now a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks, you can focus on the advanced ones.
3. Detection: You cannot prevent every attack, so you need a way to detect attacks after they get through your defenses. There are a number of different options for detection, most based on watching for patterns that indicate a compromised device. The key is to shorten the time between when the device is compromised and when you discover it has been compromised.
4. Investigation: Once you detect an attack you need to verify the compromise and understand what it actually did. This typically involves a formal investigation, including a structured process to gather forensic data from devices, triage to determine the root cause of the attack, and a search to determine how widely the attack spread within your environment.
5. Remediation: Once you understand what happened you can put a plan in place to recover the compromised device. This might involve cleaning the machine, or more likely re-imaging it and starting over again. This step can leverage ongoing hygiene activities such as patch and configuration management, because you can and should use tools you already have to re-image compromised devices.

This reimagined threat management process incorporates people, processes, and technology integrated across endpoints, servers, networks, and mobile devices. If you think about it, there is a 5x4 matrix for all of the combinations to manage threats across the entire lifecycle for all device types. Whew! That would be a lot of work (and a really long paper). The good news is for this series we're going to focus specifically on network-based detection.

Why not prevention?
-------------------

From reading thus far, you may think we've capitulated and just given up on trying to prevent attacks. Not true! We still believe that having restrictive application-centric firewall policies and looking for malware on the ingress pipes is a good thing. Our point is that you can't assume that your prevention tactics are sufficient. They aren't. Adversaries have made tremendous progress in being able to evade intrusion prevention and malware detonation devices (sandboxes). And remember that your devices aren't always protected by the network perimeter or your other defenses at all times. Employees take the devices outside of the network and click on things. So your devices may come back onto the corporate network infected. That doesn't mean these devices don't catch stuff, but they don't catch everything.

Thus, if you are having trouble understanding the importance of detection, think about it as Plan B. Every good strategist has Plan B (and Plan C, D, and E), and focusing effort on detection gives you a fallback position when your prevention doesn't get it done. So in a nutshell, it's not either prevention or detection. It's both.

Why not existing monitoring?
----------------------------

It's true that you've probably spent a bunch of time and money implementing intrusion detection/prevention and SIEM to monitor those network segments. So why isn't that good enough? It gets down to a fundamental reality of IDS and SIEM: you need to know what you're looking for. Basically, you define a set of conditions (rules, policies) where you look for typical patterns of attacks in the network traffic or event logs. If the attacker uses a common attack that's already been profiled, and you've added the rule to your detection, and your device can handle the volumes (because you have 10,000 other rules defined in the device), then you'll be able to find the attack. But what if the attacker is evading your devices by hiding the traffic in a standard protocol and communicating by proxying through a legitimate network? What if they are using a pattern that you haven't seen before? Yup, you'll miss the attack.

Again, it's not like you don't have to monitor your systems and networks anymore. Compliance mandates that you'll still need your IPS and your SIEM. It's still critical to collect data and analyze it to find attacks that you know about. And to be fair, many of the IDS/IPS and SIEM platforms are adding more sophisticated analysis to their standard correlation capabilities to improve detection. But these approaches still require a lot of tuning and experimentation to get right, and not a lot of folks have time to get everything done. They certainly don't have time to deal with a noisy security monitor.

The answer is...
----------------

Unfortunately we haven't found an approach for cold fusion or a magic bullet that identifies every attack from every adversary every time. Though that would be nice, huh? But a couple of capabilities have come together to enable better and more accurate detection on the network:

1. Math: Actually, math has been around for a while (yes, that's sarcasm). But an increased ability to find patterns amongst a variety of data sources has made a big difference in the effectiveness of detection. Vendors may call this Big Data Analytics or Machine Learning. Shiny buzzwords aside, these capabilities are improving your ability to find anomalous traffic earlier in the attack chain.
2. Context: Anomaly detection has been around for almost as long as math, but the approach was of limited value because it threw off a lot of false positives. An anomaly could just as easily be legit as malicious, and you had no way to tell the difference without doing a pretty deep investigation. So by being able to evaluate other types of data like identity and content (payload) and prioritize the anomalies based on what's more likely to be an attack, you'll be able to eliminate the obvious false positives.

Thus network-based detection techniques have evolved to the point where you can identify devices that look like they've been compromised. To be clear, this is sub-optimal because damage has already been done. Our inner security purist still wants to block attacks. But keep in mind that a breach doesn't happen until exfiltration occurs, and if you are able to respond faster and better, then you can contain the damage. That's what better detection is all about.

In the next post, we'll dig into the typical indications of a compromised device. Attackers always leave a trace, and by looking for certain things on your network, you can find them.

- Mike Rothman
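The two capabilities the post pairs, "math" (find the anomaly) and "context" (decide whether it is worth an analyst's time), can be shown end to end on a handful of flow summaries. The following is an added example, not code from the post or from Securosis, Damballa or Vectra Networks; the host names, addresses, asset roles, byte counts and the weights in `context_weight` are all constructed for illustration.

```python
"""Anomaly scoring with context re-ranking over constructed flow summaries.

Added example (not code from the Securosis post or from any vendor it names).
Stage 1 ("math"): each host gets a baseline of daily outbound bytes; a day
whose volume sits many standard deviations above the mean is an anomaly.
Stage 2 ("context"): the anomaly is re-weighted with asset role, user
privilege and whether the destination has been seen before, so a backup
server pushing a big dump to its usual target ranks far below a workstation
sending bulk data to a never-seen host. All data below is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int
    src: str
    dst: str
    out_bytes: int  # total bytes from src to dst on that day


# Constructed baseline: seven days of "normal" daily outbound bytes per host.
BASELINE = {
    "ws-42": [12_000_000, 15_000_000, 11_000_000, 14_000_000,
              13_000_000, 12_500_000, 13_500_000],
    "backup-01": [900_000_000, 950_000_000, 870_000_000, 910_000_000,
                  930_000_000, 890_000_000, 920_000_000],
    "ws-77": [9_000_000, 8_500_000, 9_500_000, 10_000_000,
              8_000_000, 9_200_000, 8_800_000],
}

# Constructed context: what the asset is for, who uses it, where it normally talks.
ASSETS = {
    "ws-42": {"role": "workstation", "user_priv": "admin",
              "known_dst": {"203.0.113.10"}},
    "backup-01": {"role": "backup", "user_priv": "service",
                  "known_dst": {"198.51.100.5"}},
    "ws-77": {"role": "workstation", "user_priv": "standard",
              "known_dst": {"203.0.113.10"}},
}

# Constructed "today" (day 8): one flow summary per host.
TODAY = [
    Flow(8, "ws-42", "192.0.2.200", 400_000_000),         # bulk egress to unseen host
    Flow(8, "backup-01", "198.51.100.5", 1_300_000_000),  # larger than usual backup
    Flow(8, "ws-77", "203.0.113.10", 9_100_000),          # ordinary day
]

Z_THRESHOLD = 3.0   # deviations above which a day counts as anomalous
Z_CAP = 50.0        # keeps one wild outlier from dominating the ranking


def zscore(value, history):
    """Standard score of value against the host's history (0 if history is flat)."""
    mu = mean(history)
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def context_weight(host, dst, assets=ASSETS):
    """Multiplier from context; the factors are constructed tuning choices."""
    a = assets[host]
    w = 1.0
    if dst not in a["known_dst"]:
        w *= 4.0   # never-seen destination: much more likely to matter
    if a["role"] == "backup":
        w *= 0.1   # bulk egress is this host's job
    if a["user_priv"] == "admin":
        w *= 2.0   # a compromised admin session is worse
    return w


def prioritize(flows=TODAY, baseline=BASELINE, assets=ASSETS):
    """Return anomalous flows ranked by z-score times context weight, highest first."""
    ranked = []
    for f in flows:
        z = zscore(f.out_bytes, baseline[f.src])
        if z < Z_THRESHOLD:
            continue  # stage 1: not an anomaly, never reaches an analyst
        w = context_weight(f.src, f.dst, assets)
        ranked.append({"host": f.src, "dst": f.dst, "z": z,
                       "weight": w, "priority": min(z, Z_CAP) * w})
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['host']:10} -> {r['dst']:14} z={r['z']:7.1f} "
              f"weight={r['weight']:.1f} priority={r['priority']:.1f}")
```

Run stand-alone, both ws-42 and backup-01 clear the z-score threshold (stage 1 alone would page an analyst for each), but the context step pushes the backup server's oversized-but-expected transfer to the bottom of the queue while the admin workstation sending 400 MB to a never-seen address lands on top; ws-77 never appears. The signature-based approach the post contrasts this with would have needed a rule written for that specific destination or protocol in advance.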

Press review keywords for this article: prevention
Videos on SecuObs for the keywords: prevention


