RSAC Recap: Two Sessions That Made Me Think
At the recent RSA Conference 2015, I attended some fascinating meetings and sessions filled with valuable insights. Here are two of them whose presentation slides are available for download as PDFs:
No surprise here. George Kurtz from CrowdStrike has become a staple of the best RSAC sessions. Joined by Dmitri Alperovitch and Elia Zaitsev, the CrowdStrike team argued that malware is now just a diversion used to hide true advanced attacks that don’t lay down a single file. Once the case was made, they demonstrated hacking into an environment, elevating privileges and creating a “Kerberos Golden Ticket” that would allow the attackers to maintain access even after a global password reset. Scary stuff!
What struck me is that most vendors and customers today are focused on catching the malware and the files being laid down for command and control, even without a signature. While that is good and useful, it does not help at all with accounts compromised through the type of attack demonstrated, through phishing for credentials, or through social engineering of credentials. At SwishData we are firm believers in solutions that are not specific to certain types of attacks, because the attack vector will always change as we plug the holes. We have several solutions that assist in defending data and networks without relying on malware detection or defense.
(RSA posted the video of the session; you can watch it here.)
Jason Bird from CSG Invotas argued that we are challenged to win the war against “the bad guys” because … well, they are bad. And bad guys don’t play by the rules! His main summary is DON’T do these things:

- Become an economical target
- Be passive (reactive)
- Constrain your team

And DO do these things:

- Multiply forces through automation
- Switch network conditions
- Pre-approve mitigation actions
- Encode asset names
- Lead a team strategy before a breach
Three of the very specific actions he recommended were creating a honeypot to capture attacker activity, automating redundant and mundane tasks to free up funds and labor, and creating multiple fake versions of your environment with similar names (which is different from just a honeypot). These are interesting ideas that resonate with SwishData’s approach to cyber security. We believe strongly in simplification and automation to respond faster and more precisely. We have also acquired some partners that assist in creating honeypots and fake environments in a cheaper, more efficient way than the manual method.
I hope you get value from downloading the session PDFs, and look for more from SwishData about how you can implement these ideas in your security environment!