posted by martyb on Friday September 22 2017, @11:02AM   Printer-friendly
from the brought-to-you-by-Home-Depot,-Target,-and-Equifax dept.

I often talk about automation in my articles and it's a hot topic in general – a quick Google search reveals more than 100 million results for security automation. Given the global shortage of cybersecurity professionals, and the volume and velocity of increasingly sophisticated threats we all have to deal with, humans can't go it alone. Automation helps get more from the people you have – handling time-intensive manual tasks so they can focus on high-value, analytical activities. But the catch with automation is that it has to be applied at the right time in the security lifecycle in order to be effective.

You've likely heard the phrase: "dirty data in, dirty data out." Jumping to the end of the security lifecycle and using automation to take action – like automating playbooks and automatically sending the latest intelligence to your sensor grid (firewalls, IPS/IDS, routers, web and email security, endpoint, etc.) – can backfire. Without first aggregating, scoring and prioritizing intelligence you can actually exacerbate the dirty data problem.

[...] But with the sheer volume of threat data continuing to climb at a staggering rate, we need to start with the threat – automating how we gather, score and prioritize threat intelligence. Otherwise we're just amplifying the noise, wasting precious resources and hampering security – and that's the dirty secret.

Filter first, not last.


  • (Score: 1, Informative) by Anonymous Coward on Friday September 22 2017, @11:39AM (5 children)

    by Anonymous Coward on Friday September 22 2017, @11:39AM (#571608)

    I call bs on the whole article (although I haven't read it...)

      > You've likely heard the phrase: "dirty data in, dirty data out."

    The phrase is: "garbage in, garbage out," I can't believe someone would try to "sanitize" that!

    • (Score: 3, Informative) by Rich26189 on Friday September 22 2017, @12:35PM (1 child)

      by Rich26189 (1377) on Friday September 22 2017, @12:35PM (#571622)

      I did follow one or two links though I didn't fully read TFAs. I did follow along far enough to see that Marc Solomon wrote:
        You’ve likely heard the phrase: “dirty data in, dirty data out.”
      Well, no, I've never read that before. I clicked on Marc Solomon in the byline and the word I read most often in that blurb was "marketing". 'Nuff said.

      • (Score: 2) by frojack on Saturday September 23 2017, @06:23AM

        by frojack (1554) on Saturday September 23 2017, @06:23AM (#572027) Journal

        I think writing the whole article was automated. It's probably one of those troll articles written by a fuzzing program, by someone trying to see who will post a serious reply to a bogus article.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Friday September 22 2017, @09:27PM (2 children)

      by Anonymous Coward on Friday September 22 2017, @09:27PM (#571831)
      • (Score: 0) by Anonymous Coward on Saturday September 23 2017, @01:18AM (1 child)

        by Anonymous Coward on Saturday September 23 2017, @01:18AM (#571927)

        AC parent here, thanks! Always nice to have the numbers on your side...

        • (Score: 2) by frojack on Saturday September 23 2017, @06:19AM

          by frojack (1554) on Saturday September 23 2017, @06:19AM (#572025) Journal

          AC parent here,

          Parent? You sure? You could be cuckold and you'd have no way of knowing.

          Kids these days have enough problem choosing a gender, now you are going to make them guess about their identity too?

          Won't you ACs please think of the children?

          --
          No, you are mistaken. I've always had this sig.
  • (Score: 2, Insightful) by anubi on Friday September 22 2017, @12:22PM

    by anubi (2828) on Friday September 22 2017, @12:22PM (#571617) Journal

    My own feeling is we have made something so complex that it is no longer manageable.

    Our DNA is only 3 GB [google.com] of code...( uncompressed at that! ). How many GB of code does the current digital beast consume? We hardly are beginning to understand the slightest snippets of DNA. And we know there are biological viruses out there that could do us in big-time. Yet we enforce ignorance for our computational infrastructure? Only some entity with ignorance of how computers actually work combined with the authority of Congress would do such a thing.

    All this legal "rights protection", electronic locks, obfuscation, and legally enforced ignorance of how stuff works is not helping one iota.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 0) by Anonymous Coward on Friday September 22 2017, @12:30PM

    by Anonymous Coward on Friday September 22 2017, @12:30PM (#571621)

    People are too unpredictable for certainty in automatic attacks.

    Automatic tools that can be put in the attacker's test suite would be ideal, not.

  • (Score: 4, Insightful) by Anonymous Coward on Friday September 22 2017, @12:35PM (7 children)

    by Anonymous Coward on Friday September 22 2017, @12:35PM (#571623)

    Fist line of TFA "The cyber security skills gap is known and documented, and empirically understood by all enterprise security leaders."

    Bahhhahhhaaaa!, oh wait your serious let me laugh even harder.

    • (Score: 1, Insightful) by Anonymous Coward on Friday September 22 2017, @04:11PM (5 children)

      by Anonymous Coward on Friday September 22 2017, @04:11PM (#571686)

      The best / worst part of management is how easily they tend to fall for such bullshit. Make up a whopping intro like that, force them to internally agree or else they feel stupid for not knowing and reading the mentioned documentation. Then you can sell them any string of bullshit, their brain already gave up when it agreed to the first sentence!

      • (Score: 0) by Anonymous Coward on Friday September 22 2017, @04:34PM (4 children)

        by Anonymous Coward on Friday September 22 2017, @04:34PM (#571694)

        The3 thing I really don't get is why there is no recognition of the simple fact that to have information security you need people on staff that do that, I mean if your a mom and pop cornerstore you don't have the budget to maintain a staff of penetration testers, QA people and network, kernel and DB devs but if you are a multi billion dollar company and you can't through down a few million a year to test your own network in house you've already failed it's not like you need thousands or even hundreds of these people

        The user is the problem is true as far as it goes but it's a social problem that permeates most companies, it's why they can't hire good people (or keep them) it's basic human organizing if they want good security they would be better off hiring management from the local homeless population at least they know how to cooperate and organize to at least shot term goals, it's pathetic

        • (Score: 0) by Anonymous Coward on Friday September 22 2017, @09:25PM (3 children)

          by Anonymous Coward on Friday September 22 2017, @09:25PM (#571830)

          Time for a diet when you can't hit "e" without "3" ;)

          • (Score: 0) by Anonymous Coward on Saturday September 23 2017, @12:22AM (2 children)

            by Anonymous Coward on Saturday September 23 2017, @12:22AM (#571913)

            The very first word of the comment and he didn't catch it.
            Pitiful.
            ...and the Preview page is mandatory for ACs.

            ...then there's
            you can't through down

            .
            ...and the root AC did the Fist thing.[1]
            Again, the very first word of the comment.
            Again, pitiful.

            [1] I've done that several times, but I manage to catch it at Preview.

            -- OriginalOwner_ [soylentnews.org]

            • (Score: 1, Funny) by Anonymous Coward on Saturday September 23 2017, @02:50PM (1 child)

              by Anonymous Coward on Saturday September 23 2017, @02:50PM (#572112)

              One of the perks of being a registered user is that you can have the "Post Anonymously" checkbox ticked by default, and enjoy one-click AC posting -- never being forced to preview again. It's great for those of us with impecable speling!

              • (Score: 0) by Anonymous Coward on Saturday September 23 2017, @10:19PM

                by Anonymous Coward on Saturday September 23 2017, @10:19PM (#572178)

                On this topic, I've previously noted that spellcheckers are available gratis.
                I guess I'm doing that again here.

                Even when my spellchecker stumbles, Google usually provides good answers.
                In the 21st Century, I can't see any reason why a computer user should ever produce a misspelled word.

                a registered user [...] can have the "Post Anonymously" checkbox ticked

                Ah. Something I hadn't considered.
                Obviously, out of my experience.

                -- OriginalOwner_ [soylentnews.org]

    • (Score: 2) by DeathMonkey on Friday September 22 2017, @06:06PM

      by DeathMonkey (1380) on Friday September 22 2017, @06:06PM (#571724) Journal

      Just because that knowledge is completely ignored by everyone who matters doesn't mean it's not known!

  • (Score: 2, Interesting) by Anonymous Coward on Friday September 22 2017, @03:58PM (1 child)

    by Anonymous Coward on Friday September 22 2017, @03:58PM (#571682)

    The article is on securityweek.com. It's targeted at CxO's or people with VP in their title. It does not convey any meaningful information.

    • (Score: 2) by DannyB on Friday September 22 2017, @09:01PM

      by DannyB (5839) Subscriber Badge on Friday September 22 2017, @09:01PM (#571814) Journal

      Shouldn't a site such as you describe, for CxO's, and no meaningful information have a domain like:

      securityweak.com

      ?

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 4, Insightful) by DannyB on Friday September 22 2017, @04:14PM (2 children)

    by DannyB (5839) Subscriber Badge on Friday September 22 2017, @04:14PM (#571687) Journal

    Security is not automation. Not even a process.

    Security must be a foundational principle in the design of a system. It's not something you can later attach with scotch tape. It is a way of thinking.

    Now there are many aspects of this in the design of a software system.

    But I'll give an operational example. In the development of a web-based product, I use HTTPS everywhere. Even on my development box. On internal test servers. On Staging servers. On Demo and Pre-release demo servers. And of course, as everyone does, on production.

    Bu . . . but . . . isn't that a lot of trouble?

    Uh, no. It's not. Because I do it all the time. Every single server, no matter how small. Even run within a development system is run with HTTPS. Always. All the time. There are no exceptions.

    So using and configuring HTTPS is an ordinary every day skill. Not something highly unusual that is only done on production -- and you hope you get it right! Maintain proficiency in skills.

    That seems pretty basic to use HTTPS. But there's more. Much more. So you must constantly read and be looking for new types of attacks that you must defend against. SQL injection. XSS. XSRF. And on and on.

    Here's something I wish strongly typed languages (eg, Java, C#) had. Subclasses of String. For example: HtmlSafeString. That is, a string that has already had any important html characters escaped. So that a > becomes &gt; for example. You could assign an HtmlSafeString to a String, but not vice versa. You would be required to use a function to convert a String into an HtmlSafeString. Then I would want hard type checking, compile time enforced, use of only HtmlSafeString to be inserted into the output of a web page -- except within an input box / textarea, where String would be used. This would be embedded in whatever output template technology is in use. For example, a JSP would only allow an HtmlSafeString to become part of the output of the page.

    This illustrates that security is something you think about at the lowest levels of your system.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
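
The type-enforced escaping described in the comment above can be approximated in Java with a final wrapper class, since `String` itself is final and cannot be subclassed. This is an added example, not code from the thread; `HtmlSafeString`, `Page` and their methods are hypothetical names.

```java
// Added example (not from the thread): a wrapper type standing in for the
// "HtmlSafeString" idea. All class and method names are hypothetical.
public final class HtmlSafeDemo {

    /** Text that is already HTML-escaped. Only escape() creates one.
     *  In real code this would be its own top-level class, so the private
     *  constructor is unreachable from the rest of the code base. */
    static final class HtmlSafeString {
        private final String value;

        private HtmlSafeString(String value) { this.value = value; }

        /** The single conversion function from an untrusted String. */
        static HtmlSafeString escape(String raw) {
            StringBuilder sb = new StringBuilder(raw.length() + 16);
            for (int i = 0; i < raw.length(); i++) {
                char c = raw.charAt(i);
                switch (c) {
                    case '&':  sb.append("&amp;");  break;
                    case '<':  sb.append("&lt;");   break;
                    case '>':  sb.append("&gt;");   break;
                    case '"':  sb.append("&quot;"); break;
                    case '\'': sb.append("&#39;");  break;
                    default:   sb.append(c);
                }
            }
            return new HtmlSafeString(sb.toString());
        }

        /** The safe-to-plain direction is always allowed. */
        @Override public String toString() { return value; }
    }

    /** Minimal page writer: body text is accepted only as HtmlSafeString. */
    static final class Page {
        private final StringBuilder out = new StringBuilder();

        // There is deliberately no text(String) overload.
        Page text(HtmlSafeString s) { out.append(s); return this; }

        String render() { return "<p>" + out + "</p>"; }
    }

    public static void main(String[] args) {
        String comment = "<script>alert(1)</script> & more"; // constructed sample input
        System.out.println(new Page().text(HtmlSafeString.escape(comment)).render());
        // new Page().text(comment);  // rejected by the compiler: String is not HtmlSafeString
    }
}
```
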
    • (Score: 2, Interesting) by Anonymous Coward on Friday September 22 2017, @07:33PM (1 child)

      by Anonymous Coward on Friday September 22 2017, @07:33PM (#571759)

      If you trust HTTPS and the Certificate Authority system to keep your web traffic secure, then you're trusting a system that is completely compromised and broken. At best, you may be able to keep small-fry crooks and neighborhood snoopers out of your traffic, but between National Security Letters and sleazy trusted-by-default CAs, you have no security with HTTPS. "The only thing worse than no security is a false sense of security."

      Soylent News seems to be taking the second-best approach (in light of the braindead choices most browser devs made by making their browsers shriek in horror over completely valid self-signed certificates), by implementing HTTP Public Key Pinning [wikipedia.org] (to prevent MITM with a different trusted-by-default certificate) and HTTP Strict Transport Security [wikipedia.org] (to prevent downgrade attacks).

      A true and proper solution needs to be built, and work on such a project is being displayed at youbroketheinternet.org [youbroketheinternet.org].

      • (Score: 2) by DannyB on Friday September 22 2017, @08:59PM

        by DannyB (5839) Subscriber Badge on Friday September 22 2017, @08:59PM (#571813) Journal

        I am aware of both of these.

        I'm considering HSTS which wouldn't be much of a problem.

        I'm more concerned about HPKP. I need to get multiple people above my head to make sure we are organizationally mature enough to implement this.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 5, Insightful) by VLM on Friday September 22 2017, @04:17PM

    by VLM (445) on Friday September 22 2017, @04:17PM (#571689)

    Given the global shortage of cybersecurity professionals

    should be

    Given the global shortage of cybersecurity professionals willing to work for minimum wage or less

    According to some google results from payscale and other sites, the average Python software dev makes $104K and the average security droid makes a mere $70K. I donno for sure, but I can guess one salary strategy that might, just might, result in more applicants. People do like money, ya know.

    Wake me when software devs are scrambling away from software development to get more money doing security, LOL. If you're in IT security, you can get nearly a 50% pay raise by doing nearly anything else in IT other than help desk phone answerer. I wonder if that might contribute to the "shortage".
