It’s a Sunday morning and I can’t help but try to mentally unravel some conundrums. These have been written in no particular order, just as they come to mind. Beware as I capture a view of the abyss inside me...
------
There is no shortage of social media feeds dedicated to incident response, social engineering, threat hunting, and malware reversing. There are a growing number around application security. Less so around patching. I’m sure they are out there, but I’ve struggled to find any broad social media coverage of policy governance that isn’t from vendors or others trying to sell things.
I sometimes think about the impact of session topics at security conferences. I’d swear that, anecdotally, 35-50% of the sessions have social engineering as the topic. Yet when I look at the details of recent major breaches, few if any of them seem to have been the result of social engineering (unless one loosely classifies spear phishing as a social engineering technique). Is this because the social engineering sessions are so effective, or because they’re not really relevant to real-world breaches?
Thinking through counterexamples: I’ve also seen a fair number of conference sessions on the OWASP Top 10 vulnerabilities over the years. The Top 10 list has been presented at security conferences for more than 10 years now. After all those conference sessions, I’m still at a loss to understand why the majority of the OWASP Top 10 vulnerabilities have not changed in at least ten years.
Perhaps what isn’t covered at security conferences might be important too. When was the last time you saw sessions on cloud forensics? Outside of Black Hat and vendor-specific demonstrations of tools, not really ever. Controlling privileges? Again, plenty of vendor demos for tools, but no one really walking through how they did it in their organizations.
Most new college grads that interview for open cyber security positions on my team seem to believe that there are only two jobs for them: working in a security operations center (SOC) performing shift work at a console or being a red team member. I don’t have either of those functions on my ten-person security team. Did I miss a memo?
How effective are many of the machine learning enabled security tools if they are being trained on an infrastructure in which privileges aren’t controlled? I’d guess that some of the things those tools label as normal on endpoints running as local admin likely aren’t too helpful.
---
Sundays are always the hardest days to try to make sense of the cyber security industry...
Follow me on Twitter for the latest blog updates: @Opinionatedsec1