Splunk CTO Urges Collaboration Against Cyberattacks - And 'Shapeshifting' Networks (itwire.com)

"The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense," says the CTO of Splunk -- because the labor is cheap, the tools are free, and the resources are stolen. "He says what's needed to bring down the cost of defense is collaboration between the public sector, academia and private industry...the space race for this generation," reports Slashdot reader davidmwilliams.

Splunk CTO Snehal Antani suggests earlier "shift left" code testing and continuous delivery, plus a wider use of security analytics. But he also suggests a moving target defense "in which a shapeshifting network can prevent reconnaissance attacks" with software defined networks using virtual IP addresses that would change every 10 seconds. "This disrupts reconnaissance attacks because a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another."
  • by hsmith ( 818216 ) on Sunday October 02, 2016 @07:05PM (#53001363)
    Depends on the industry. Yahoo? will pay $0 in fines for their breach. If you were a hospital you'd see $50k per patient, which adds up quite fast, and doesn't include stupid things like credit monitoring.

    Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.
    • by ark1 ( 873448 )
      Even when something happens, people pretend to care then go on with business as usual.
    • Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.

      I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).

      Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.

      Starting to wonder if this needs to be a change in mentality where insurance companies are the ones

      • Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.

        I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).

        Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.

        Starting to wonder if this needs to be a change in mentality where insurance companies are the ones who should be insisting on CISOs.

        Target lost a shit ton of customers, not to mention they closed stores due to people abandoning them during the holidays last year.

    • The claim is that breaking security is cheaper than creating security. For $5,000, I can buy a steel safe reinforced with concrete. For $25, I can rent a saw designed for cutting steel and concrete.

      Breaking things has always been cheaper than building them, and probably always will be. As you hinted, that's the wrong comparison. The comparison that drives decisions is:
      A) The cost to avoid a breach (the cost of security at a given level).
      Vs
      B) The cost of having a breach (reputation, down time, etc).

      In alm

  • by Anonymous Coward

    What he proposes is infeasible.

    Think about a simple shopping trip to Amazon. If your DNS cache is wrong after 9.2 seconds, how are you going to maintain your session long enough to finish your purchase?

    The CTO here is confused as to how virtual IP addresses work. The virtual IP doesn't change, the actual IP of the servers in the cluster does. Without a reasonably constant IP, the availability portion of the CIA triad does not exist.

    Secondly, "reconnaissance attacks"- footprinting, is reasonably handled with

    • by lucm ( 889690 ) on Sunday October 02, 2016 @07:39PM (#53001491)

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      The day his company creates something useful maybe I will pay attention to him.

      • by Mjlner ( 609829 )

        Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

        You forgot: grep, sed, perl, crontab and a bunch of other tools. I'm sorry, but you have no comprehension of scale. The normal *nix tools are good enough at what they do for individual files, but once your infrastructure grows beyond a handful of hosts, the management becomes a major pain in the ass. I guess you've never even contemplated having to solve issues like "Something weird happened in one of 20 application servers some time last week when user X logged in."

        Just because you don't like a certain t

        • I have a slightly different take on it - Splunk sucks because of their licensing and cost, not the tech. The tech is merely "ok".

          If I'm spending money for log aggregation and searching, I'd be throwing that money towards SumoLogic.

          If I'm not spending money, then it's Elasticsearch / Logstash / Kibana, which still works better than Splunk most of the time, without the thing holding my data hostage if we should actually have servers logging things and overrun the daily quota.

      • That's because the value-add that Splunk gives you is the draconian and super expensive licensing quotas. Oh, your servers did more than your per-day data allotment? Well, you better call us and get a code so that you can look at any of your logs at all. And yes, if you do that more than a few times, we're charging you more.

        Fuck Splunk.

        • by rhazz ( 2853871 )
          If you don't want to pay the licensing fee for the amount of data you're collecting, you could always trim what you're collecting to stay below the threshold?
    • by ark1 ( 873448 )
      There is plenty of snake oil within the security industry. It does not matter if it is feasible or not as long as you can sell it.
      • There is plenty of snake oil within the security industry. It does not matter if it is feasible or not as long as you can sell it.

        Security is nothing more than another form of insurance. In other words, it is essentially a snake oil industry, built on a foundation of FUD sales tactics, not unlike the insurance industry. This is why it continues to be very difficult to justify and implement, regardless of perceived or actual risk.

  • ...to keep them out of your network in the first place?

    The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.

    Which leads us back to firewalls and IDS and such.

    • ...to keep them out of your network in the first place?

      The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.

      Which leads us back to firewalls and IDS and such.

      Shape-shifting has to "bottom out" somewhere with known addresses, and that's where you're going to be vulnerable. You can test this now with low TTL DNS servers and (assuming your TTL is respected) you just send the traffic over to the new destination. If he's referring to external services, that about covers it. If it's external access to internal networks, then why are you running IPv6? Use NAT and a FW like everyone else and get that stuff off the internet. If he's referring to internal services, they'r

    • "The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access"

      Internally available systems have to have known addresses for access too: "a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another." Funny if you try to get a CIFS mount point out of your mainframe instead of your Windows server.

    • I think the easiest fix would be to stop spoofed packets at the egress border router.

      This would eliminate reflection attacks and a whole lot of other nastiness.

      Of course, this would require every ISP to get on board and not let packets which do not belong to their IP space to leave their network.

      I currently do this for our small network. No spoofed packets can leave our network. I am trying to do my small part in case any of our computers become compromised.
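
The egress filtering this comment describes, as an added example that is not code from the thread: a Python policy check for a border router that drops outbound packets whose source address is not in the network's own prefixes, and drops inbound packets that claim one of those prefixes. The prefixes and the sample flows are constructed from documentation address ranges; a real deployment expresses the same rule in router ACLs or unicast RPF rather than in Python.

```python
"""Two-sided anti-spoofing filter in the spirit of BCP 38 (policy check only)."""
import ipaddress

# Constructed example: the prefixes this network legitimately originates.
# RFC 5737 / RFC 3849 documentation ranges stand in for a real allocation.
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

def is_ours(src, our_prefixes=OUR_PREFIXES):
    """True if the source address lies inside one of our own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: not ours, so the caller fails closed
    return any(addr in net for net in our_prefixes)

def verdict(direction, src, our_prefixes=OUR_PREFIXES):
    """Decide forward/drop for one packet at the border router.
    out: only sources we own may leave (egress filtering, as in the comment);
    in:  a packet from upstream claiming one of our own sources is spoofed."""
    if direction == "out":
        return "forward" if is_ours(src, our_prefixes) else "drop"
    if direction == "in":
        return "drop" if is_ours(src, our_prefixes) else "forward"
    return "drop"  # unknown direction: fail closed

def filter_flows(flows, our_prefixes=OUR_PREFIXES):
    """Apply the policy to (direction, src, dst) records; append each verdict."""
    return [(d, s, dst, verdict(d, s, our_prefixes)) for d, s, dst in flows]

# Constructed sample flows seen at the border (not captured traffic).
SAMPLE_FLOWS = [
    ("out", "203.0.113.7", "198.51.100.1"),         # legitimate outbound
    ("out", "10.0.0.5", "198.51.100.1"),            # leaked private source
    ("out", "192.0.2.9", "198.51.100.53"),          # spoofed source (reflection style)
    ("out", "2001:db8:1::10", "2001:db8:ffff::1"),  # legitimate IPv6 outbound
    ("in", "203.0.113.7", "203.0.113.80"),          # inbound claiming our own address
    ("in", "198.51.100.1", "203.0.113.80"),         # normal inbound
    ("out", "not-an-ip", "198.51.100.1"),           # garbage source
]

if __name__ == "__main__":
    for record in filter_flows(SAMPLE_FLOWS):
        print("%-4s %-16s -> %-16s %s" % record)
```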

  • Perhaps Snehal Antani's original ideas were interesting, but the linked article turns everything into a buzzword collection that makes little sense.

    Save your time and skip the article. The Slashdot summary contains all the relevant information.

  • Put together a special forces team to find the hackers and the make a video of them being lowered slowly feet first into tree shredders and publish the video online.

  • Seriously, Splunk is probably the most expensive SIEM out there, so for him to bitch about costs rings hollow to me. Bring the price down on your shit before lecturing me on costs.

  • Sounds like somebody is pushing an utterly stupid and destructive idea to earn a lot of money.

  • This sounds like rotating shield frequencies every 10 seconds to keep the Borg from adapting. I saw that episode of Star Trek: V'ger, they end up adapting.

  • by Anonymous Coward

    Can we DDoS any and all people that use the word cyber in any context? I'm willing to take the first hit if it will start a trend.

  • Does that mean Splunk will no longer charge you through the nose for every fart you might want to pass through their software?

    Didn't think so.

    Preaching water, drinking wine, thanks, but we have enough assholes that already do that, we'd much appreciate if you just kept your mouth shut, Snehal.

  • 1) Dodge 2) Duck 3) Dip 4) Dive 5) Dodge. ... 2) Duck 3) Dip 4) Dive 5) Dodge. Remember the 5 D's of dodgeball! That's the key to victory.
  • by thermowax ( 179226 ) on Monday October 03, 2016 @08:41AM (#53003731)

    And now you've got to shell out for an SDN infrastructure, too.

    That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.

    That's just one example; the more I think about it, the more it leads me to downgrade my opinion to "dumbass".

    J-.

    • And now you've got to shell out for an SDN infrastructure, too.

      That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.

      That's just one example; the more I think about it, the more it leads me to downgrade my opinion to "dumbass".

      J-.

      Let's invest. I'll bet we can make millions off the stock before people see through this vaporware idea!!!

  • "Collaboration between public and private sectors" is word salad that really means he wants taxpayers to fund his enterprise and lifestyle.
  • Then I guess this generation is well and truly f*cked!
  • Thanks for all of the comments. Let me further explain, and I'm excited to hear more ideas from the community on the topic. First, to clarify the point I made about collaboration across public sector, academia, and private sector. Government agencies like DHS, NSA's IAD, universities like MIT's CSAIL, and hundreds of private sector companies are doing some amazing work in the area of breach detection, incident response, and security analytics. The challenge is that these efforts aren't synchronized or coord
