Splunk CTO Urges Collaboration Against Cyberattacks - And 'Shapeshifting' Networks (itwire.com)
"The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense," says the CTO of Splunk -- because the labor is cheap, the tools are free, and the resources are stolen. "He says what's needed to bring down the cost of defense is collaboration between the public sector, academia and private industry...the space race for this generation," reports Slashdot reader davidmwilliams.
Splunk CTO Snehal Antani suggests earlier "shift left" code testing and continuous delivery, plus a wider use of security analytics. But he also suggests a moving target defense "in which a shapeshifting network can prevent reconnaissance attacks" with software defined networks using virtual IP addresses that would change every 10 seconds. "This disrupts reconnaissance attacks because a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another."
Re: (Score:2)
It's getting so bad that I can see a forced implementation: Either switch or you're un-connected until you do. Set a switch date and enforce it. Thing is, will IPv6 really be the fix needed? I don't see how anything short of hardware built specifically for security on a secure network can be secure.
Re: (Score:2)
IPv6 is a very typical problem, in that if you continue to ignore it, it will eventually go away.
1/100th the cost? (Score:3)
Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.
Re: (Score:2)
Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.
I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).
Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.
Starting to wonder if this needs to be a change in mentality where insurance companies are the ones
Re: (Score:1)
Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.
I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).
Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.
Starting to wonder if this needs to be a change in mentality where insurance companies are the ones who should be insisting on CISOs.
Target lost a shit ton of customers, not to mention they closed stores due to people abandoning them during the holidays last year.
$5,000 steel safe vs $25 demolition saw rental (Score:2)
The claim is that breaking security is cheaper than creating security. For $5,000, I can buy a steel safe reinforced with concrete. For $25, I can rent a saw designed for cutting steel and concrete.
Breaking things has always been cheaper than building them, and probably always will be. As you hinted, that's the wrong comparison. The comparison that drives decisions is:
A) The cost to avoid a breach (the cost of security at a given level).
Vs
B) The cost of having a breach (reputation, down time, etc).
In alm
Coming from an information security academic (Score:2, Informative)
What he proposes is infeasible.
Think about a simple shopping trip to Amazon. If your DNS cache is wrong after 9.2 seconds, how are you going to maintain your session long enough to finish your purchase?
The CTO here is confused as to how virtual IP addresses work. The virtual IP doesn't change, the actual IP of the servers in the cluster does. Without a reasonably constant IP, the availability portion of the CIA triad does not exist.
Secondly, "reconnaissance attacks"- footprinting, is reasonably handled with
Re:Coming from an information security academic (Score:5, Interesting)
Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.
The day his company creates something useful maybe I will pay attention to him.
Re: (Score:2)
We have terabytes of logs in Splunk, and the servers are some of the biggest we have for utilities, something like 64GB RAM and who knows how many cores. Performance is usually bad, unless you just use the same dashboards over and over.
For correlations across a large number of devices Splunk works (slowly) as long as no fields are added or reordered too often.
So yeah, if you want to count useragents in Apache logs or do pie charts to show hits per url, you can do that. And you can add plugins to have heatma
Re: (Score:1)
Sounds like you do not have your build set up correctly. If you scale out Splunk correctly, three 8-core / 8 GB RAM boxes in a Search head cluster can pull MILLIONS of records in seconds. We went from 2 indexers and one search head to an Index cluster and Search head cluster, and noticed a 1000% increase in performance. Also pulling in billions of log records a day with no issues. All of our indexers are recycled servers that were EOL.
Re: (Score:2)
Well, it has been installed and configured by their Professional Services and they're the one tuning and upgrading it.
Yes you can pull a billion records as long as you're using the same queries over and over, and as long as your log file structure doesn't change. But those are lab/demo conditions, in real life things don't happen like that.
Re: (Score:1)
It seems you do not understand how Splunk runs entirely. Running the same searches over and over does nothing to improve performance. It's when you "accelerate" them or add them to a summary index that speeds it up. In a VERY real world environment, I search millions of records many times an hour, depending on what I am looking for or the request I get. Some of these are even over several (or all) of my indexes. Currently my install averages 130 million records a day, from about 15 different source fe
Re: (Score:1)
Other folks here have provided insight and commentary that you likely have no clue as to what you are talking about, but who doesn't love a dogpile?
I have implemented MANY very large Splunk and ELK implementations. ELK will almost always ask for MORE hardware to get search performance. I agree that ELK scales out more quickly, but far less efficiently than Splunk does. If your sole criteria is search speed and you have unlimited hardware capacity then ELK is the way to go.
However, doing calculations on the
Re: (Score:2)
You mention yourself a flock of FOSS products that are vastly superior to Splunk, but somehow in your organization it's a daunting task to manage multiple configuration files so you buy Splunk instead. I'm guessing that you're mostly a Windows guy.
So let's agree that Splunk is an overpriced regex script with a lousy web frontend, sub-par command line capabilities and slow, row-by-row transformation features, but comes with a convenient central config file. If your use cases are satisfied with these limitati
Re: (Score:1)
Actually, I understand exactly what a Search Head cluster (put it behind a Load Balancer to handle the traffic, not the DNS round robin) with multiple Search Heads does. It allows you to share all your user load over several servers, which does help performance, when some people are doing huge searches and some just want to watch a dashboard. Beyond that, not everyone understands that separating your apps over multiple search heads actually helps as well. DBConnect for instance, if you have that on a SH
Re: (Score:2)
The funny thing is that you can spend a day with Elasticsearch and Logstash and come up with the same thing for essentially free.
Re: (Score:2)
I've dealt with Splunk for almost 7 years now, saw it growing and evolving, and from a user point of view I can tell you that there are two types of people who like Splunk:
1) managers who like the pie charts and dashboards
2) people who spend their days in the web console, mastering the proprietary syntax for search
Anyone else tend to try a few times then give up and access the log files directly. And if their only access is via Splunk they hate you.
It sucks because not only do you need to know the magical k
Re: (Score:2)
No, my primary complaint is that it sucks. I've had the "pleasure" of learning and using the proprietary query language and the half-baked API, that's why I'm comfortable to say that it's a piece of shit.
I also had the opportunity to work extensively with the dashboarding tools, and those make SharePoint look like a marvel of UX engineering.
Re: (Score:2)
Your office buys an expensive product you claim sucks and is never used
Yes, that's very common in large organizations. In order to save $50 per quarter they will buy cheap whiteboard markers that stop working within minutes of being pulled from the box, and at the same time they will have no problem buying expensive "enterprise" software with annual licenses more expensive than a condo because it's in Gartner's magic quadrant for whatever buzzword they heard at a conference. Then they bring in the vendor to do an implementation that never works, and if you're lucky the project
Re: (Score:2)
Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.
You forgot: grep, sed, perl, crontab and bunch of other tools. I'm sorry, but you have no comprehension of scale. The normal *nix tools are good enough at what they do for individual files, but once your infrastructure grows beyond a handful of hosts, the management becomes a major pain in the ass. I guess you've never even contemplated having to solve the issues like "Something weird happened in one of 20 application servers some time last week when user X logged in."
Just because you don't like a certain t
Re: (Score:2)
I have a slightly different take on it - Splunk sucks because of their licensing and cost, not the tech. The tech is merely "ok".
If I'm spending money for log aggregation and searching, I'd be throwing that money towards SumoLogic.
If I'm not spending money, then it's Elasticsearch / Logstash / Kibana, which still works better than Splunk most of the time, without the thing holding my data hostage if we should actually have servers logging things and overrun the daily quota.
Re: (Score:2)
That's because the value-add that Splunk gives you is the draconian and super expensive licensing quotas. Oh, your servers did more than your per-day data allotment? Well, you better call us and get a code so that you can look at any of your logs at all. And yes, if you do that more than a few times, we're charging you more.
Fuck Splunk.
Re: (Score:2)
It's also like that with TeamCity: annual license per agent (which runs on your own machine) and only 1 concurrent build per agent. So essentially they force you to pay for rush hour usage.
Meanwhile Jenkins is free and scales a lot better.
Re: (Score:2)
Apparently *you* care.
Re: (Score:2)
There is plenty of snake oil within the security industry. It does not matter if it is feasible or not as long as you can sell it.
Security is nothing more than another form of insurance. In other words, it is essentially a snake oil industry, built on a foundation of FUD sales tactics, not unlike the insurance industry. This is why it continues to be very difficult to justify and implement, regardless of perceived or actual risk.
Isn't it easier... (Score:2)
...to keep them out of your network in the first place?
The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.
Which leads us back to firewalls and IDS and such.
Godel's hand reaches from the grave (Score:3)
...to keep them out of your network in the first place?
The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.
Which leads us back to firewalls and IDS and such.
Shape-shifting has to "bottom out" somewhere with known addresses, and that's where you're going to be vulnerable. You can test this now with low TTL DNS servers and (assuming your TTL is respected) you just send the traffic over to the new destination. If he's referring to external services, that about covers it. If it's external access to internal networks, then why are you running IPv6? Use NAT and a FW like everyone else and get that stuff off the internet. If he's referring to internal services, they'r
Re: (Score:2)
"The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access"
Internally available systems have to have known addresses for access too: "a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another." funny if you try to get a CIFS mount point out of your mainframe instead of your Windows server.
Re: (Score:2)
I think the easiest fix would be to stop spoofed packets at the egress border router.
This would eliminate reflection attacks and a whole lot of other nastiness.
Of course, this would require every ISP to get on board and not let packets which do not belong to their IP space to leave their network.
I currently do this for our small network. No spoofed packets can leave our network. I am trying to do my small part in case any of our computers become compromised.
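The egress filtering the commenter above describes is the BCP 38 idea: a packet leaving your network whose source address is not one of your own prefixes is spoofed and should be dropped, and the mirror-image check on ingress (an outside packet claiming one of your addresses) catches the reflected half. The following is an added example, not code from the thread or from any vendor; the prefixes (RFC 5737 / RFC 3849 documentation ranges), the interface names "lan" and "wan", and the sample packets are all constructed for illustration.

```python
"""BCP 38 style source-address validation, demonstrated on constructed packets.

Added example; not from the original thread. Prefixes and interface names
are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes this site legitimately originates traffic from (assumed values).
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # IPv4 documentation range
    ipaddress.ip_network("2001:db8:1::/48"),  # IPv6 documentation range
]


@dataclass(frozen=True)
class Packet:
    src: str    # source address as text
    dst: str    # destination address as text
    iface: str  # interface the packet arrived on: "lan" (inside) or "wan" (outside)


def is_ours(addr: str) -> bool:
    """True if addr falls inside one of our prefixes (mixed IP versions just miss)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def decide(pkt: Packet) -> tuple[str, str]:
    """Return ("accept" | "drop", reason) for a forwarded packet.

    Egress (lan -> wan): source must be ours, otherwise a host inside is
    spoofing (the usual start of a DNS/NTP reflection attack).
    Ingress (wan -> lan): a packet from outside cannot legitimately carry one
    of our addresses as its source, so drop it as well.
    """
    try:
        ours = is_ours(pkt.src)
    except ValueError:
        return "drop", "unparseable source address"
    if pkt.iface == "lan":
        if not ours:
            return "drop", "egress: spoofed source not in our prefixes"
        return "accept", "egress: source is ours"
    if pkt.iface == "wan":
        if ours:
            return "drop", "ingress: outside packet claims our address"
        return "accept", "ingress: external source"
    return "drop", "unknown interface"


def filter_packets(packets):
    """Apply decide() to each packet; returns a list of (packet, verdict, reason)."""
    return [(p, *decide(p)) for p in packets]


def count_drops(packets) -> int:
    return sum(1 for _, verdict, _ in filter_packets(packets) if verdict == "drop")


def nft_rules(lan_if: str = "lan") -> str:
    """Render the same policy as illustrative nftables rules (check against your nft version)."""
    v4 = ", ".join(str(n) for n in OUR_PREFIXES if n.version == 4)
    v6 = ", ".join(str(n) for n in OUR_PREFIXES if n.version == 6)
    return "\n".join([
        f'iifname "{lan_if}" ip saddr != {{ {v4} }} drop',
        f'iifname "{lan_if}" ip6 saddr != {{ {v6} }} drop',
    ])


# Constructed sample traffic: two legitimate flows and two spoofed ones.
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.9", "lan"),    # normal outbound
    Packet("198.51.100.9", "192.0.2.53", "lan"),     # inside host spoofing an outside source
    Packet("192.0.2.5", "203.0.113.7", "wan"),       # normal inbound
    Packet("203.0.113.7", "203.0.113.1", "wan"),     # outside packet claiming our address
    Packet("2001:db8:1::5", "2001:db8:ffff::1", "lan"),  # normal IPv6 outbound
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets(SAMPLE):
        print(f"{pkt.iface:3} {pkt.src:>16} -> {pkt.dst:<16} {verdict:6} {reason}")
    print(nft_rules())
```

The check is deliberately per-prefix rather than per-host so that it keeps working as machines move around inside the site; what it needs from the operator is only an accurate list of the addresses the site actually originates, which is the same list an ISP would need to enforce this at its own edge.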
buzzword collection (Score:2)
Perhaps Snehal Antani's original ideas were interesting, but linked article turns everything into a buzzword collection that makes little sense.
Spare your time, skip article. Slashdot summary contains all relevant information.
Possible reduction in attacks (Score:2)
Put together a special forces team to find the hackers and then make a video of them being lowered slowly feet first into tree shredders and publish the video online.
Buzzword salad (Score:2)
Seriously, Splunk is probably the most expensive SIEM out there, so for him to bitch about costs rings hollow to me. Bring the price down on your shit before lecturing me on costs.
Networks nobody can debug anymore. Great! (Score:2)
Sounds like somebody is pushing an utterly stupid and destructive idea to earn a lot of money.
rotate shield frequencies.... (Score:1)
This sounds like rotating shield frequencies every 10 seconds to keep the borg from adapting. I saw that episode of Star Trek: V'ger, they end up adapting
Hey anonymous (Score:1)
Can we ddos any and all people that use the word cyber in any context? I'm willing to take the first hit if it will start a trend.
"We need to bring down the cost of defense" (Score:2)
Does that mean Splunk will no longer charge you through the nose for every fart you might want to pass through their software?
Didn't think so.
Preaching water, drinking wine, thanks, but we have enough assholes that already do that, we'd much appreciate if you just kept your mouth shut, Snehal.
Seems fitting. (Score:1)
You've got to be fucking kidding. (Score:3)
And now you've got to shell out for an SDN infrastructure, too.
That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.
That's just one example, the more I think about it leads me to downgrade my opinion to "dumbass".
J-.
Re: (Score:1)
And now you've got to shell out for an SDN infrastructure, too.
That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.
That's just one example, the more I think about it leads me to downgrade my opinion to "dumbass".
J-.
Let's invest. I'll bet we can make millions off the stock before people see through this vaporware idea!!!
More corporate welfare (Score:2)
"the space race for this generation" (Score:2)
Further Explanation (Score:1)