Tag Archives: Security

Arista CloudVision gets multi-cloud, NSX security features

Arista Networks has added to its CloudVision management console the ability to apply security policies across virtualized switching fabrics running on Amazon Web Services, Google Cloud and Microsoft Azure.

Arista also introduced this week an integration between Arista CloudVision and NSX, VMware’s software for provisioning virtualized networks. The combination lets engineers take security policies created in NSX and apply them to Arista switches running in the data center.

The latest features come about a year after Arista introduced a virtualized version of its network operating system, called vEOS, for AWS, Google and Azure. At the time, Arista added some vEOS controls to CloudVision, which competes with Cisco CloudCenter.

The new multi-cloud feature within Arista CloudVision lets engineers modify the access control lists (ACLs) in vEOS switches, said Jeff Raymond, vice president of EOS product management. The capability, which the vendor calls Zone Segmentation Security, eliminates having to worry about the unique security mechanisms in each of the three public clouds.

Companies often create virtual networks in the public clouds to deliver security, load balancing and other services to applications. Amazon and Google call the networks Virtual Private Clouds (VPCs) while Microsoft refers to them as virtual networks (VNet).

Arista has integrated its Zone Segmentation feature with Zscaler’s cloud-based web gateway. The integration lets companies use Zscaler to apply security policies for traffic heading from a campus network or remote office to the cloud provider. Arista CloudVision applies policies to traffic flowing between and within virtual networks.

Overall, Arista is using CloudVision to address a trend toward more collaboration between corporate networking and security teams, said Shamus McGillicuddy, an analyst at Enterprise Management Associates, based in Boulder, Colo. A recent EMA survey found that 91% of security and network infrastructure teams were working together using shared or integrated tools.

The latest Arista offerings also show the vendor recognizes its customers need security that stretches from the private data center to the public cloud, said Bob Laliberte, an analyst at Enterprise Strategy Group, based in Milford, Mass. “Building out a strong security ecosystem will be critical, and delivering a capable management platform for hybrid cloud environments will be important for its customers to effectively manage those hybrid environments.”

VMware NSX integration with Arista CloudVision

The NSX integration bridges the gap between VMware virtual networks and Arista physical switches in the data center. With CloudVision, engineers will be able to take security policies created for NSX environments and apply them to workloads running on the hardware.

NSX policies define the network resources accessible to groups of workloads and applications running on the virtual network. CloudVision applies those policies to an Arista fabric by converting them into a format that can become a part of the switch’s ACL.

As a result, engineers can save time by using just NSX for creating security policies, according to Raymond.

New hardware-based encryption in Arista routers

Finally, Arista plans to release four routers with built-in support for encryption standards. For the enterprise WAN, Arista embedded hardware-based IPSec in the 7020SRG for site-to-site virtual private networks. The router is a 10 GbE platform.

For the data center interconnect, Arista will provide MACsec encryption in the new 7280CR2M and the 7280SRAM. Both routers offer wire-speed encryption with 10 GbE and 100 GbE for up to 100 kilometers. For MACsec encryption up to 2,500 km, Arista introduced the 7280SRM, which has 200 GbE Coherent interfaces for metro and long-haul links.

Arista plans to release all the new technology by the end of September.

Arista sells its products primarily to tier-one and tier-two service providers, financial institutions and high-tech companies, including Microsoft, Amazon and Facebook.

Recently, however, the company has aimed some new hardware at enterprises with more mainstream data centers. In May, for example, the company introduced switches for the campus LAN.

SIEM evaluation criteria: Choosing the right SIEM products

Security information and event management products and services collect, analyze and report on security log data from a large number of enterprise security controls, host operating systems, enterprise applications and other software used by an organization. Some SIEMs also attempt to stop attacks in progress that they detect, potentially preventing compromises or limiting the damage that successful compromises could cause.

There are many SIEM systems available today, including light SIEM products designed for organizations that cannot afford or do not feel they need a fully featured SIEM added to their current security operations.

Because light SIEM products offer few capabilities and are much easier to evaluate, they are out of the scope of this article. Instead, this feature points out the capabilities of regular SIEMs and can serve as a guide for creating SIEM evaluation criteria, which merit particularly close attention compared to other security technologies.

It can be quite a challenge to figure out which products to evaluate, let alone to choose the one that’s best for a particular organization or team. Part of the evaluation process involves creating a list of SIEM evaluation criteria potential buyers can use to highlight important capabilities.

1. How much native support does the SIEM provide for relevant log sources?

A SIEM’s value is diminished if it cannot receive and understand log data from all of the log-generating sources in the organization. Most obvious is the organization’s enterprise security controls, such as firewalls, virtual private networks, intrusion prevention systems, email and web security gateways, and antimalware products.

It is reasonable to expect a SIEM to natively understand log files created by any major product or cloud-based service in these categories. If the tool does not, it should have no role in your security operations.

There are many SIEM systems available today, including light SIEM products designed for organizations that cannot afford or do not feel they need a fully featured SIEM added to their current security operations.

In addition, a SIEM should provide native support for log files from the organization’s operating systems. An exception is mobile device operating systems, which often do not provide any security logging capabilities.

SIEMs should also natively support the organization’s major database platforms, as well as any enterprise applications that enable users to interact with sensitive data. Native SIEM support for other software is generally nice to have, but it is not mandatory.

If a SIEM does not natively support a log source, then the organization can either develop customized code to provide the necessary support or use the SIEM without the log source’s data.

2. Can the SIEM supplement existing logging capabilities?

An organization’s particular applications and software may lack robust logging capabilities. Some SIEM systems and services can supplement these by performing their own monitoring in addition to their regular job of log management.

In essence, this extends the SIEM from being strictly a centralized log collection, analysis and reporting tool to also generating raw log data on behalf of other hosts.

3. How effectively can the SIEM make use of threat intelligence?

Most SIEMs are capable of ingesting threat intelligence feeds. These feeds, which are often acquired from separate subscriptions, contain up-to-date information on threat activity observed all over the world, including which hosts are being used to stage or launch attacks and what the characteristics of these attacks are. The greatest value in using these feeds is enabling the SIEM to identify attacks more accurately and to make more informed decisions, often automatically, about which attacks need to be stopped and what the best method is to stop them.

Of course, the quality of threat intelligence varies between vendors. Factors to consider when evaluating threat intelligence should include how often the threat intelligence updates and how the threat intelligence vendor indicates its confidence in the malicious nature of each threat.

4. What forensic capabilities can SIEM products provide?

Forensics capabilities are an evolving SIEM evaluation criteria. Traditionally, SIEMs have only collected data provided by other log sources.

However, recently some SIEM systems have added various forensic capabilities that can collect their own data regarding suspicious activity. A common example is the ability to do full packet captures for a network connection associated with malicious activity. Assuming that these packets are unencrypted, a SIEM analyst can then review their contents more closely to better understand the nature of the packets.

Another aspect of forensics is host activity logging; the SIEM product can perform such logging at all times, or the logging could be triggered when the SIEM tool suspects suspicious activity involving a particular host.

5. What features do SIEM products provide to assist with performing data analysis?

SIEM products that are used for incident detection and handling should provide features that help users to review and analyze the log data for themselves, as well as the SIEM’s own alerts and other findings. One reason for this is that even a highly accurate SIEM will occasionally misinterpret events and generate false positives, so people need to have a way to validate the SIEM’s results.

Another reason for this is that the users involved in security analytics need helpful interfaces to facilitate their investigations. Examples of such interfaces include sophisticated search capabilities and data visualization capabilities.

6. How timely, secure and effective are the SIEM’s automated response capabilities?

Another SIEM evaluation criteria is the product’s automated response capabilities. This is often an organization-specific endeavor because it is highly dependent on the organization’s network architecture, network security controls and other aspects of security management.

For example, a particular SIEM product may not have the ability to direct an organization’s firewall or other network security controls to terminate a malicious connection.

Besides ensuring the SIEM product can communicate its needs to the organization’s other major security controls, it is also important to consider the following characteristics:

  • How long does it take the SIEM to detect an attack and direct the appropriate security controls to stop it?
  • How are the communications between the SIEM and the other security controls protected so as to prevent eavesdropping and alteration?
  • How effective is the SIEM product at stopping attacks before damage occurs?

7. Which security compliance initiatives does the SIEM support with built-in reporting?

Most SIEMs offer highly customizable reporting capabilities. Many of these products also offer built-in support to generate reports that meet the requirements of various security compliance initiatives. Each organization should identify which initiatives are applicable and then ensure that the SIEM product supports as many of these initiatives as possible.

For any initiatives that the SIEM does not support, make sure that the SIEM product supports the proper customizable reporting options to meet your requirements.

Do your homework and evaluate

SIEMs are complex technologies that require extensive integration with enterprise security controls and numerous hosts throughout an organization. To evaluate which tool is best for your organization, it may be helpful to define basic SIEM evaluation criteria. There is not a single SIEM product that is the best system for all organizations; every environment has its own combination of IT characteristics and security needs.

Even the main reason for having a SIEM, such as meeting compliance reporting requirements or aiding in incident detection and handling, may vary widely between organizations. Therefore, each organization should do its own evaluation before acquiring a SIEM product or service. Examine the offerings from several SIEM vendors before even considering deployment.

This article presents several SIEM evaluation criteria that organizations should consider, but other criteria may also be necessary. Think of these as a starting point for the organization to customize and build upon to develop its own list of SIEM evaluation criteria. This will help ensure the organization chooses the best possible SIEM product.

Building on experience: a framework for cybersecurity policy

Each year, more and more governments are developing policies to address security challenges presented by an increasingly digitized world. And to support those efforts, I’m excited today to announce the release of Microsoft’s new Cybersecurity Policy Framework, a resource for policymakers that provides an overview of the building blocks of effective cybersecurity policies and that is aligned with the best practices from around the globe. Nations coming online today, and building their cybersecurity infrastructures, should not—and need not—be burdened with the stumbling blocks that characterized previous generations of cybersecurity policies. Instead, such nations should be empowered to leapfrog outdated challenges and unnecessary hurdles.

For years, Microsoft has worked with policymakers in advanced and emerging economies, and across many social and political contexts, to support the development of policies to address a wide range of cybersecurity challenges. This new publication captures and distills the important lessons learned from those years of experience partnering with governments. And as increasing numbers of countries wrestle with how to best address cybersecurity challenges, the Cybersecurity Policy Framework is an indispensable resource for the policymakers joining this work.

According to the last analysis provided by the United Nations, half of the countries on earth today either have or are developing national cybersecurity strategies. I have little doubt that in the next decade every single outstanding country will add its name to that list. And this trend highlights the importance of this new resource. The policies established today will impact how technologies are used for years to come and how safe or dangerous the online world becomes for all of us. Truly, there is no going back, only forward.

The Cybersecurity Policy Framework is not one-stop shopping for cybersecurity policymakers, but it does serve as an important “umbrella document,” providing a high-level overview of concepts and priorities that must be top of mind when developing an effective and resilient cybersecurity policy environment.

Specifically, this new resource outlines:

  • National strategies for cybersecurity.
  • How to establish a national cyber agency.
  • How to develop and update cybercrime laws.
  • How to develop and update critical infrastructure protections.
  • International strategies for cybersecurity.

We at Microsoft have been at this work for a long time and have developed a wide variety of resources to help those who are working to position their industries and nations to capitalize on the benefits of new technologies—so many that they can often be difficult to find! And this highlights another strength of the Cybersecurity Policy Framework, while it is not one-stop shopping, each section does provide an overview of a critical policy topic as well as links to the associated and more in-depth resources my team has developed over the years to assist policymakers. In this way, this new resource serves not only as essential, high-level guidance, but also as a key to a broader catalogue of resources built on years of experience partnering with governments around the world.

Reading through this new resource, I am proud of the work we have done in pursuit of a safer online world. Important progress has been made and these foundational principles underscore much today’s cybersecurity discourse. However, we have—and will always have—more work to do as a result of the changes and innovations in technology always on the horizon, and their implications for cybersecurity. I’m glad to put this resource forward today to support a new generation of policymakers and also look forward to partnering with them to tackle the new challenges we will face together tomorrow.

Download your copy of the Cybersecurity Policy Framework today.

For Sale – AMD FX 8320, 990FX + 8GB + internet security

I’m open to offers on all items
PRICES NOW INC P&P

Bullguard Internet Security Activation Code £10

AMD FX 8320 with cooler
asus sabertooth 990fx r2.0
8gb Corsair Dominator RAM

£130 inc P&P open to offers

Watercooling parts
All parts are used, have taken out of a working loop.

Phobya Balancer 250 silver nickel
Now £17 inc P&P

[​IMG]

Price and currency: £10 £130
Delivery: Delivery cost is included within my country
Payment method: Bank or Paypal Gift
Location: Rotherham
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

Juniper boosting performance of SRX5000 firewall for IoT, 5G

Juniper Networks has introduced a security acceleration card that boosts the performance of the company’s SRX5000 line of firewalls to future-proof the data centers of service providers, cloud providers and large enterprises.

Juniper designed the services processing card, SPC3, for organizations anticipating large data flows from upcoming multi-cloud, internet-of-things and 5G applications. Besides meeting future demand, the SPC3 can also accommodate current traffic increases due to video conferencing, media streaming and other data-intensive applications.

The SPC3 multiplies performance up to a factor of 11 across key metrics for the SRX5000 line, Juniper said. Organizations using the Juniper SPC2 can upgrade to the SPC3 without service interruptions.

What’s in the SRX5000 line?

The SRX5000 line’s security services include a stateful firewall, an intrusion prevention system, unified threat management and a virtual private network. Network operators manage security policies for SRX5000 hardware through Juniper’s Junos Space Security Director.

With the addition of an SPC, the SRX5000 line can support up to 2 Tbps of firewall throughput. The line’s I/O cards offer a range of connectivity options, including 1 Gigabit Ethernet, 10 GbE, 40 GbE and 100 GbE interfaces.

Security is one area Juniper has reported quarterly revenue growth while overall sales have declined. For the quarter ended June 30, Juniper reported last month revenue from its security business increased to $79.5 million from $68.7 million a year ago.

However, overall revenue fell 8% to $1.2 billion, and the company said sales in the current quarter would also be down. Nevertheless, the company expects to return to quarterly revenue growth in the fourth quarter.

Microsoft’s Top 100 Security Researchers – Black Hat 2018 Edition

This morning we are excited to unveil the security researcher leaderboard at the Black Hat Security Conference.  This list recognizes the top security researchers who have contributed research to the Microsoft products and services.  If you are curious on how we build the list, check out our blog from last week on The Making of the Top 100 Researcher List

We appreciate all the work and partnerships with the security community over the years.  This is a good annual reflection point on the past year’s contributions.  Keep up the great work and we look forward to hearing from you this year too.

Microsoft’s Top 100 Security Researcher List

Ranking Researcher Name
1 Ashar Javed
2 Junghoon Lee
3 Yuki Chen
4 Cameron Vincent
5 Richard Shupak
6 Suresh Chelladurai
7 MaoFeng Ran
8 Mateusz Jurczyk
9 Ivan Fratric
10 Gal De Leon
11 Jaanus Kääp
12 James Forshaw
13 Kai Song
13 Hui Gao
15 Andreas Sandblad
16 Ajay Kulal
17 Yeivin Nadav
18 Fan Xiaocao
19 Liu Long
20 Zhang Yunhai
21 Dmitri Kaslov
22 Marcin Towalski
23 Qixun Zhao
24 Wayne Low
25 Huang Anwen
26 Dhanesh Kizhakkinan
27 Peter Hlavaty
28 Simon Zuckerbraun
29 Xiao Wei
30 Yassine Nafiai
31 Alex Ionescu
32 WenQunWang
32 Debasish Mandal
34 Ismail Talib
35 Cem Karagun
36 Adrian Ivascu
36 Ahmed Jerbi
38 Kdot
39 Zhong Zhaochen
40 Hung Huynh
40 Rancho Han
42 Jens Muller
43 Linan Hao
43 Lucas Leong
43 Ying Xinlei
43 J00Sean
47 Hamza Bettache
48 Aradnok
48 Zhou Yu
50 Mohamed Hamed
51 Vikash Chaudhary
52 Alec Blance
53 Zhenhuan Li
54 Xiong Wenbin
54 Richard Zhu
56 Minh Tran
57 Frans Rosen
57 Steven Seeley
59 Mario Gomes
60 Matt Nelson
61 Zhang Sen
62 Scott Bell
62 Honggang Ren
62 Ke Liu
63 Nethaniel Gelernter
63 Vladislav Stolyarov
67 Ivan Vagunin
67 Mustafa Hasan
69 SaifAllah Massaoud
70 Adesh Nandkishor Kolte
70 Roman Blachman
70 Omair
73 Tao Yan
73 Giwan Go
73 Nick Freeman
76 Amal Mohandas
77 Lucas Moreira Giungi
78 Marcin Wiazowski
79 Adam Bauer
79 Oleksandr Mirosh
79 Yangkang
79 Wanglu
79 Yong Chuan Koh
79 Jin Chen
79 Rgod
79 Ding Maoyin
79 Song Shenlei
88 Jovon Itwaru
88 Hungtt28
90 Abdulrahman Alqabandi
90 Christian Holler
92 Arik Isik
92 Manish Kumar Gupta
92 Kévin Chalet
92 Linang Yin
96 Ahmed Radi
97 Guangmingliu
97 Amir Shaahin
97 Omair Ahmed
97 nyaacate

Phillip Misner,

Principal Security Group Manager

Microsoft Security Response Center

For Sale – AMD FX 8320, 990FX + 8GB + internet security

I’m open to offers on all items
PRICES NOW INC P&P

Bullguard Internet Security Activation Code £10

AMD FX 8320 with cooler
asus sabertooth 990fx r2.0
8gb Corsair Dominator RAM

£130 inc P&P open to offers

Watercooling parts
All parts are used, have taken out of a working loop.

Phobya Balancer 250 silver nickel
Now £17 inc P&P

[​IMG]

Price and currency: £10 £130
Delivery: Delivery cost is included within my country
Payment method: Bank or Paypal Gift
Location: Rotherham
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

SIEM benefits include efficient incident response, compliance

Security information and event management systems collect security log events from numerous hosts within an enterprise and store their relevant data centrally. By bringing this log data together, these SIEM products enable centralized analysis and reporting on an organization’s security events.

SIEM benefits include detecting attacks that other systems missed. Some SIEM tools also attempt to stop attacks — assuming the attacks are still in progress.

SIEM products have been available for many years, but initial security information and event management (SIEM) tools were targeted at large organizations with sophisticated security capabilities and ample security analyst staffing. It is only relatively recently that SIEM systems have emerged that are well-suited to meet the needs of small and medium-sized organizations.

SIEM architectures available today include SIEM software installed on a local server, a local hardware or virtual appliance dedicated to SIEM, and a public cloud-based SIEM service.

Different organizations use SIEM systems for different purposes, so SIEM benefits vary across organizations. This article looks at the three top SIEM benefits, which are:

  • streamlining compliance reporting;
  • detecting incidents that would otherwise not be detected; and
  • improving the efficiency of incident handling

1. Streamline compliance reporting

Many organizations deploy the tools for these SIEM benefits alone, including streamlining enterprise compliance reporting efforts through a centralized logging solution. Each host that needs to have its logged security events included in reporting regularly transfers its log data to a SIEM server. A single SIEM server receives log data from many hosts and can generate one report that addresses all of the relevant logged security events among these hosts.

An organization without a SIEM system is unlikely to have robust centralized logging capabilities that can create rich customized reports, such as those necessary for most compliance reporting efforts. In such an environment, it may be necessary to generate individual reports for each host or to manually retrieve data from each host periodically and reassemble it at a centralized point to generate a single report.

Many organizations deploy the tools for these SIEM benefits alone, including streamlining enterprise compliance reporting efforts through a centralized logging solution.

The latter can be incredibly difficult, in no small part because different operating systems, applications and other pieces of software are likely to log their security events in various proprietary ways, making correlation a challenge. Converting all of this information into a single format may require extensive code development and customization.

Another reason why SIEM tools are so useful is that they often have built-in support for most common compliance efforts. Their reporting capabilities are compliant with the requirements mandated by standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act.

By using SIEM logs, an organization can save considerable time and resources when meeting its security compliance reporting requirements, especially if it is subject to more than one such compliance initiative.

2. Detect the undetected

SIEM systems are able to detect otherwise undetected incidents.

Many hosts that log security breaches do not have built-in incident detection capabilities. Although these hosts can observe events and generate audit log entries for them, they lack the ability to analyze the log entries to identify signs of malicious activity. At best, these hosts, such as end-user laptops and desktops, might be able to alert someone when a particular type of event occurs.

SIEM tools offer increased detection capabilities by correlating events across hosts. By gathering events from hosts across the enterprise, a SIEM system can see attacks that have different parts on different hosts and then reconstruct the series of events to determine what the nature of the attack was and whether or not it succeeded.

In other words, while a network intrusion prevention system might see part of an attack and a laptop’s operating system might see another part of the attack, a SIEM system can correlate the log data for all of these events. A SIEM tool can determine if, for example, a laptop was infected with malware which then caused it to join a botnet and start attacking other hosts.

It is important to understand that while SIEM tools have many benefits, they should not replace enterprise security controls for attack detection, such as intrusion prevention systems, firewalls and antivirus technologies. A SIEM tool on its own is useless because it has no ability to monitor raw security events as they happen throughout the enterprise in real time. SIEM systems use log data as recorded by other software.

Many SIEM products also have the ability to stop attacks while they are still in progress. The SIEM tool itself doesn’t directly stop an attack; rather, it communicates with other enterprise security controls, such as firewalls, and directs them to block the malicious activity. This incident response capability enables the SIEM system to prevent security breaches that other systems might not have noticed elsewhere in the enterprise.

To take this a step further, an organization can choose to have its SIEM tool ingest threat intelligence data from trusted external sources. If the SIEM tool detects any activity involving known malicious hosts, it can then terminate those connections or otherwise disrupt the malicious hosts’ interactions with the organization’s hosts. This surpasses detection and enters the realm of prevention.

3. Improve the efficiency of incident handling activities

Another of the many SIEM benefits is that SIEM tools significantly increase the efficiency of incident handling, which in turn saves time and resources for incident handlers. More efficient incident handling ultimately speeds incident containment, thus reducing the amount of damage that many security breaches and incidents cause.

A SIEM tool can improve efficiency primarily by providing a single interface to view all the security log data from many hosts. Examples of how this can expedite incident handling include:

  • it enables an incident handler to quickly identify an attack’s route through the enterprise;
  • it enables rapid identification of all the hosts that were affected by a particular attack; and
  • it provides automated mechanisms to stop attacks that are still in progress and to contain compromised hosts.

The benefits of SIEM products make them a necessity

The benefits of SIEM tools enable an organization to get a big-picture view of its security events throughout the enterprise. By bringing together security log data from enterprise security controls, host operating systems, applications and other software components, a SIEM tool can analyze large volumes of security log data to identify attacks, security threats and compromises. This correlation enables the SIEM tool to identify malicious activity that no other single host could because the SIEM tool is the only security control with true enterprise-wide visibility.      

Businesses turn to SIEM tools, meanwhile, for a few different purposes. One of the most common SIEM benefits is streamlined reporting for security compliance initiatives — such as HIPAA, PCI DSS and Sarbanes-Oxley — by centralizing the log data and providing built-in support to meet the reporting requirements of each initiative.

Another common use for SIEM tools is detecting incidents that would otherwise be missed and, when possible, automatically stopping attacks that are in progress to limit the damage.

Finally, SIEM products can also be invaluable to improve the efficiency of incident handling activities, both by reducing resource utilization and allowing real-time incident response, which also helps to limit the damage.

Today’s SIEM tools are available for a variety of architectures, including public cloud-based services, which makes them suitable for use in organizations of all sizes. Considering their support for automating compliance reporting, incident detection and incident handling activities, SIEM tools have become a necessity for virtually every organization.

Bugcrowd CTO explains crowdsourced security benefits and challenges

Crowdsourced security can provide enormous value to enterprises today, according to Casey Ellis, but the model isn’t without its challenges.

In this Q&A, Ellis, chairman, founder and CTO of San Francisco-based crowdsourced security testing platform Bugcrowd Inc., talks about the growth of bug bounties, the importance of vulnerability research and the evolution of his company’s platform. According to the Bugcrowd “2018 State of Bug Bounty Report,” reported vulnerabilities have increased 21% to more than 37,000 submissions in the last year, while bug bounty payouts have risen 36%.

In part one of this interview, Ellis expressed his concerns that the good faith that exists between security researchers and enterprises is eroding and discussed the need for better vulnerability disclosure policies and frameworks. In part two, he discusses the benefits of crowdsourced security testing, as well as some of the challenges, including responsible disclosure deadlines and the accurate vetting of thousands of submissions.

Editor’s note: This interview has been edited for clarity and length.

When it comes to responsible vulnerability disclosure, do you think companies are at a point now where they generally accept the 90-day disclosure period?

Casey Ellis: No. No, I think technology companies are, but it’s very easy working in technology to see adoption by technology companies and assume that it’s normal now. I see a lot of people do that and I think it’s unwise, frankly.

I think that’s where we’ll end up eventually, and I think we’re moving toward that type of thing. But there are caveats in terms of, for example, complex supply chain products or vehicles or medical devices — the stuff that takes longer than 90 days to refresh and test, patch, and deploy out to the wild. The market is not used to that kind of pressure on public disclosure yet, but I think the pressure is a good thing.

The bigger problem is in terms of general vulnerability disclosure; that’s not accepted outside of the tech sector yet — at all, frankly.

There’s been a lot of talk about security automation and machine learning at RSA Conference again this year. Where do you see that going?

Ellis: It depends on your definition of automation at that point. Is it automation of decision-making or is it automation of leverage and reaching that decision?

For the customers, they just want to know what they need to go and fix. But we have to prioritize the submissions.
Casey EllisBugcrowd

Using Bugcrowd as an example, we’re heavy users of machine [learning] and automation within our platform, but we’re not doing it to replace the hackers. We’re doing it to understand which of the conversations we’re having as these submissions come in are most important. And we’re trying to get to the point where we can say, ‘Okay, this bug is less likely to be important than this other bug. We should focus on that first.’

For the customers, they just want to know what they need to go and fix. But we have to prioritize the submissions. We have to sit in front of that customer and have these conversations at scale with everyone who’s submitting, regardless of whether they’re very, very valuable in terms of the information or they’re getting points for enthusiasm but not for usefulness. It’s actually a fun and a valuable problem to solve, but it’s difficult.

How do you prioritize and rank all of the submissions you receive? What’s that process like?

Ellis: There’s a bunch of different things because the bug bounty economic model is this: The first person to find each unique issue is the one who gets rewarded for it. And then, the more critical it is, the more they get paid. And this is what we’ve been doing since day one because the premise was these are two groups of people that historically suck at talking to each other.

So we said we’re going to need to pull together a human team to help out, and then what we’ll do is we’ll learn from that team to build the product and make the product more effective as we go. It’s a learning loop that we’ve got internally, as well. And what they’re doing is, basically, understanding what’s a duplicate [submission], what’s out of scope and things like that. There are simple things that we can do from a filtering standpoint.

Duplicates get interesting because you have pattern matching and Bayesian analysis and different things like that to understand what the likelihood of a duplicate is. Those are the know things. Then there’s the heavy stuff — the critical importance, wake up the engineering team stuff.

There’s also a bunch of stuff we do in terms of analyzing the vulnerability against the corpus [of known vulnerabilities] to understand what that is, as well as who the submitter is. Because if they’re a notorious badass who comes in and destroys stuff and has a really high signal-to-noise ratio then, yes, that’s probably something that we should pay attention to.

There’s a bunch of really simple stuff or comparatively simple stuff that we can do, but then there’s a bunch of much more nuanced, complicated stuff that we have to work out. And then we’ve got the human at the end of [the process] because we can’t afford to get it wrong. We can’t say, no to something that’s actually a yes. The whole thing gets basically proofed, and then those learnings go back into the system and it improves over time.

Do you receive a lot of submissions that you look at and say, ‘Oh, this is nonsense, someone’s trying to mess with us and throw the process off’?

Ellis: Yes. There’s a lot of that. As this has grown, there are a bunch of people that are joining in for the first time, and some of them are actively trolling. But then, for every one of those, there are 10 that are just as noisy, but it’s because they think they’re doing the right thing even though they’re not.

If someone runs Nessus and then uploads a scan and says, ‘That’s a bug!’ then what we do at that point is we say, ‘No, it’s not. By the way, here are some different communities and education initiatives that we’ve got.’

We try to train them to see if they can get better because maybe they can. And if they’ve initiated that contact with us, then they’re clearly interested and enthusiastic, which is a great starting point because just because they don’t know how to be useful right now doesn’t mean they can’t be in the future. We give the benefit of the doubt there, but obviously, we have to protect the customer from having to deal with all of that noise.

When it comes to that noise in crowdsourced bug hunting, do you think those people are looking more at the reward money or the reputation boost?

Ellis: It’s usually both. Money is definitely a factor in bug bounties, but reputation is a huge factor, too. And it goes in two directions.

There’s reputation for the sake of ego, and they’re the ones that can get difficult pretty quickly, but then there’s also reputation for the sake of career development. And that’s something that we actually want to help them with. That’s been an initiative that we’ve had from day one, and a bunch of our customers actually have people in their security teams that they hired off the platform.

Jason Haddix [Bugcrowd vice president of trust and security] was number one on the platform before we hired him. We think this is actually a good thing in terms of helping address the labor shortage.

But, to your point, if someone comes in and says, ‘Oh, this is a quick way to get a high-paying career in cybersecurity,’ then we have to obviously temper that. And it does happen.

Last question: What activity on your platform has stood out to you lately?

Ellis: There’s a real shift toward people scaling up in IoT. We have more customers coming onboard to test IoT. I think the issue of IoT security and awareness around the fact that it’s something that should actually be addressed is in a far better state now than it was when IoT first kicked off years ago.

And the same thing that happened in web and mobile and automotive is happening in IoT. With IoT, it was ‘We don’t have the people [for security testing]. Okay, where are we going to get them?’ I think the crowd is reacting to that opportunity now and starting to dig into the testing for IoT.

And here’s the thing with IoT security: For starters, bugs that are silicon level or at a hardcoded level are probably out there, but the cost to find them and the value of having them [reported] hasn’t justified the effort being put in yet.

That’s usually not what people are talking about when they’re talking about IoT bugs. It’s usually either bugs that are CVEs [Common Vulnerabilities and Exposures] in the supply chain software that forms the operating system or bugs that are in the bespoke stuff that sits on top. And, usually, both of those things can be flushed and changed.

We’re not at the point where you’ve got a more common issue and you’re not able to change it ever. I assume that will happen at some point but, hopefully by the time we get there, people are going to be thinking about design with security more in mind for the first place, and all that older stuff will be at end-of-life anyway.

For Sale – AMD FX 8320, 990FX + 8GB + internet security

I’m open to offers on all items
PRICES NOW INC P&P

Bullguard Internet Security Activation Code £10

AMD FX 8320 with cooler
asus sabertooth 990fx r2.0
8gb Corsair Dominator RAM

£130 inc P&P open to offers

Watercooling parts
All parts are used, have taken out of a working loop.

Phobya Balancer 250 silver nickel
Now £17 inc P&P

[​IMG]

Price and currency: £10 £130
Delivery: Delivery cost is included within my country
Payment method: Bank or Paypal Gift
Location: Rotherham
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.