Hello everyone,
I am Ammar Jaffri from Pakistan. I have forty-plus years of experience in IT / information security and cyber security. I have the honor of heading the government organization dealing with cyber issues in Pakistan (NR3C). In recognition of my services, ISC2 awarded me the first Leadership in Cyber Security award in 2007 (SLA Award in Bangkok).
I would like to focus on new challenges and new responses. Traditional security systems and techniques are failing fast, as criminals have learnt to bypass the controls. There is an urgent need to provide a mixed blend of SIEM / SIM logs and behavior-based hunting response by cyber experts. I would like to contribute in response to a discussion.
I like this topic, and congratulations on your experience and the recognition you have received for it. I also agree with your take that there's a need to be doing more on the 'active' side of security. I really enjoyed this whitepaper from Robert M. Lee on the Sliding Scale of Cyber Security, which also emphasizes the human element alongside tools in active defense:
Just some thoughts on your discussion,
I think there is a healthy cost balance that needs to be achieved; as you say, a mixed blend is required. The risk and business requirements always determine the controls, such as threat hunter teams.
Threat hunters need to live on the front lines of security research, attuned to the latest threats, methods and tactics. They need/want the latest tools, and need to go to hip hacking and infosec events and conferences and do the latest and greatest training courses. There are only so many people with the talent and mentality to be effective.
From my perspective, the success of a threat hunting team is highly dependent on the human resource factor. An efficient threat hunting team would, I expect, cost lots of money. However, there is a dependency on the quality of the human resource; as they get certified and gain more experience, they will just jump ship for better wages and conditions. So where is the incentive to spend the budget on training them to such high skill levels? As the SANS Reading Room white paper highlights, the return of cost balance is a sliding scale that the business requirements and risk will dictate.
The tools are getting better, with AI learning and pattern recognition, and quick identification of credential misuse, which will reduce the human dependency a little and make proactive defence and threat hunting more affordable.
Till then, I believe the ability to deploy highly skilled threat hunting teams and other active defence on their network will not be typical. However, ultimately, regardless, the blue team will always be on the back foot, and it is still a game of catch-up; defence in depth stands true.
What are your thoughts on the disclosure of vulns and issues to the vendors, given that there is, on the deep and dark web, a vibrant exploit trade? The bug bounty programs such as HackerOne might be helping, but bad actors do have deep pockets?