Re: [Dailydave] So, the security industry has given up on the principles of least privilege and separation?

From: Bob Mahoney (bobzanshinsecurity.com)
Date: Tue Feb 17 2009 - 11:14:02 CST


In 2006, my company did a project for Dan, looking at the possibility
of crafting a zero-day deflecting rule set for the Verdasys Digital
Guardian product.

Dan allowed me to present an overview of the work at MIT's "Security
Camp" that summer, along with my thoughts on how the product might
enhance/improve incident response capability. PDF version, with
speaker's notes, but w/o clever animation, is available at:

        http://www.zanshinsecurity.com/archive/Zanshin-DigitalGuardian-IR.pdf

Targeted for an audience of mostly security staff from Boston-area
universities. The incident response thoughts are largely based on our
experiences "managing" MIT's response to Blaster. (We got *hurt*, in
about the $1 million range... a link to our paper on that subject is
in the notes, as well as other references, some to members of this
list.) I wish I'd had this tool available for Blaster; damage would
have been minimized, and my team would have gotten a little sleep.

Years of watching people deploying the wrong things, and being unable
to grasp how poorly they perform, is just depressing. But I was
genuinely impressed by DG (circa 2006, at least; I'm sure it's
continued to evolve). If I were offered a job today running a large
network of Windows machines, I'd probably want to negotiate the
purchase/deployment of DG up front. More importantly, it's a product
I think I could coexist peacefully with as an end user...

The product is interesting, and we had fun thinking up ways to do
useful things with it.

Disclaimer: Zanshin got paid for this work, although we're no longer
active under that name. I have never had a financial interest of any
sort in Verdasys or DG.

-Bob

On Feb 16, 2009, at 9:45 AM, dangeer.org wrote:

> Digital Guardian is a recording reference monitor:
> an agent on every surveilled host communicating
> periodically with a no-wait-state collection depot
> arbitrarily located. The agent is small, tight,
> invisible, tamper-resistant, and low-load. Any
> touch whatsoever of local data is captured at the
> innermost operating system levels. Agents do
> 20,000-to-1 continuous log reduction, compress and
> encrypt bundles of these results, and push them to
> the collection system with end-to-end assurance,
> adapting to intermittent connectivity without
> intervention.

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave