
Wednesday, July 07, 2010

Thoughts on "Application SOC" and New MSSPs

I'd like to briefly comment on a few ideas that appeared on lists I read.

First, in this Daily Dave post from June, Dave Aitel writes:

So when I gave the FIRST talk, one of the questions was "What is the solution?" ...

Immunity sees lots of success (and has for many years) with organizations that have done high level instrumentations [sic] against their applications, and then used powerful data mining tools to look at that data...

So what you see is the start up of what I like to call the "Application SOC". It's like a network SOC, but way more expensive, and with the chance of being actually useful!

On a related note, after discussing iTunes fraud, Stephen Northcutt adds the following comments in this SANS Newsbites post from yesterday:

I think we are seeing more and more market demand for a new type of MSSP, a cross between (1) a software security and quality consultant, (2) a monitoring company that focuses primarily on web logs and probably has some of their own routines (think Suhosin [a PHP hardening system] on steroids) and (3) a high end code and configuration incident response capability.

Both Dave and Stephen mention an "application SOC" sort of idea, so let's talk about this first. I believe this already exists, and is indeed used effectively by a variety of organizations. It's certainly at the high end of maturity, but it's there.

Logs can be a supplementary data source, for forensic reference during incident response triggered by a traditional security indicator. Alternatively, logs can provide the primary indicator. Unfortunately, logs alone may not necessarily contain the data needed to convince an analyst that a security incident has occurred.

There's also the problem of failing to build visibility into applications. Gunnar, feel free to reply with a link to your latest logs for developers class!

Turning strictly to Stephen's remaining points, I think companies like Cigital already have the "software security and quality consultant" space firmly in control.

Stephen's last point, however, seems really interesting. I may be misinterpreting what he said because I like my interpretation, but at the very least he may be advocating for an outsourced PSIRT. I think this is a cool idea. Create an MSSP who provides customer-facing support to vulnerability researchers and others who find software flaws. Work with the software developer to transform vulnerability reports into improved code, handling the public relations, disclosures, coordination with CERT, etc. I don't know of anyone who does that work, but I think every software provider needs a PSIRT. What do you think?