CONTINUOUS MONITORING FOR CONTROLS & VULNERABILITIES


Episode Description

What We Discuss with Daniel Miessler :

  • Continuous Monitoring (CM) vs Continuous Auditing.
  • At what point should an organisation consider Continuous Monitoring? Do smaller organisations need to think about it as well?
  • What is BugBounty? How do we find more about BugBounty resources for continuous monitoring?
  • How to manage risk around Bounty program?
  • How do you do continuous monitoring in a multi-cloud environment?
  • How can one start with automation when looking for vulnerabilities continuously?
  • Is there alert fatigue in continuous monitoring?
  • Why is it important to do continuous monitoring?
  • Does everyone in tech or in general need to have a personal brand? Tips for Personal Branding for audience that enjoys blogging or podcasting.
  • And much more…

THANKS, Daniel Miessler!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: Hey Daniel! Welcome to the show.

I can have a whole episode about where you started and everything, but I’m sure the audience is keen to know who’s Daniel. And how did you get into cybersecurity?

Daniel Miessler: Yeah, I got into cybersecurity when I was in university.

And there were a whole lot of worms going around at the time that were just self-propagating. They were taking over the whole internet. This was around the 2000 timeframe and the university computers just started falling. And I basically just started helping, because I had just learned how to use Linux a while before. And I basically just went around installing Linux on everything. And then I basically got deputized as, you need to do this for the whole university. And then I just became in charge of security for the university.

Ashish Rajan: Wow. That's an interesting start, man. I think it's worthwhile calling out: do you see worms even now?

Oh, is that, is [00:01:00] that a concept back in the day?

Daniel Miessler: It's been a while. It's been a while.

Ashish Rajan: Yeah. Because for people who probably haven't heard of it, I'll definitely encourage people to Google it. This is kind of where a lot of us may have started our careers, talking about worms instead of viruses.

We are here for continuous monitoring. Now, when someone Googles or when people try to talk about automation and they all go into continuous auditing, continuous compliance, can you demystify what continuous monitoring is for people who may not have heard of it? Is it the same as continuous auditing or compliance?

Daniel Miessler: Yeah, the way I like to abstract that is to imagine questions. So questions you wish you knew the answers to. So if you're a CISO at some company, it's a medium-sized company or whatever, the questions you might want to know are, do I have any dangerous data ports open that are facing the internet right now?

And let's say it's a larger company, I'd say it's medium-sized or larger. And you've got lots of regular legacy IP space. [00:02:00] And you've also got a big cloud presence and you've got a bunch of developers who are trying to implement stuff. So they're going and turning things on. Plus you have this big legacy IP space with lots of, you know, IPs there.

And again, you've got developers who can go and turn up services. Most companies don't have perfect visibility or knowledge of what's being enabled. So the question is, what do I have exposed right now? And when I read the newspaper and I hear about, a newspaper, no one's reading a newspaper anymore.

You're reading the news from wherever. And you're hearing about these compromises. You're hearing about Postgres servers being taken over, NoSQL servers, just all sorts of misconfigurations online and you're seeing that's how they got hacked. Right? You look at Capital One, lots of situations there.

And the news is full of them basically every week. And you find out it's like an own goal. It's their fault, essentially, because this happened. So that would be one question. Do I have any of these exposed to the [00:03:00] internet? Another question would be, do I have stuff that's about to expire, TLS-wise, like certificates that are about to expire.

So you work through this giant list of bad things that you're worried about happening to you. You turn that into a question and that set of questions is essentially what you would do continuously. So at that moment, you could ask yourself a philosophical question. Okay. Are you monitoring for that? Are you auditing for that?

That's just semantics. All you're doing is you're answering these questions that you're worried about, say whatever it is, your top 20 questions that you're concerned about. And you find a way to ask those questions as often as possible and let yourself know if any of those answers are yes.

Ashish Rajan: Oh, and to your point that could feed into your SOC.

If you want to do that path where, oh, suddenly I've got publicly exposed APIs. So it's not like you're constantly trying to write a custom [00:04:00] script to find out at any given point in time, is this exposed right now, but you kind of do it once and you just wait for it to kind of trigger an alarm and you kind of go down that path.

Continuous auditing, continuous compliance, continuous monitoring sounds like a very large organization kind of a thing. Do smaller organizations need to think about it as well, or is there an easier building block? What are your thoughts on that?

Daniel Miessler: They definitely need to think about it.

And I think the conversation is starting to happen at smaller organizations. The BugBounty space is really pioneering this right now. So myself and a few others have been doing this for a few years, but now it's really starting to blossom inside of the BugBounty community. That body of knowledge that's available there is available to anyone. So if someone just has a security mind and they have a 10 person company, and they're all AWS, they could take some of these lessons from the BugBounty community. And there are [00:05:00] a number of guides out there. There are platforms out there, free open source code snippets.

Like you could roll your own. There's just tons of options out there for somebody in a 10 person company. It could be the co-founder of the company who could go: most importantly, what are the worst things I'm worried about happening? Turn that into questions. And then you just go and code up a solution that corresponds to each one.

So that could be the co-founder of a two person company. It could be a medium-sized company, or it could be a giant enterprise.

Ashish Rajan: I've got some folk who may not know what BugBounty is. So how do you describe BugBounty to someone who's probably new in the cybersecurity field?

Daniel Miessler: Yeah.

So bug bounty is, it's basically a response to the world of pen testing, where you would have, as a company, you would hire someone to come find vulnerabilities for you. So you would bring in whatever, one or two people, or if it's a really big engagement, it would be multiple people. And [00:06:00] they would look around on the network inside and outside or whatever the scope was and try to find vulnerabilities.

And then they would submit that in as a report. And that works great. But this idea was basically, what if the internet could help? What if you could basically announce that you wanted help looking at your security and you open up a program? And everyone on planet earth could find vulnerabilities, send them to you and you would reward them with money based on the quality of the bug.

So it’s crowdsourcing pen testing.

Ashish Rajan: I love it myself. Worthwhile calling out there are public and private ones as well in that space. So, yeah, just be wary of who you attack.

So I'm going to peel a layer for the BugBounty program. And you mentioned that there are quite a few resources that are opening up. So are these being written by folks who are BugBounty, I guess professional [00:07:00] BugBounty folks, or by the blue team, red team?

Because I think you have a blog about this, which I love, where you have a purple team, red team, a blue team. And I find it really interesting the way you explained it. But from a BugBounty resource perspective, you mentioned it's available for anyone; what am I searching for, continuous monitoring guides?

Daniel Miessler: Yeah. So, I would say continuous monitoring is kind of a newcomer to the BugBounty space. BugBounty traditionally has been an individual, well, a collection of individuals; the security researchers themselves would do their own personal brand of testing. So oftentimes they have a specialty, like maybe they're really good at cross site scripting, or maybe they're really good at RFI or whatever it is that they do.

Oftentimes they would just kind of like be really good at that. And then for all, all of the surface area that they were attacking. And all the different companies that they were doing bounties for, they would go [00:08:00] and like do that one move. Right? It’s like almost like martial arts where like you get good at one thing, and then you go to tournaments and you see if anyone could block that one thing.

And it makes people a lot of money. So it's been very manually focused in the past. It was people just going and trying this thing in not really a repeatable way, but within the last few years, like I said, myself and a number of other bounty people basically started saying, hey, wait a minute.

If I'm doing this one move and it's really effective, can I just automate that move and then automate also the discovery of new targets, of course within the boundaries of the bounty program, but they could just set it off running and then go to the grocery store or go on vacation.

This is what, I actually built a company around this in the past, which I'm no longer affiliated with, but these frameworks exist where you basically set and forget [00:09:00] and you hook that up to alerting. So you go on vacation, you go to the grocery store, you go to the park, you go for a walk and suddenly you get a Slack message that says, hey, I found a new subdomain within the scope of this program. And it has a vulnerable file at the root of its directory structure. And that of course could spawn another automated thing, like go and exploit it or whatever. So you could come back from vacation, have a bunch of bugs, you write them up and submit them and you just made a ton of money.

Ashish Rajan: You're giving a lot of ideas over here.

Daniel Miessler: So the crazy part about this is that the flip side of this is you could do the exact same thing as the defender. Okay. So if you're the blue team, if you're the CSO or you're some security engineer at the company, you could have this same exact infrastructure running constantly.

So that the infrastructure running [00:10:00] against you from either an attacker or a BugBounty person, they’re not going to see at first because you’re also running it. So now it’s a race to who finds it first and goes and fixes it.

Ashish Rajan: Oh, to your point, a blue team person would have access to some of these guides, which are there on the internet to plan for it.

So you don’t ever think of all the ideas, like all the questions, I guess they’re already questions available on the internet. Is that right?

Daniel Miessler: Yeah. Yeah. So, I mean, if you were to just search for "how do I get started in bounty", you're going to find a thousand results. And a lot of those are written by people that I know, and they're just really well done.

Plus the community is really open arms, right. There are so many people in the community who will be like, oh, I started, I did this video on YouTube. You should check this out. This is where you start. They're really good with sharing information. You can just ping them and just be like, hey, look, I got this new technique.

What do you think? And a bunch of people will show up and say, oh yeah, I'd do something like that. You should try this or whatever. It's just a very open community [00:11:00] and yeah, it's pretty easy to get into.

Ashish Rajan: That's pretty awesome. And I've got a couple of questions I think, in this space.

Are you using Python for automation? Or do you have a favorite language?

Daniel Miessler: Yeah. So a lot of Python, a lot of the infrastructure; actually Bash is surprisingly powerful.

Ashish Rajan: I didn't think you would say that, but I'm glad you did. I don't feel alone anymore.

Daniel Miessler: No, no. It's surprisingly powerful. I would say Bash, Python, and I'm lately moving a decent amount towards Go.

Ashish Rajan: Oh, okay. Oh yeah Golang

Daniel Miessler: Yeah, yeah. Golang is really, really powerful. It does parallel requests really, really well.

Ashish Rajan: You can do multithreading.

Daniel Miessler: Yeah. It's like C speed almost. So it's got advantages over Python and Bash in that way. So I like to use Bash as glue. And then use Python and Go. And also just a lot of other tools that are already written in these languages.

Yeah. There's [00:12:00] tons, tons of great creators who are writing tools. I put out a number of tools myself and, again, it's easy to link this stuff together, stitch it together using Bash or whatever, and just be on your way.

Ashish Rajan: That actually, that's an interesting one. Now, maybe it's a good segue into the next question that came in from Rahul around any tips or awareness on managing risk around bounty programs.

Interesting question. You do a lot of bounty. What's the advice that you're giving to the others, to the blue team, for all the stuff they're finding?

Daniel Miessler: So that is a really good question. There is a risk to just opening up the gates to a bounty program. If you just say, hey, send me everything there.

There's a really big problem. People can sort of run scanners, right. Just run Nikto or something like that.

Ashish Rajan: Or even a Burp Suite scanner, I imagine.

Daniel Miessler: Yeah. Burp, like lots of different tools out there that you [00:13:00] could run and it just produces reports and they just start emailing you these giant zip files and PDFs, and it's like a 900 page PDF or whatever.

And you’re like, okay, what is the actual bug? And what did it allow you to do? So imagine you’re the only security engineer. Someone had the bright idea to open a BugBounty and yeah, now you come in and you’ve got an inbox full of 700 items. And you don’t know which ones are good bugs and which ones are bad.

So it ends up putting a big burden on the receiving team, of like how am I going to triage these? And then also, how am I going to do remediation? Like you have to have a plan and there’s a bunch of companies out there that are really good at this. I mean, yeah, BugCrowd, HackerOne those are the top two bounty platforms and they now understand that this is a thing, and that’s why they have services which do the triaging for the company.

Right. But if you're a bounty expert yourself and you can get a [00:14:00] team together to do triage, it is possible for the company to do it themselves. And a lot of people do that, but you don't want to skip that step and be surprised and get overwhelmed.

Ashish Rajan: Okay, that's a good way to manage your risk, by being aware that there's a lot of work, depending on how much you open up to the BugBounty program as well.

Just start small, is that what the advice would be?

Daniel Miessler: Start small and be ready to do triage, have a solution for triage.

Ashish Rajan: I've got just one. I think it's more of a comment saying it's only a bunch of people found a CVE in Apple iCloud and Apple awarded them 100k, that's an insane amount on the, well, yeah, I guess, but it's normal for bug bounty programs, if you've found a really good bug.

Daniel Miessler: Yeah. So there are, I would say, hundreds of bug bounty programs out there, probably thousands of bounty programs out there.

I mean, you could make a lot of money doing this. And a lot of the people I know in the space, they have transitioned and they do this full [00:15:00] time. Now they quit their regular jobs. And this is all they do is bounties.

Ashish Rajan: And to your point, you can automate it. So even when you're on vacation, there's continuous monitoring happening for your KO move, I guess, whatever their KO move, maybe that signature just keeps going around everywhere.

Daniel Miessler: Let me expand on that. So basically the best people, the people at the top of these leaderboards, I would say I probably know, I don't know, 60, 80% of them. And I could tell you all of them have this thing that I have, this thing that I'm talking about, this continuous monitoring, they have it.

And the crazy thing about that KO move is let’s say that they had whatever two or three finishing moves that they would go around and make money with three years ago. Well, they’ve already built that into their automation, but now the crazy thing about this automation is they could hear about another finishing move.

Just go and read about it and say, oh, that's a great idea. And then they pull it over, put it [00:16:00] into their automation, and now they're finding something new. I'll give you a good example. There's a framework that finds favicons, you know, the favicon. Yeah.

Ashish Rajan: Yeah. That’s right.

Daniel Miessler: So a big part of the bounty thing is like, how do you know if you scan 10,000 websites for a giant IP space, which ones are related to this brand?

If you're trying to only hit that brand, but there's no explicit indication on the website, whether or not it's associated with the brand. Well, what this project does is it takes hashes of the favicons and groups them all together and says, if they're running a favicon for so-and-so Acme company, it might be Acme.

So that's a technique which you now put into your continuous monitoring. And now you say I've found a new website, a new attack surface that is likely to be associated with this brand. And it could be that you found it first, which means it's [00:17:00] full of vulnerabilities. So now you're going to make a ton of money.

Ashish Rajan: Daniel, you have filled a lot of nuggets in there already. So I wonder if all the people are going to drop off and start Googling for how do I enter a BugBounty program as a side hustle.

Daniel Miessler: Well. And to your point about the topic of this show, these are all techniques you should be doing as a defender.

Yeah, because you can get there first, you have more inside knowledge of all the vulnerabilities. You have more inside knowledge of the space. So it's a big deal.

Ashish Rajan: I think so. I a hundred percent agree with you, because I believe the reason the blue team, a lot of people talk about why the blue team is sometimes not keeping up with the red team or the purple team or whoever you want to call it.

I find it really interesting because sometimes the answers are out there and to your point, there are playbooks out there that the BugBounty guys use, and they probably openly talk about it as well, about having someone spend the time to go, is this worthwhile? [00:18:00] Does it make sense for my environment?

So I've got one more comment coming in, Sam Curry and his team were awarded around 500K for finding 55 vulnerabilities. That's insane. Clearly this is like a very popular topic as well. I've actually got an interesting question. What suggestions do you have for continuous monitoring in a multicloud environment? Does it really matter if it's multicloud in a continuous monitoring state?

Daniel Miessler: Yeah, it does. It does actually matter. So here’s the situation where you have to watch out for it.

So let's say you have a main IT department and a medium-sized company, but let's say it's multinational. Right? You've got something in France. You're in India and you're also in Chicago. Right. And just based on the politics of how the company came up, the main IT place is in, say, France.

Ashish Rajan: right?

Daniel Miessler: And you're a security engineer in France and you're like, oh, I have to cover the entire cloud. So you go and get [00:19:00] the seven AWS accounts in France. And you rig it all up and you see tens of thousands of IPs and you're monitoring and that's fine. Little do you know, there are two other things, AWS accounts in Chicago and in India, but you're not friends with them.

They're not telling you. And you wake up one day because your boss calls you and you're on the front page of whatever, TechCrunch, because your company got compromised. Because someone had a Postgres server out there and a whole bunch of data got pulled. It turns out it was a listener running from AWS infrastructure that was run by an account outside Chicago.

If you don't know about the accounts you can't continuously monitor them. So what you have to do with continuous monitoring is make sure you have all the ends to know when new infrastructure is being spun up, that you know all the AWS accounts, [00:20:00] and that you're not just getting a tiny slice of it.

Ashish Rajan: That's a great point though, because I mean, I guess people keep saying this, you can't protect what you don't see. Have you had to come across some exercise yourself where you kind of had to do some form of discovery? Because I imagine it's not easy to find out if, like, you know, to your point, I don't communicate with my team in France. Step one, talk to your team members, I guess.

Daniel Miessler: Talk to your team members, but also think. So the most important thing for this whole space is think like the attacker, right?

So if there are techniques that an attacker can use to find the other infrastructure that you don't know about, figure out what those are and use them as well. So, for example, the favicon thing would work because all three have to use the same favicons, potentially, most likely, not always, but all three companies might be using the same favicon.

So if you have a way to look at attack [00:21:00] surface and link it to the company, go and do that. And now you find a whole new website. It turns out there's some crazy marketing department and they had this crazy idea. That's the other thing, marketing. Marketing is a huge attack surface generator because they can have an idea.

They have money behind them and they'll just hire a third party and just be like, hey, go stand up this website. Here's the code. Here's the favicon. And within two weeks they have a website. Did they go through security? Nope. Did they call you? Nope.

Ashish Rajan: Oh, because they are the ones who are bringing in, helping sales happen.

Security has sometimes little to no say, but I'm not going to go there. Because it's a really interesting space and there are a lot of security people like, but it doesn't make sense. Ah, I've got a few people who loved the favicon idea. One more question here might sound buzzwordy, but have you considered or added any machine learning algorithms to your methodology, [00:22:00] to the KO move?

I'm going to start calling it KO move now. Because it sounds so much cooler.

Daniel Miessler: Yeah, so that is a fantastic question. And I'm not doing it yet, but I am deeply interested in this space. There's a lot of thought around this. In fact I have some contacts in the Pentagon and this is something that we've talked about as well.

It's like, so in the ML world, there's an idea of "-ness". So there's like vulnerable-ness. There's like cat-ness, like how catty is this image? And like the cat-ness is 89%. That means there might be a cat. Right?

Ashish Rajan: Okay. Yep.

Daniel Miessler: So the idea is you're dumping tons of data, which is constantly being collected, into an algorithm that tells you, potentially, that this website looks vulnerable. And of course you have to train it. This is supervised learning. You have to train it so it knows [00:23:00] what bad looks like and what good looks like. But doing that, now you could be scanning much larger areas, dumping that into the algorithm. And instead of just saying, hey, a port opened up, it could say a port opened up and its vulnerableness score is 94%.

Oh, so now you, now, if you had tons of findings, you would have prioritization using the ML that says here’s where you should go first, because it’s most likely to pay you money.

Ashish Rajan: Interesting. So to your point, because you have your, I guess your KO signature move running on a lot of domains, I guess, hundreds of thousands of domains across BugCrowd or HackerOne, but not all of them.

Some of them may be false positives as well, where you go, oh really? But I mean, to your point it requires some triage, but if you have machine learning on top of it to prioritize, this has a very high percentage of being accurate.

Daniel Miessler: Yes,

[00:24:00] Ashish Rajan: exactly.

Daniel Miessler: Very high percentage of being a false positive.

And it gets really crazy when you're defending a big company. What if you're defending a city or a state or a country, you have a very small military group, you know, some cyber military or whatever. And it's like, okay. Yeah, I have 75 million open Postgres servers, which ones do I need to defend first? And that's racing with the algorithms on the other side, because they're doing something similar to find the ones to attack first.

So it's this escalation of not only the monitoring, but the algorithms giving you the prioritization of what to focus on first.

Ashish Rajan: That is insane. I wish the podcast people could see this, but I'm like mind blown. And this is kind of where, to your point about when you're talking about a small team, [00:25:00] I'm not going to call it Pentagon in case they started recording this conversation, then I'm just going to say, if you're defending a city or a country, when people talk about nation state, that's next level stuff, man.

It's like you're almost trying to, I don't know how they don't have anxiety. I'm just saying, I don't know how they have a normal life, if you're in that space.

Daniel Miessler: Well, and that's why I really love the ML question, because that is a way potentially, again, this is all fraught with difficulty, but it is a way to go from you have a team of whatever, 11.

And you're looking at 11 million results. How do you get to the top 10? How do you focus on the most important things? And the thing about ML that's super exciting is, here's a really great example. If you look at the sky and you're looking at meteors coming in.

Ashish Rajan: Yeah.

Daniel Miessler: Most of that coverage is done by amateurs with a telescope.

[00:26:00] Yes. So much of that coverage is done by amateurs and they're sending it into places and saying, hey, did you see this one? And they're like, hold on, let me look. They're like, oh yeah, good catch. Yeah, we'll monitor that one. Thanks, really. So what you really need is you need eyes. You need sensors facing the stars, combined with algorithms, because they don't sleep.

They don’t get tired. They just keep watching and they could report to you, which ones might be asteroids. And this is the advantage of ML is that it scales and it doesn’t get tired. And it’s the same exact thing for monitoring a country or a giant company, or your company, a medium sized company. It’s like, can we use that to continuously monitor and also to continuously prioritize.

Ashish Rajan: That's pretty awesome. And I think to your point, the blue team is also adopting machine learning quite a bit as well. I think, because I know the guys in [00:27:00] Netflix, I was talking to them a couple of years ago, they had already started hiring machine learning folks in the security team.

So, to your point, even when a SOC team is managing so much data coming through your SIEM or whatever, how do you prioritize? How do you go? Like I have this bane with the SOC team. I've got a SOC team myself that reports to me, but I find it really interesting that in the 21st century we still have to let people go through false positives and go, oh, it's a false positive.

It's a false positive, it's a false positive. And you're like, why is someone spending a dime just triaging these things when, to your point, there's machine learning, there's other things available? Would you rather spend time there and just help something else prioritise, out of 11 million incidents or reports that you've had?

I love the idea, man. So you’re still exploring this.

Daniel Miessler: Yeah. I'm exploring exactly how to implement it. The problem with ML is always training. And it's always how good is, a lot of data

Ashish Rajan: to train it as well.

Daniel Miessler: A lot of data. You need good data, [00:28:00] because if you label something as a false positive and it looks too similar to something else, you're just going to get a lot of noise.

Right. And one interesting thing about this is there's also, there's already, you're probably aware of this if you're running a SOC, there's already lots of AI conversation around logs and SOCs.

Ashish Rajan: Every vendor out there is talking about machine learning and AI.

Daniel Miessler: Exactly and they’re going to prioritize this and prioritize that.

Yeah. This is the extension of that. This is the extension of, okay, that's for all the logs that came into the central place, but now what are the questions we're actually worried about? And let's go constantly surveil, constantly blanket, looking for problems and bring that into the algorithm. That's where this continuous monitoring is a step above just log collection.

Ashish Rajan: Oh, that's interesting, and probably a good time, a good point to mention the comment that came from Vineet, which was about, because we talked about [00:29:00] inventory and obviously maintaining inventory for resources. I feel that's hard to begin with. Is there a... And this is kind of going with your point about how you scale this; is this one of those things that you said, take one step at a time, or just make a playbook and keep applying it?

Because I think you mentioned some of this in your talk as well. What are your thoughts on that?

Daniel Miessler: So start with your list of questions, right? Start with your list of concerns first, then your list of questions, the list of questions that you’re asking yourself, like to Vineet’s point, how many externally facing hosts do I have?

That's a question. That's a question you want the answer to perpetually, always, at any moment you want to know the answer is 9,437. Right. And do you know exactly what ports, what services? The next question, what services are available to the internet on those hosts? You have the answer to that.

Okay. Are [00:30:00] any of them running a web server? You have the answer to that. So that, yeah, is the centerpiece of that question, or the answer to that question, and Vineet is a hundred percent correct. That is a foundation for an asset management system, which has been a massive Achilles' heel for all of IT since it started.

And to your earlier point, you can't defend what you don't understand. So half of these hacks, or some massive percentage of these hacks, are on infrastructure they didn't know they had, like the CISO wakes up and it's like, I thought we turned that off four years ago and here we are in the news, in TechCrunch, because of that.

Ashish Rajan: Yep. And I love it. I think I was talking to someone, I can’t remember the name of the company anymore. I don’t think I can talk about the company as well, but the incident was an interesting one. They had a BugBounty program, kind of like what we have as well. We have a BugBounty program in my company and I was trying to find out information about [00:31:00] what are the kinds of risks or what are the kinds of findings which have been interesting.

One of the findings that someone spoke about was that there was a service which people thought they had turned off years ago, and someone in a BugBounty program found it. And you’re like, this was supposed to be, like, no. Exactly to what you said. The CISO is like, what the hell? We had a closing party for this thing.

There was like 50 people there. They all said this is closed, no longer. We moved on, and some kid around the world found it and you’re like, yep, this is the reality. Yeah man, a hundred percent spot on.

A few more comments coming in. Can you also use it for finding fake phishing websites? Wasn’t that interesting?

I believe there will be a pattern for that, I imagine.

Daniel Miessler: Oh yeah. Very smart guy. So basically yes, you can. I think he’s playing off of the favicon thing.

Ashish Rajan: Oh yes.

Daniel Miessler: So basically, if someone wants to look like an authentic website, [00:32:00] they might use the favicon, obviously, to trick the user. So this would be a way to find that, potentially.

Ashish Rajan: We spoke about continuous monitoring. We were also talking about something which is really interesting: as an organization which is small, to a large, like large security team.

You can dedicate a lot of resources if you’re engineering heavy. I’m thinking of the Netflixes and Atlassians of the world with their massive engineering teams. Now that’s not possible for everyone as well. Right. So where do you stand on the whole using custom code versus can I just find a product to do this? Like, where do you stand on that thinking?

Daniel Miessler: Yeah. So up to a few years ago, I would say you kind of have to write this custom. There are now a number of companies out there that are kind of doing this continuous monitoring stuff. I would say it’s getting more useful to potentially look at a vendor for this, but you want to make sure it’s not something like, I don’t want to say the name, companies that have [00:33:00] like scorecards.

Where they’re like, we rate your security as a C. The reason is because we saw your SMTP server didn’t use TLS correctly or something. And what they’re actually doing is selling those less. And they’re kind of using them as a little bit of extortion. So it’s not a really clean space.

What you want to know is, okay, you’re a vendor that’s going to monitor my entire attack surface. What of all of my attack surface are you going to monitor? And how quickly are you going to monitor it? Because when I was doing this, I was doing it multiple times per hour. This is near instantaneous.

It’s near continuous, right? Whereas a lot of the players in the space are like, oh, we do a circulation every month, or we do a circulation every week. And the fact is it’s not fast enough. Ideally this thing should be continuous. You know, we were getting those speeds using what we were doing.

So those are the [00:34:00] types of questions I would ask these vendors. If you have a strong internal security group, you really don’t need to get a vendor. You can just look at the BugBounty space and flip it on its head and turn it into the blue team version. Use the automation that’s available and you could build it yourself.

It’s just a question of resourcing. If you have a relationship with any of these vendors and you trust them, well, it’s at the point where you could do either, depending on your situation.

Ashish Rajan: I love that idea of flipping the BugBounty program on its head and using that as your, like, this is what I should build towards, cause this is what these guys are using.

This is theirs, like, a hundred percent, man, love the idea.

With continuous monitoring, you know, and we spoke about it just before, 11 million logs or 11 million events coming in, I’ve got this super awesome KO move that, you know, basically the favicon just dies at the end of it. Is there alert fatigue in this space as well?

Cause I [00:35:00] imagine, well, I’m assuming there will not be much alert fatigue, because it’s all either false positives that have been narrowed down, but keen to know your thoughts, cause a lot of the monitoring space or continuous monitoring space talk about the whole, I’ve got so much alert fatigue, I don’t want to see the alert again.

So what are your thoughts on that?

Daniel Miessler: Yeah, so the way that I set our system up was to only alert on things that are super sensitive. So it’s possible to do multi-tiered checks. So let’s say there’s a Postgres server that’s listening. So, 5432, it’s listening. But the next follow-up question is:

Okay, can you authenticate to it using the top, whatever, 100 username and password combinations? I run a project called SecLists, which is like the largest collection of usernames and passwords that are for basically everything. And they’re kind of the best lists, they’re used all over. ’em

[00:36:00] Ashish Rajan: the show notes, but definitely recommend that.

Yeah.

Daniel Miessler: Yeah. Yeah. So, if you can ask the question of, can I log into this thing, and you find out, yeah, actually the third thing on the list, whatever it is, I’m not even sure the credentials for that service, but let’s say it does log in. Well, now the alert that you get is a Postgres server was not just listening on the internet.

Cause that could be a lot of alert fatigue if you have 20 million IP spaces, right, or a super large, massive org. Cause if your SOC is looking at every single Postgres server, it’s like, okay, now I have to go manually check. But if you add one or two levels of check on top of the first one, maybe now you’re only getting three alerts.

And the alerts are not only did I see it, but I logged in and there’s data there. And it also goes back to the ML question of, [00:37:00] can the ML be used to reduce that number of alerts? But really the way to reduce that is to not ask questions that you’re worried about alert fatigue for getting the answer to.

So for example, if it’s just wide open database ports facing the internet, or certs that are about to expire on your top 10 websites within the next three days, that really won’t be alert fatigue, because you’ve set the bar so high of criticality.

And then as you have more people or more automation to parse and do triage, you could turn the knob of how many more alerts you want to do. But the paradigm that I was using before is, the vast majority of the time no alerts were created whatsoever. This is the opposite of a vulnerability scanner. A vulnerability scanner sends you a hundred pages of results no matter when it runs, because it’ll send you [00:38:00] things like, oh, the secure flag is not set on your website.

And just like extremely minor stuff. It’s like you’re using this framework or whatever, and that’ll just fatigue a SOC in a second. But if you only ask very few questions, and you prioritize those, you shouldn’t have a problem with alert fatigue.

Ashish Rajan: I love this approach. I’ve been sold on this idea for some time, but for people who are listening to this podcast and going, this sounds interesting, or still on the fence about, should I come onto the continuous monitoring side or not, or let my SOC team continuously just go through manual logs and stuff. What do you tell people? I think you kind of spoke about the methodology and the philosophy as well, but what do you tell people?

Like, why is it important to be doing continuous monitoring? Is it more to the fact of keeping up with the adversaries, or like, what’s your thought on, in an ideal world, why should everyone be doing continuous monitoring?

Daniel Miessler: So the way [00:39:00] I would answer that is you need to know the current state of your attack surface at any given moment, and the higher the quality of the questions that you’re asking of that attack surface, and the more often you’re asking them, those two combined result in the best possible current state that you could have. So this would be the equivalent of having eyes constantly on the external perimeter of a castle.

Right. So let’s say you’re constantly being bombarded and there might be holes. There might be ladders going over the top because the castle was so large. If you didn’t have anyone out there actually watching and actually doing inspection, then people could go in, or they could burrow under, or they could come over the top. Continuous monitoring is the way to know how bad it is at [00:40:00] this exact moment.

Ashish Rajan: Starting to see this pattern already, where a lot of us work in a very heavy digital space. It’s very unlikely that you would come into a space where, maybe unless you’re working in operational technology or something and trying to operate a nuclear plant, if the Pentagon is listening,

that may be a different scenario, but most of us, 80 or 90% of us, are still in a very digital space. Digital transformation has been going up for some time, either most of us are on a cloud environment or all of us, thanks to Covid, are now remote. So there is no way that you should be kind of shying away from this.

And the other question that I had towards the end was, and I want to switch gears from technical to nontechnical, cause I think you’ve done an amazing job with personal branding.

People can go on your website and see the membership and all that. Do you feel like everyone needs to have, you’ve had a tweet about this as well, do you feel everyone in tech or everyone in general should [00:41:00] have a personal brand online these days? And what does that really mean for people who are listening to this?

Daniel Miessler: Yeah, I would say, I wouldn’t want to say everyone. I mean, there’s some people who are just like, they’re just naturally happy. They don’t need to really tell anyone about their thoughts. They don’t really need to share anything with anyone else.

So there’s lots of people in that category and I wouldn’t want to try to shame them because they’re not broadcasting. I would say for anyone who is probably listening to this, and definitely you and me and, you know, thousands and millions of others, people like us, if you’ve ever had the idea of, oh, I should write this down and talk to someone about it, that is the bar.

If you’ve ever had that idea and you wanted to share an idea with anyone, yeah, you should absolutely have a presence. You should have a website. You should be on Twitter. What social media you use will change because the companies will come and go. And Instagram has a vibe. Twitter has a vibe.

They have different vibes, but you should [00:42:00] essentially see these different technologies as syndication. You and your perception of the world is a lens. It’s a vibe. It’s a brand that people can start to, like, I found you, you found me. And like, I like your vibe, so I’m subscribed to it.

Right. Whatever that means, whatever the technology means. And I actually think that this is part of a larger trend where we’re moving away from the power of corporations. I think people in the, you know, the 1950s, whatever, they just wanted to have a cool job at some corporation.

And I think things are moving more towards the individual where what the individual can do as themselves is valuable. They don’t need to be tied to a big brand. They could be their own brand. And in order for that to work in order for people to be able to hear you, you have to establish that platform.

And that platform, most importantly, is a central domain. So you want to have a personal domain, and [00:43:00] you don’t want it to be like, I love matchbox cars.com, or like, I really love, whatever, Gatorade orange flavor.com, because that might be cool when you’re 19, but you need it to scale all the way into your fifties and sixties.

So, first name, last name is usually really good. You want a brand that lasts a long time, and that central domain is the center of everything. And from there you stack on, you know, Twitter or whatever social media that you use, and most importantly, have ideas, share ideas and interact with other people who are thinking similarly, or, you know, at a tangent to what you’re thinking.

Ashish Rajan: I love that, man. And to your point, some people may look at that as like, oh, I love sharing ideas, but I don’t want to be on a video. I don’t want to be like, where do I start? Do you have an opinion on whether everyone should be doing [00:44:00] podcasting, videos, blogs? There’s so many avenues now. What do you recommend for these people?

Daniel Miessler: So most important is a website where you physically write. You write on the website and you have the idea captured. As a thinker or a creator, the most important thing that you do is you capture the idea and you articulate it in some way. So the text form on your website is step one, because you want to get in the habit of, one, creating ideas and, two, capturing them.

From there you can move into, okay, is this audio? Is this video? A lot of people will never move to video. I haven’t made a strong move to it yet. And in fact, the videos that I am doing on YouTube, they’re actually just slides with narration, like the math videos that are out there.

Ashish Rajan: Right.

Daniel Miessler: Other people are like, they’re just staring directly at the camera. And maybe that’s part of the vibe, because maybe it’s about clothes or whatever. So it’s different for everyone. But most important is nobody [00:45:00] gets onto a video and just wings it, or not very many people. They usually come with a plan.

They’re like, hey, I want to talk to you about this. And then they proceed through an agenda, right, through a five minute video or a 30 minute video, whatever it is. You have to be able to capture that and have it written down before you show up on video. So step one is get the domain and start organizing your thoughts on the site.

Ashish Rajan: I’m glad we were able to kind of unveil or peel a few layers from the continuous monitoring and alert fatigue side of things. I had a really great time. I can’t wait to bring you back on again and go to the next level of continuous monitoring and maybe BugBounty as well. Yeah, dude, thanks so much for coming in.

People who have further questions, where can they reach you? What are your socials?

Daniel Miessler: Yeah, it’s just Daniel Miessler. It’s DanielMiessler.com for the website and Daniel Miessler on Twitter.

Ashish Rajan: Awesome, dude, thank you so much again, and I can’t wait to have you back again.
