Sherlock’s statement is most often quoted to imply that uncommon scenarios can all be explained away by reason and logic. This is missing the point. The quote’s power is in the elimination of the impossible before engaging in such reasoning. The present authors seek to expose a similar misapplication of methodology as it exists throughout information security and offer a framework by which to elevate the common Watson.
Spam fighting isn’t just about writing policies, training classifiers, and combating attacks. Leveraging the “secure by design” principle in the context of spam helps create better products with built-in features for preventing and managing large-scale attacks. In this talk, we’ll share how Facebook spam-fighters extended their efforts to align incentives and include other product teams within the company in the effort to fight abuse.
I was at Amazon for about six and a half years, and now I’ve been at Google for that long. One thing that struck me immediately about the two companies — an impression that has been reinforced almost daily — is that Amazon does everything wrong, and Google does everything right. Sure, it’s a sweeping generalization, but a surprisingly accurate one. It’s pretty crazy. There are probably a hundred or even two hundred different ways you can compare the two companies, and Google is superior in all but three of them, if I recall correctly. I actually did a spreadsheet at one point but Legal wouldn’t let me show it to anyone, even though recruiting loved it.
Google Software Engineer Steve Yegge issued an apology of sorts on Google+ for his now infamous Google+ platform rant, which he unintentionally made public. In his apology, he reaffirms the statement from his rant that “Google does everything right” and notes that, despite Google’s potential flaws in understanding platforms, the company has already begun to address some of the issues he brought up. He also goes as far as to share his own personal account of pitching to Jeff Bezos while at Amazon.
You’ve spent money on security products that escalate nothing. You have a 24/7 SOC that hardly pays attention to their tools, or knows how to use them. You have intelligence feeds but have no idea what consumes them. Logs are inaccessible, slow to query, or non-existent. Defenders have stopped hunting and lost a sense of purpose.
That means it’s time for a Red Team to come in and fuck shit up.
I’ve been working in information security for about two decades — spanning attack and defense, across the public and private sectors — and the most consistent truth I’ve found is that people overwhelmingly misunderstand how information security works. Even worse, the common misconceptions are such an endemic problem that they’ve fueled a $75 billion industry, comprised largely of snake oil solutions that range from ineffective to outright harmful. That’s left us in a place where the vast majority of the tech sector is throwing their money away on security that just doesn’t work, while ignoring the basic practices and processes that actually do produce secure systems … but it doesn’t have to be this way.