Yeah, it's obviously a fluff piece. At the same time, what kind of details would you expect? As with any anti-fraud system, it's going to contain a lot of heuristics and stuff that needs to stay secret in order to be effective. So they could probably provide details about how all access is audited, but the really neat parts of what makes it work wouldn't be disclosed anyway.
It's also not clear how Kill Chain helped at all. If they discovered the user, then they could have deactivated his credentials, right? Or are they alluding to using live user activity as a sort of honeypot to see if there are other compromised users?
This quote was pretty funny: "An attacker only has one time to be right to get that information out of the network" -- really? Because I thought we usually think of it the other way around: the defenders only have to mess up once to lose.
The way they described it, they used user auditing to track what the user was doing on the network and where, and compared it against the user's role.
There's lots of commercial software that will help you do this. First you have network appliances throughout your network that monitor traffic. Then you create rules and policies on the device that track the user, their defined role, what they should have access to, and what they are attempting to access. Then you define actions (logging, dropping the packet, ignoring it, etc.) based on the rules/policies.
You can do this using open source software, too, but it takes a bit more glue code usually. A long set of iptables rules (along with free tools like Snort) could tag traffic based on the user, layer 7 protocol, and network access, and alerts could be mailed to the admins when a user over-reaches in their access.
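To make the role-versus-access comparison described in the two paragraphs above concrete, here is an added example (not from the thread, and not from any product or tool mentioned in it). It assumes flow records have already been attributed to a user (for example by correlating them with authentication logs), and it uses a hypothetical key=value log format, hypothetical role-to-network policy and hypothetical user-to-role directory. It stands in for the "rules and policies" step: each flow is checked against what the user's role is allowed to reach, and anything outside that (plus unknown users and unparseable records) becomes an alert that could be mailed to the admins.

```python
"""Role-based network access auditing over constructed flow logs.

Added illustrative example; policy values, user directory and log format
are hypothetical, not taken from the article or any named product.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical policy: role -> list of (reachable network, allowed ports).
ROLE_POLICY: Dict[str, List[Tuple[ipaddress.IPv4Network, Set[int]]]] = {
    "engineering": [(ipaddress.ip_network("10.10.0.0/16"), {22, 443}),
                    (ipaddress.ip_network("10.20.0.0/16"), {443})],
    "finance":     [(ipaddress.ip_network("10.30.0.0/24"), {443, 1433})],
    "hr":          [(ipaddress.ip_network("10.40.0.0/24"), {443})],
}

# Hypothetical directory lookup: user -> role.
USER_ROLES: Dict[str, str] = {"alice": "engineering", "bob": "finance", "carol": "hr"}


@dataclass(frozen=True)
class Flow:
    ts: str
    user: str
    dst: ipaddress.IPv4Address
    port: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one '<ts> user=.. dst=.. port=.. proto=..' line; None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return Flow(ts=parts[0],
                    user=fields["user"],
                    dst=ipaddress.ip_address(fields["dst"]),
                    port=int(fields["port"]),
                    proto=fields.get("proto", "tcp"))
    except (KeyError, ValueError):
        return None


def is_allowed(role: str, dst: ipaddress.IPv4Address, port: int) -> bool:
    """True if the role's policy permits reaching dst:port."""
    for net, ports in ROLE_POLICY.get(role, []):
        if dst in net and port in ports:
            return True
    return False


def audit(lines: List[str]) -> List[dict]:
    """Compare each attributed flow with the user's role; return alerts.

    Reasons: 'unparseable' (bad record), 'unknown-user' (no role on file),
    'out-of-role' (destination/port not permitted for that role).
    """
    alerts: List[dict] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            alerts.append({"user": None, "reason": "unparseable", "line": line})
            continue
        role = USER_ROLES.get(flow.user)
        if role is None:
            alerts.append({"user": flow.user, "reason": "unknown-user",
                           "dst": str(flow.dst), "port": flow.port, "ts": flow.ts})
            continue
        if not is_allowed(role, flow.dst, flow.port):
            alerts.append({"user": flow.user, "reason": "out-of-role", "role": role,
                           "dst": str(flow.dst), "port": flow.port, "ts": flow.ts})
    return alerts


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "2024-03-01T10:00:01Z user=alice dst=10.10.5.20 port=22 proto=tcp",     # in role
    "2024-03-01T10:00:07Z user=bob dst=10.30.0.15 port=1433 proto=tcp",     # in role
    "2024-03-01T10:01:12Z user=bob dst=10.10.5.20 port=22 proto=tcp",       # finance -> eng box
    "2024-03-01T10:02:30Z user=carol dst=10.40.0.7 port=443 proto=tcp",     # in role
    "2024-03-01T10:02:45Z user=carol dst=10.30.0.15 port=1433 proto=tcp",   # hr -> finance DB
    "2024-03-01T10:03:00Z user=mallory dst=10.10.5.20 port=443 proto=tcp",  # nobody we know
    "garbage line",                                                          # bad record
]

if __name__ == "__main__":
    for a in audit(SAMPLE_FLOWS):
        print(a)
```

The point of the example is the shape of the check rather than the specific networks: the policy is keyed by role, not by user, so a stolen account is judged against what its job should need, and an alert fires as soon as the account reaches outside that. In practice the unknown-user and unparseable cases matter as much as the out-of-role ones, since an attacker who can make traffic unattributable defeats the whole comparison.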