Will you be monitoring everything for me? Yeah



    Usually, Habr is used as an informational solution - someone shares the accumulated and structured information, and someone absorbs this information (I wanted to write “consumes”, but the marketers have already used this word). But I, as an old-timer, and given the slight relaxation between February 23rd and March 8th, I wanted to turn to the very collective mind that makes any article more interesting. And since writing a simple question - like on a forum - is boring, I’ll try to dilute my question with interesting facts.

    I'll start from afar: I have one favorite study dating back to 2014. It says that from 22% to 43% of subjects are ready to download and run an unknown executable file if they are paid in the range of 1 cent to 10 dollars. I already wrote about him in the text devoted tooffices of the future .

    Since one of my main works is related to virtualization, I am very interested in this aspect of security. Ok, the problem with the same distributions and batch updating of users is quite simple to solve with the help of a hypervisor and a thin client, however - we live in reality - there will always be a part of users who go the wrong way, start the wrong way and do the wrong thing. I have a simple question, who uses which security system in virtualization and why?

    Wagging in the interesting direction number 1

    As a rule, in such articles that are published on corporate blogs, they write about ten examples of how a virus ciphered something. Most often, they again recall Petya. It’s much more interesting for me to recall a slightly curious incident that happened at Bristol Airport.

    There, too, the cryptor mowed the weevil , and the consequences themselves are interesting. As a result of the attack, all the information boards went out and the poor employees had to record flight numbers in the old analogue way - with a marker on the board.
    “Where's my flight?”
    “And we just erased it.”
    - And what is my gate?
    “But hell knows, Joe has a bad handwriting.”



    We return to the problem, for which, in fact, this post is started. On one of the projects where I participate, we use Citrix, and we chose it compared to this topic . So, recently we were offered to connect Citrix Analytics. According to sellers, this thing will monitor user activity and isolate users / processes creating something wrong.



    As usual, they promise machine learning, blacklists and security breach patterns. Since, in theory, a useful thing, we have a logical question - who really used it and are there any other options?

    Wagging in an interesting way number 2

    Again, when they talk about all kinds of leaks, remember the theft of passwords and other information (for example, a very cool and technically competent publicationThe Bell in the digital results of the year mentioned about leaks 4 times, if you count Google+ for 2 leaks - then all 5). What interests me is the issue of long copying of source codes and documentation.

    For example, the Panama plum (panamageit). The volume of documents was 2.6 terabytes. Copying and accumulating such a volume of information could not be unnoticed. Do large companies now know that some of the retiring employees are not copying their data “for memory”.

    What turns out. It turns out that we need a certain system that “sniffs” when someone massively rubs something (cryptographers) and eats resources for encryption as if they weren’t in themselves (well, or other cryptographic behavior patterns). Also, when someone massively copies something to his corner. And when this someone, such a radish, walks around potentially dangerous sites. And here, too, we need patterns, because he will not go to sites from the black list, but easily - to similar ones. Just banning with keywords is also a half-hearted decision.

    We were given a chance to play with the Citrix admin panel and if you look at the description and dig deeper, it seems to be quite suitable.


    What did you do there, Andryusha?

    But we are literate people. Experience shows that when you choose from only one option, then, as a rule, this option is erroneous :). Therefore, I have a simple question - did someone use a similar or similar solution? Is there something better, cheaper, or better and cheaper at the same time?

    Superficial googling (and not superficial either) shows that large players have something similar, but there is very little information. At first we looked at WMWare - it’s always interesting, but did you make the right choice two years ago when choosing virtualization. Something close is called AppDefense . There, an “intelligent processing algorithm” is also triggered inside the application. But how it works is an extremely interesting question.


    Judging by this one-hour video, protection against encryption and other software crap works well there - such an antivirus on steroids - but there is no automatic user monitoring. Therefore, the question with real application is also what is really there and how it works.

    Let's go further. In fact, virtualization is just a bunch of jobs. Are there any solutions designed for a bunch of physical machines? For example, Cisco has a certain Cisco DNA Center, where they promise to “quickly detect and respond to threats before hackers can steal data or disrupt work.” That sounds cool. Another lure: “DNA Center collects data about devices, applications and users from several sources, and then uses advanced analysis algorithms to identify correlations and proposes recovery measures.”

    The video also promises something close to the requested functionality.


    But then again, experience suggests that Cisco is more about networking solutions. And to tie this to virtualization, you have to somehow make this service friends with DHCP.

    It seems to me that this thing is exclusively for a bunch of network connections and is unlikely to be useful in our simple and virtual conditions.

    And what do you say, dear colleagues?

    Also popular now: