[AusNOG] Fw: important

Mister Pink misterpink at gmail.com
Fri Oct 2 16:30:35 EST 2015


The thing with a lot of modern malware is that it often goes through a
crypter before it gets sent out, which means that it's not uncommon for
every single sample in a given campaign to be completely unique - this is
why people have been bemoaning the fact that signature-based AV has been
broken for years.

Ironport is for stopping spam; it can look for known malware whilst it's at
it, but this relies upon signatures (see above).  There are some pretty good
cloud-based, as-a-service offerings for spam/malware filtering, but email is
just one vector of attack, as has been mentioned.  Users are used to
clicking on Dropbox links etc. and downloading files all day long, even more
so if you block all zip files on your mail server.

Everyone has a laptop and a smartphone these days, so if you stop them
doing something on the corp gateway, they will often tether their phone,
grab what they want and drop back on the corp network minutes later.

You need defence in depth, you need ongoing security awareness training
(schools, not prisons), you still need good backups, you should be thinking
about next-gen firewalls, you still need traditional AV, and you might want
to consider app whitelisting (esp. for problem users or vulnerable vectors
like HR opening resumes all day).

There are a bunch of cool things on the market that can also solve some of
these problems, from sandboxing to MicroVMs etc., but they can be costly, so I
think you need to address the fundamentals first.

On 2 October 2015 at 12:36, Rhys Hanrahan <rhys at nexusone.com.au> wrote:

> Hi Noel,
>
> Personally, I agree with your opinion, and typically have stayed away from
> these solutions over the years for exactly this reason. However, over the
> last few months things seem to have worsened to the point where we need to
> try something different.
>
> We've been running a typical postfix+rbls+spamassassin+clamav+lots of
> other bits for about the last 5 years, with me running the same setup
> personally, prior to that. And over the years, aside from some performance
> tweaks to get more throughput on Amavis, it's done fine. There's always
> been stuff it's missed, but like people have said, there's no silver bullet.
>
> The problem is that the amount of stuff it seems to miss has gone
> up by a fair amount for us in recent times - not just with the crypto
> stuff, but with general junk that comes through.
>
> I'm not going to extend this thread to "how do I fix our setup", because
> that's way outside the scope of the list, but I'll just say that I've
> already looked at improving the config in several ways and I feel like I've
> taken the setup as far as I can take it in terms of tweaks to reasonably
> improve its accuracy.
>
> I know they're probably running the same or similar setup under the hood
> of any appliance, but the thing is, if they're going to provide me 24x7x365
> signature updates that they manage, which can stay on top of outbreaks,
> then to me that's worth paying for.
>
> Hopefully I manage to find something that doesn't end up falling over. :-)
>
> Rhys.
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Noel
> Butler
> Sent: Friday, 2 October 2015 10:07 AM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Fw: important
>
> nearly missed this, found it in Junk because you replied direct, please
> reply to list only
>
> On 01/10/2015 17:10, Brad Peczka wrote:
> > Google will also show me examples of the aliens that landed at
> > Roswell, if I look hard enough. Doesn't mean it's real! :-)
> >
>
> That may be so, but the nightmares of ironport are well realised by those
> with a clue, including those that run networks large enough to make telstra
> look like a ma 'n pa part time vISP
>
>
> > Ironport ESAs are a solid product, as evidenced through their use in
> > Australia by iiNet, Micron21, and many others in both the ISP and
>
> and I (and assume others) recall a number of problems with mail and iinet
> in recent times because of ironport
>
> Like I said YMMV, but most are shying away from these things, well, those
> that care do :)
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog