Today we (Deloitte) hosted the ISGA (formerly WhiteHat) meeting. I was in charge from Deloitte's side. Apart from a few hiccups related to broken amps and late coffee, it went off fairly smoothly. I got the chance to present; my presentation was entitled "Threat Monitoring: Reading Risk the Wrong Way".
It basically provides a justification as to why threat monitoring is important, and how people ignore the "threat" component of the risk equation. A component of threat monitoring is having decent threat models. For this I discussed how security researchers have gotten the vulnerability life cycle wrong, and provided a corrected model based on combining the conclusions of several researchers.
The slides can be found here.
I am really enjoying watching how these turn out. The recent 0day's have seen unofficial patches, Microsoft entering the threat monitoring game, a significant amount of community effort and all sorts of discussions.
1...2...3...go
A great entry over at OSVDB blog has an unintentionally good description of the problem with provenance.
http://osvdb.org/blog/?p=116
Wow, it seems Microsoft managed to get their MS06-015 cumulative IE patch rolled out with only a few compatibility problems with older HP, NVIDIA, Siebel and Kerio Firewall products. Pretty good given the non-security ActiveX change they bundled in there.
Oh, they also fixed that security vulnerability that was actively exploited in the wild since March 23rd. Now, given the lag time in patch deployment (current research suggests 19 days for internal machines), it should be just over a month that attackers have been able to wade through the average Windows box.
Can someone tell me why Microsoft decided that the best way to get a patch out as quickly as possible was to bundle a huge, non-security modification into it?