Ask HN: Cyber Security folks – what are your biggest pain points?
36 by cookiengineer | 36 comments on Hacker News.
I'm building a startup which focuses on automated cyber defense and tries to build products which can adapt to changing situations in the network landscape as well as network behaviours or process behaviours (EDR/XDR/whatever BS term). In my case I'm building everything from the ground up, and the MVP is trying to start with a better inventory of everything; whereas the inventory focuses on the network scale rather than the "per single machine scale" that other solutions offer (if they even offer anything like it, which in practice they actually don't for the most part).

My journey started with log4j's log4shell 1/2, after realizing that most blue teams (mine included) don't actually have a full, reliable and correctly indexed inventory. If you ask around in other blue teams something simple like "How many machines have you got?" you'll always get responses like "well, one software says 30.000, the other one 24.000 and our SNMP sensors say around 38.000..." which is kinda ridiculous to start with. If you then ask whether or not they use log4j in any of their software they either shrug or say "nope" in a panicking voice, because they don't really know for sure.

Anyways, my solution currently is a peer-to-peer approach where the systems themselves decide to mitigate issues, propagate patches (or even vaccines for zero-days) and also share incidents that look suspicious, so the surrounding nodes can start to quarantine themselves off, for example, when something really bad happened. For this to be a reliable product I decided to ditch the whole Windows "hooks are kinda useless" shitshow, and went for Linux/BSD/Unixes in general first, while leveraging a mixture of golang for userspace and eBPF for kernelspace.

But I wouldn't be a good founder if I ignored my customers, right? So my questions are now somewhat to all the cyber security professionals out there:

- What are your biggest pain points? Do you use yet another Elastic Search dashboard that's painful to use in practice?
- Do you have a reliable software inventory / SBOM?
- Do you have a reliable network inventory / NBOM / SaaSBOM?
- Do you have an SBOM for all third-party software that's only available via binaries, where you don't have the source code available?
- Does your anti-virus / EDR solution still require signatures or is it behaviour driven?
- What about golang malware (aka malware that doesn't need to call hooked APIs in the kernel and can instead just use something like purego to generate shellcode directly)?
- How confident are you that your CVE/NVD vulnerability database is correctly tagged? (hint: I think it's not reliable for more than 80% of entries)
- Do you use Linux in your infrastructure? If so, which distributions?