The common themes throughout the vendor areas of major cyber security conferences are always interesting. This year's themes at the two big cyber conferences that I attended in 2019 seemed to be clustered around the following:
“Machine learning.”
“AI.”
“No false positives.”
If you believed the marketing, you'd think that such advanced tools had made cyber security breaches a thing of the past. They haven't. And yet, at the same time, there don't seem to be tools that do what real security practitioners consider the most obvious of obvious things.
Something seems broken in the way that the cyber security industry “product manages” its offerings. Vendors seem to miss some of the obvious basics.
The hard conversation point here, of course, is that industry-wide vendor product management misses in use cases translate to blue team misses in cyber detection, resiliency, and response.
I have an entire list but I’ll blog this single example.
ASNs (autonomous system numbers) identify groups of IP address ranges at the ISP or large-organization level. Sizable companies tend to have their own. There are ASN blocks that are compromised, either knowingly or unknowingly, at the ASN level.
At the two huge cyber security conferences I attended, there didn't seem to be any vendors that sell products that can block or alert on connections at the ASN level. The only choices are at the IP level or the country level. I confirmed this with every seemingly applicable vendor at both shows.
Yet malware actors operate at the ASN level, doing things like IP hopping. We know that there are ASNs from which a high percentage of malicious traffic originates. Remote connection anomalies are almost always more obvious at the ASN level, since companies tend to make regular remote connections to the same ASNs (other companies or websites). Multi-national companies do business in ways that make geo-blocking at the country level impractical.
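To make the ASN-level argument concrete, here is an added example (not code from the post or from the author's 2016 tool) of the kind of alerting described above: destination IPs are mapped to ASNs by longest-prefix match, a baseline of ASNs the organization normally talks to is learned from past connections, and each new connection is flagged if it lands in a blocked ASN, an ASN outside the baseline, or no known prefix at all. The prefix table, ASNs and connection records are constructed for the example; a real deployment would load the table from BGP routing data.

```python
import ipaddress

# Constructed prefix-to-ASN table for this example; a real tool would load
# it from BGP routing data or RIR delegations. ASNs/prefixes are illustrative.
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64500,   # hypothetical partner company
    "203.0.113.0/24": 64501,    # hypothetical SaaS provider
    "192.0.2.0/25": 64502,      # hypothetical ASN with a history of abuse
    "192.0.2.128/25": 64502,    # second prefix announced by the same ASN
    "198.18.0.0/15": 64503,     # hypothetical ASN never seen before
}

def asn_for_ip(ip, table=PREFIX_TO_ASN):
    """Longest-prefix match of ip against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def baseline_asns(connections):
    """ASNs the organization connects to regularly, learned from past logs."""
    return {a for a in (asn_for_ip(c["dst"]) for c in connections) if a is not None}

def asn_alerts(connections, baseline, blocked):
    """Alert per connection at the ASN level: a blocked ASN, an ASN not in the
    baseline, or a destination no known prefix covers. Hopping between IPs
    inside one ASN changes nothing here, which is the point of matching on ASN."""
    alerts = []
    for c in connections:
        asn = asn_for_ip(c["dst"])
        if asn is None:
            alerts.append((c["dst"], None, "unknown-asn"))
        elif asn in blocked:
            alerts.append((c["dst"], asn, "blocked-asn"))
        elif asn not in baseline:
            alerts.append((c["dst"], asn, "new-asn"))
    return alerts

# Constructed connection records (only the destination matters here).
HISTORY = [{"dst": "198.51.100.10"}, {"dst": "198.51.100.12"}, {"dst": "203.0.113.7"}]
TODAY = [{"dst": "198.51.100.99"}, {"dst": "192.0.2.20"}, {"dst": "192.0.2.200"},
         {"dst": "198.18.5.5"}, {"dst": "100.64.0.1"}]
BLOCKED_ASNS = {64502}

if __name__ == "__main__":
    for alert in asn_alerts(TODAY, baseline_asns(HISTORY), BLOCKED_ASNS):
        print(alert)
```

Note that 198.51.100.99 is a never-before-seen IP but raises nothing, because its ASN is in the baseline, while the two different 192.0.2.x addresses both trip the same blocked-ASN rule.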
There is a lot of sound fundamental rationale for control at the ASN level, and no vendors seem to have it. I had to write ASN-level alerting into a security tool that I coded myself in 2016. If I could do it and keep it updated for two years with my limited resources, you'd think that the big players could trivially do the same.
Lots of thought and resources have gone into the advanced functionality that's driving this year's marketing hype. Despite all of the thinking, those that defend organizations from cyber threats are still missing many basic capabilities for dealing with advanced threats. This may be one of many factors why the number of companies getting regularly breached continues to grow.
Details and fundamentals matter in security.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.