Sunday, October 6, 2019

Fundamental Cyber Security Product Management Misses

The common themes throughout the vendor areas of major cyber security conferences are always interesting. 

The themes at the two big cyber conferences I attended in 2019 seemed to cluster around the following:

“Machine learning.”

“No false positives.”

If you believed the marketing, you’d think that such advanced tools had made cyber security breaches a thing of the past. They haven’t. And yet, at the same time, there don’t seem to be tools that do the things that look most obviously necessary to real security practitioners.

Something seems broken in the way the cyber security industry “product manages” its offerings. Some of the obvious basics get missed.

The hard conversation point here, of course, is that industry-wide vendor product management misses in use cases translate to blue team misses in cyber detection, resiliency, and response. 

I have an entire list but I’ll blog this single example. 

ASNs are groups of IP address blocks at the ISP or large-organization level. Sizable companies tend to have their own. There are ASNs that are compromised, knowingly or unknowingly, at the ASN level rather than at the level of individual IP addresses.

At the two huge cyber security conferences I attended, there didn’t seem to be any vendors that sell products that can block or alert on connections at the ASN level. The only choices are at the IP level or the country level. I confirmed this with every seemingly applicable vendor at both shows.

Yet malware actors operate at the ASN level, doing things like IP hopping. We know that there are ASNs from which a high percentage of malicious traffic originates. Remote connection anomalies are almost always more obvious at the ASN level, since companies tend to make regular remote connections to the same ASNs (other companies or websites). Multinational companies do business in ways that make geo-blocking at the country level impractical.

There is a lot of sound, fundamental rationale for control at the ASN level, and no vendor seems to offer it. I had to write ASN-level alerting in a security tool that I coded myself in 2016. If I could do it and keep it updated for two years with my limited resources, you’d think that the big players could trivially do the same.
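As an added illustration of the ASN-level alerting argued for above (this is example code written for this post, not the author’s 2016 tool or any vendor’s product; the prefix-to-ASN table, the private-range ASNs, and the connection log lines are all constructed), the following maps each outbound destination to its ASN by longest-prefix match, collapses IP hopping onto one ASN, and raises alerts for unknown, denied, and never-before-seen ASNs:

```python
import ipaddress
# Constructed prefix-to-ASN table standing in for a real BGP/RIR feed (documentation prefixes, private ASNs 64496-64511).
PREFIX_TABLE = {
    "198.51.100.0/24": 64496,
    "203.0.113.0/24": 64497,
    "203.0.113.128/25": 64498,  # more specific than the /24 above
    "192.0.2.0/24": 64499,
}

# Constructed outbound connection log: "<src> <dst> <dport>"
SAMPLE_LOG = [
    "10.0.0.5 198.51.100.7 443",
    "10.0.0.6 203.0.113.10 443",
    "10.0.0.7 203.0.113.200 443",
    "10.0.0.8 192.0.2.33 22",
    "10.0.0.8 192.0.2.77 22",   # same ASN, different IP ("IP hopping")
    "10.0.0.9 100.64.1.1 53",
]

def build_table(table=PREFIX_TABLE):
    # Most-specific prefixes first, so the first hit is the longest-prefix match.
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)

def lookup_asn(ip, nets):
    addr = ipaddress.ip_address(ip)
    for net, asn in nets:
        if addr in net:
            return asn
    return None  # not covered by the table

def connections_by_asn(log_lines, nets):
    by_asn = {}  # ASN -> set of destination IPs; IP hopping inside one ASN shows up here
    for line in log_lines:
        dst = line.split()[1]
        by_asn.setdefault(lookup_asn(dst, nets), set()).add(dst)
    return by_asn

def asn_alerts(log_lines, nets, baseline_asns, denied_asns):
    alerts = []  # baseline_asns: ASNs this organization routinely talks to; denied_asns: blocked ASNs
    for line in log_lines:
        dst = line.split()[1]
        asn = lookup_asn(dst, nets)
        if asn is None:
            alerts.append((dst, asn, "unknown-asn"))
        elif asn in denied_asns:
            alerts.append((dst, asn, "denied-asn"))
        elif asn not in baseline_asns:
            alerts.append((dst, asn, "new-asn"))
    return alerts
```

Note that 203.0.113.200 is attributed to the /25 (ASN 64498) rather than the enclosing /24, so a baseline built on the /24's ASN still flags it; without longest-prefix matching that connection would look routine.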

Lots of thought and resources have gone into the advanced functionality that’s driving this year’s marketing hype. Despite all of that thinking, those who defend organizations from cyber threats are still missing many basic capabilities for dealing with advanced threats. This may be one of many reasons why the number of companies getting regularly breached continues to grow.

Details and fundamentals matter in security.

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.
