Three Wow Moments at Security Field Day #5
This year I participated in Security Field Day #5 as a delegate #XFD5. This meant that not only did I watch major industry vendors present on how they are innovating and solving problems in the security industry, I also was a part of a small 13-person team of IT professionals that could interact and ask questions live!
Like many people in the security industry, I specialize in specific areas. My specialties include wireless security and analyzing network security protocols. However, there are some aspects of security that I know little about.
I found attending Security Field Day to be both informative and educational: an opportunity to hear about advances that I might otherwise not get exposure to. This blog is about what surprised and delighted me from the different vendor sessions at Security Field Day #5.
HashiCorp
Let’s start with HashiCorp and their approach to Zero Trust Security. The concept is to trust nothing and to “authenticate and authorize everything”. They achieve this with identity-driven controls between humans, machines, and applications.
Many folks will be familiar with their Vault product that is used to secure secrets, such as passwords and certificates.
HashiCorp described their Consul product as a shared service registry in which services, too, carry identities. This allows services to authenticate one another before they talk, and it also automates service discovery.
I thought the automatic discovery of services was a wow moment for me. I am clearly not alone, as Chris Kent, Director of Marketing at HashiCorp, said they are doing “a million demos” of Consul a month.
Juniper Networks
It has been two years since Juniper Networks acquired Mist Systems. The expectation was that Juniper would extend Mist’s AI technology, originally used to manage WLAN operations, to provide end-to-end network operations in an enterprise. This is happening: Juniper is extending Mist AI from the WLAN to the WAN through Juniper’s switching products and their SRX firewall.
A year ago Juniper announced the coupling of risk profiling with threat intelligence. To do this they pair Juniper ATP Cloud with Mist AI operations, which provides “actionable” insights. Krystle Portocarrero, a product manager at Juniper, described ATP as the sensors that detect what is happening, and Mist AI as the intelligence that triggers an action to address a security issue.
In Krystle’s demo at Security Field Day #5, she showed what happens when the firewall’s machine learning identifies a host as infected. When this happens, the host is moved into the infected host phase, and the threat information is sent to Mist AI.
The picture below shows the threat information populated in Mist. In this example, you can see in Mist that an iPad has been infected with a trojan. The ATP tools evaluate and provide risk assessments, which feeds into any decision on the action to take.
From Mist, the network administrator has the ability to ban the device from the network; in other words, to stop it from associating with the Access Point and obtaining an IP address. This stops the device from spreading the threat to other parts of the network, though of course it does not clean the device itself.
Krystle explained that the advantage of this is that “this enables all the information to be in one place”. I agree, and it was my second wow moment at Security Field Day #5.
Kemp
Security Field Day was also an opportunity to hear from Kemp following their recent acquisition of Flowmon Networks.
Monitoring network traffic gives an organization a perspective on both the volume of traffic on the network and how that traffic flows across it. With an understanding of the expected performance and behavior of the network, it becomes feasible to detect anomalies. This is the enabling concept behind Kemp’s Flowmon solution.
At the heart of the Flowmon solution are their behavior analysis algorithms. Pavel Minarik, CTO at Kemp, explained the difference between statistical analysis and behavior analysis. Statistical analysis applies volume-based metrics, whereas behavior analysis looks for a specific set of flow characteristics in the traffic. This means that you do not need to see a large volume of attempts to trigger a detection: a handful of flows with the right combination of characteristics is enough.
The picture below shows an example of multiple flows that were analyzed, and collectively triggered an alert.
When a critical abnormality is detected, Flowmon automatically starts a packet capture. On its own, that capture only contains what happens after the trigger. To address this, Flowmon keeps about 15 to 30 packets in the memory of each probe; coupled with the flow record, this lets a network analyst go back in time to the moments before the alert. But this was not my wow moment!
My third wow moment was when my fellow delegate, Dominik Pickhardt, asked how long Flowmon can store the captured metadata and packet information. Normally Flowmon customers store raw flow data without any aggregation for months. This provides the ability to look back in time and analyze the stored network information against an indicator of compromise that was unknown when the traffic was recorded. The ability to look back and determine if you have been compromised has to be an enormous advantage.
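To make the two Flowmon points above concrete, here is an added example in Python (written for this post, not Flowmon’s own code or algorithm). It builds a small set of constructed flow records and shows, first, why a volume threshold misses a five-flow horizontal scan that a behaviour rule (one source, one port, SYN-only flows to several distinct hosts inside a short window) catches, and second, how retained raw flows can be re-searched months later against an indicator of compromise learned only today. Field names, thresholds, the fixed “current time” and all addresses are assumptions made for the example.

```python
"""Flow-based behaviour analysis versus a volume threshold, plus a
retrospective IoC search over retained raw flows.

Illustrative code written for this post; not Flowmon's algorithm.
Field names, thresholds and all flow records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow start time
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    pkts: int
    octets: int
    flags: str        # TCP flags seen in the flow, e.g. "S" or "SA"


# Assumed "current time" so the example is deterministic.
NOW = datetime(2021, 4, 7, 12, 0, 0)


def _f(minutes_ago, src, dst, dport, pkts, octets, flags="SA", proto="tcp", sport=40000):
    return Flow(NOW - timedelta(minutes=minutes_ago), src, dst, proto, sport,
                dport, pkts, octets, flags)


# Constructed records: hourly HTTPS sessions from one workstation, a small
# horizontal scan by another, and one old session to an address that is
# only later added to a blocklist.
FLOWS = [
    *[_f(60 * i, "10.0.0.5", "93.184.216.34", 443, 40, 52000) for i in range(1, 61)],
    _f(3, "10.0.0.9", "10.0.1.10", 445, 1, 60, "S"),   # SYN-only probes, 5 targets
    _f(3, "10.0.0.9", "10.0.1.11", 445, 1, 60, "S"),
    _f(3, "10.0.0.9", "10.0.1.12", 445, 1, 60, "S"),
    _f(2, "10.0.0.9", "10.0.1.13", 445, 1, 60, "S"),
    _f(2, "10.0.0.9", "10.0.1.14", 445, 1, 60, "S"),
    _f(45 * 24 * 60, "10.0.0.7", "203.0.113.77", 8443, 120, 9800),  # 45 days ago
]


def statistical_alerts(flows, window_s=300, threshold=1000):
    """Volume rule: flag a source that starts >= threshold flows in one
    window. A five-flow scan never gets near the threshold, so it is missed."""
    buckets = defaultdict(int)
    for fl in flows:
        buckets[(fl.src, int(fl.ts.timestamp() // window_s))] += 1
    return sorted({src for (src, _), n in buckets.items() if n >= threshold})


def behaviour_alerts(flows, window_s=60, min_targets=5, max_pkts=2):
    """Behaviour rule for a horizontal scan: one source, one destination
    port, SYN-only flows of at most max_pkts packets, reaching min_targets
    distinct hosts within window_s seconds. The pattern fires, not the volume."""
    groups = defaultdict(list)
    for fl in flows:
        if fl.proto == "tcp" and fl.flags == "S" and fl.pkts <= max_pkts:
            groups[(fl.src, fl.dport)].append(fl)
    alerts = []
    for (src, dport), fls in groups.items():
        fls.sort(key=lambda x: x.ts)
        for i, first in enumerate(fls):          # sliding window over candidates
            in_win = [x for x in fls[i:] if (x.ts - first.ts).total_seconds() <= window_s]
            targets = {x.dst for x in in_win}
            if len(targets) >= min_targets:
                alerts.append({"src": src, "dport": dport,
                               "targets": sorted(targets), "flows": len(in_win)})
                break
    return alerts


def retrospective_search(flows, ioc_addresses, retention_days=90):
    """Re-check retained raw flows against an IoC learned today. Anything
    older than the retention window is simply gone, which is the point of
    keeping unaggregated flow data for months."""
    cutoff = NOW - timedelta(days=retention_days)
    return [fl for fl in flows
            if fl.ts >= cutoff and (fl.src in ioc_addresses or fl.dst in ioc_addresses)]


if __name__ == "__main__":
    print("statistical:", statistical_alerts(FLOWS))
    print("behaviour:  ", behaviour_alerts(FLOWS))
    print("retro 90d:  ", retrospective_search(FLOWS, {"203.0.113.77"}))
    print("retro 30d:  ", retrospective_search(FLOWS, {"203.0.113.77"}, retention_days=30))
```

With these records the volume rule returns nothing, the behaviour rule flags 10.0.0.9 scanning TCP/445 on five flows, and the 45-day-old session to 203.0.113.77 is found only if raw flows are retained for longer than 45 days.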
I hope you enjoyed my wow moments, and it has inspired you to join the next Security Field Day event.