SysDig, In-Q-Tel, NextGen, & SIEM - Enterprise Security Weekly #137

Channel: Security Weekly - A CRA Resource
Published: 2019-05-15
4,630 words
Source: auto_caption
Intelligence Operations & Secrecy

Transcript

Prevention-based tools leave you blind to threats inside your network. By adding network traffic analysis to your SOC, you can find sophisticated attackers before they make their move. ExtraHop provides complete visibility at enterprise scale. Detect threats ninety-five percent faster with machine learning that helps Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/securityweekly to learn why the SANS Institute calls ExtraHop fast and amazingly thorough. That's extrahop.com/securityweekly.

Networks are becoming increasingly complex and fragmented, and digital transformation and DevOps are driving an explosion in network connectivity changes. With each new network connection, cyber attackers may gain another opening to breach or traverse the network. At Tufin, they've pioneered a policy-based approach to network security management using automation and analytics. As a result, you can make network changes in minutes instead of days, reliably and securely. To learn more about Tufin, the Security Policy Company, go to securityweekly.com/tufin and sign up for a free evaluation.

By the end of 2020, 99% of exploited vulnerabilities will be publicly disclosed and known to IT system admins. The consequence of that fact is that the burglar will already be in your house because you left the front door wide open by failing to patch known vulnerabilities. How can you keep the threat actors out? Through cloud-based automation. Automox enables you to slam the door on unpatched OS and third-party vulnerabilities across your entire Windows, Mac, and Linux infrastructure. Take advantage of a free trial with Automox to not only see the vulnerability status of your infrastructure but do something about it within minutes. Start automating the fundamentals of cyber hygiene at securityweekly.com/automox. That's securityweekly.com/automox.

Welcome back, everyone, to Enterprise Security Weekly. We are returning to Las Vegas this August for Black Hat and DEF CON. If you would like to request a briefing or a sponsored interview, or sponsor a show that we'll be recording: so for the first time in a long time, we're gonna be recording shows at a conference. It happens to be Black Hat. We have a suite that we've rented. We're going to be doing micro interviews, those roughly 10-minute interviews where you get to talk about the problems you solve for companies, and then we'll be doing shows. We're doing this show and Paul's Security Weekly, and slots are filling up fast. We've already sold probably nine or ten. Yeah, I think almost half of our slots are already... we're about half full already. And I mean, it's also an opportunity to come hang out with us at a suite at Black Hat, which, Lord knows, what was it? I'm sure that's a dangerous company. I'm sure we'll figure out how to have alcohol, cigars, and probably some munchie foods in the suite somehow. I think we'll figure it out. It's gonna be a lot of fun. You can go to securityweekly.com/booking and book your briefing and/or request an interview or sponsor a show. Let's see. Listeners that are overwhelmed with the content that we produce, we've heard you: go to securityweekly.com/subscribe, click the button to join the listener list, and we will send you information about things that you're interested in. Let's see, I'll do the other announcements in the next segment. Yes, let's talk about the news.

LogRhythm in the news: they've released the next version of their cloud-based next-gen SIEM platform. LogRhythm has had a solid product for some time now, and they just continue, I think, to keep pace with the trends. In the meeting we had where we spoke with LogRhythm today... they've been a great partner of Security Weekly. They're really all about, as are many vendors, the MITRE ATT&CK framework, and allowing you to detect what the MITRE ATT&CK framework is defining as attack techniques being used by attackers today. Yeah, I mean, LogRhythm has done a really good job of adding additional capabilities on top of what would be classified as a traditional SIEM. They've got endpoint capabilities; we did a webcast on file integrity monitoring, how we're gonna talk MITRE ATT&CK framework. They've integrated security operations automation functionality into the platform. Orchestration. Orchestration, yeah. So they've obviously moved a lot of those capabilities into the cloud, and what I like about this announcement is, look, it's difficult to manage on-prem environments, right? You've got to do server updates, you need more storage, right? And so moving into the cloud, which is what this announcement's about, is taking a lot of that maintenance aspect of your SIEM off the plate of your IT or security folks. It allows that better scalability up in the cloud environment where you don't have the operational folks to maintain it, and we have better tools for monitoring our controls and security posture over cloud. I think of Cloudneeti, right? Uh-huh. One of our other sponsors that was on Paul's Security Weekly, I think it was last week, two weeks ago. And you know, the tools that are available today, I think, make it much easier to adopt cloud technologies. The announcement talks about mean time to detect, MTTD, and mean time to respond, which I think are great metrics for measuring the effectiveness of your tools, in addition to the MITRE ATT&CK framework and all the things that Matt talked about, like moving to the cloud. And I can sense the hesitation. I get it, your data is going to be put into someone else's computer essentially; actually, not essentially, it is being on someone else's computer. But I think we have a much better processing toolset to be able to secure that accordingly in the cloud. Yeah, a couple things. One, look, it's not the core cloud environment, right? So obviously LogRhythm's got to put its own controls around protecting the data. But the quote out of here that I thought was most interesting for organizations that don't have the staff is, "Solution maintenance is never on my mind when using LogRhythm Cloud. It just runs," right? And a lot of people can't say that when they have it on-prem and they constantly have to worry about the maintenance of the servers and the storage and all that other stuff. That's the advantage of moving some of these capabilities into the cloud: operational ease, making it easy to use. Yep, it's good stuff.

Let's see. Ixia and Symantec provide security intelligence for hybrid networks. This was an interesting announcement. I think there's another one coming up here as well. You know, I'm... okay, yes, it allows some better integrations with the Symantec Security Analytics for threat detection and stuff. This is like, but marketing, yeah. It was, worth it, it's alright. Integration of Ixia's CloudLens with Symantec Security Analytics threat detection and forensics platform allows Symantec customers to gain real-time, they check that box, real-time visibility into their hybrid cloud environments. So I have no idea what that means. Yes. The next sentence says Symantec Security Analytics can be found at Oracle Cloud Marketplace. So I'm not quite sure where all those clouds and what real-time and visibility into what, into Oracle? I'd... okay, I don't know. There's another one later, I think, with Symantec in it that I was just... it's an interesting head-scratcher. But look, everybody's trying to figure out how to integrate and deal with multi-hybrid cloud environments. People are gonna pick different pieces. How many people are actually using Symantec Security Analytics? I mean, the Riptech side of the house, from an MSSP, probably is, sure. I don't know how many other Symantec customers are using this because they're primarily using them for SEP. Yeah, okay. But one of the reasons why I chose this article was when you have security solutions providers partnering with companies like Ixia and Gigamon, that's really cool. Now, if I could remember who the other players are in that space, because I think, quite frankly, the feedback I've gotten is Ixia and Gigamon, great technologies, the cost might make you a little nauseous, right? I mean, they're enterprise-grade-level things. Now, what we established on the first article was we're making the transformation to cloud and adoption of cloud easier, better monitoring tools. Now I think people who aren't Fortune 50 companies can now actually have this problem of how do I gain visibility into it, how do I collect flow data, how do I, you know, manage it, and that kind of thing. Sure. Ixia and Gigamon can help; there's other options out there as well. Yeah, I want to say it in a briefing, but we're not doing a briefing summary on this show, maybe next week. So maybe... oh yeah, I'll be here next week, I'll be back from Barcelona. So anyway, that's why I added it, but again, this is kind of just fluffy. We don't have many of the details kind of thing. Yes, high level.

This next one's interesting. Avast PLC debuts Omni, a new approach to digital security. But when you dig into the article, Avast is one of those companies I track on Business Security Weekly as potential, publicly traded, but they don't hit my market cap guidelines. This is all about home stuff. This is home network protection, this is on-the-go security, parental controls. Okay, for the home users, probably a great announcement, right? But from an enterprise perspective, I just don't see people deploying Avast as their antivirus. They're using McAfee, they're using Symantec, they might be using Sophos. And so this is great for the home users. My biggest challenge with some of these capabilities is how many people are using, who, what are they using at home, how do these tie in to help them protect them? Most people today at home, and I'm sure this is what Avast and others are struggling with, most people at home are using an iPad or some kind of tablet or some kind of Chromebook because they're low-cost options that allow them to accomplish the goal of, I need to go browse the web and check some email, just some social media. Like, what? The more advanced users still have home PCs perhaps, as a general statement, but largely I think the home security is more about protecting your IoT devices in addition to your tablets and Chromebook-style devices, which largely people don't really think about. I think we've lost that connection to the endpoint antivirus industry and solution. When you're on your phone you're like, well, I don't need to worry about that anymore. Well, in fact you do, right? And there's a gap there that I think in people's brains has been disconnected. Yeah, plus a lot of the ISPs offer bundled solutions, McAfee and Symantec, in the ISP offering, so it's really easy for a home user to download one of those two based on what your ISP is, right? Put the base antivirus in there. There's all their features that both McAfee and, on the Norton side, Symantec have added, right? They've added additional capabilities, but it's bundled into my ISP service. Now, I'm CenturyLink; if I wanted to download, I think it's McAfee, I could be wrong, but I have it, but I'm a Mac guy, so all of my computers were... so, folks at home.

But Atos launches a new unified cloud identity and access management solution for ultimate, ultimate, ultimate security. So I had to take a double take, because I know Atos more for their managed service offerings, yeah, and I didn't realize that Atos actually builds a lot of products as well, and I think some of those products are used to provide their managed service offerings. But I've always known Atos, at least in the U.S., as more of a service provider, not necessarily... no, they have identity and access management, right? It's the cool thing to do. It is the cool... everyone wants to have some kind of identity and access management just so they can say, I have identity and access. Yeah, I mean, this was one of the things we talked about on BSW, I think last week, kind of my recap on the Global Cyber Innovation Summit in Baltimore. One of the areas we didn't talk about was identity, which Bob and the others have received my feedback on: this market has gotten super crazy. You've got new players coming in doing identity and access management, then you've got layers of additional capabilities from multi-factor authentication, privileged access management, etc., etc., etc. I am a big believer identity is one of the big security issues of our time that has to be addressed, and something that we own regardless of where our infrastructure runs, along with apps and data. And so, yeah, you're gonna see a lot of identity announcements. This is some centralization for these capabilities, but look, we still have the root problem: we know username/passwords are not strong enough. We've added additional capabilities for multi-factor authentication, then we've added privileged access management on top. These solutions are really complex to manage, and I think people are trying to figure out a better way to do it. But I don't know how this cloud solution's going to go up against an Okta or a Ping or a SailPoint or any of the other, you know, how many identity and access management players are out there.

Well, Ping Identity could be considered one of them. Mm-hm. But they're talking about zero trust and API security. Yes, which was really strange. I'm confused. I'm confused, right? Because I, you know, I had to go to the website. Like, yeah, look, I think Ping is an identity play. Now I think their pitch on API security is from the authentication perspective, because they're an authentication provider. Sure. Okay, one aspect of API security, but generically API security is way more complex than just authentication. Yeah, it is. A P1? Yes. But right, and so the article, when you first read it, you're scratching your head: API security, Ping? Oh, it's the authentication piece, and I guess zero trust could play into it as well. Well, zero trust is one of the new buzzwords. It is. We've seen a lot of that around, where you can't trust anyone or your environment; zero trust networking, etc., etc. So again, a little buzzword bingo here, but authentication of APIs is a critical component; it's not the only component for API security. So it'd be interesting. This was more of, hey, we're gonna talk about it on a roadshow, versus understanding what are they doing specifically. So it was a little hard to extract that out. I did go to the website and checked on a couple things; that's why I went, ah, authentication of APIs.

Device Authority innovates KeyScaler with Microsoft Azure IoT Hub Device Provisioning Service and Docker support. A lot of technology mentions in there; I won't necessarily say buzzwords, but yeah, this is really focused on IoT devices. So again, I didn't know Device Authority, so I had to go to the website and go, okay, what does Device Authority do? Ah, IoT devices. Okay, so now you put that in context with IoT and cloud, and in some aspects Microsoft's been doing some interesting stuff on supporting IoT devices. Looks like this partnership is trying to improve aspects of that, but it's a really limited scope, I think, you know, in where the market is right now. It's a slow adoption. Microsoft has a lot of great frameworks and services for those that are producing IoT devices and/or providing the security of IoT devices. In fact, you may have seen this week that Cisco had some pretty serious vulnerabilities that actually allow you to bypass their trusted computing, that's the wrong term, but they have a trusted platform basically that says the firmware running on this device is the actual firmware from Cisco and hasn't been tampered with. There's a way around that. I think that, I hope that frameworks like from Microsoft become more of a staple and don't have these vulnerabilities, because don't forget, IoT is not just about, like, I've got this device and I'm gonna, you know, sell it to people. It's a whole ecosystem: how do you update the firmware, how do you manage it, what does the mobile app talk to, go talk to the cloud, right? There's a whole ecosystem. There are some great new frameworks for implementing it more securely, but again, those have been proven that they too can have vulnerabilities. So I don't know, just when I think I'm out, they pull me back in. Yes. Or you think we have security that can be achieved in IoT, you know, the dark side, like, oh, it's all... or just when we think we know, how is Azure gonna make a difference in the market? Now you get the side thing on the IoT side, right, because they were calling it Azure Sphere before; now they're calling it... now there's an Azure IoT Device Provisioning Service, which, the way I understood it, was something that Azure Sphere was providing. I don't know if they changed names or have multiple services under the umbrella, and the name of the... anyway, Umbrella's a Cisco thing, but in any case. Yeah, yeah, don't mix those. Yes, now everyone's really confused, and that's the opposite of why we do these shows. Too many people, not completely, yeah.

Alright, ExtraHop is announcing a new partner program, a new Panorama partner program. What is Panorama? It's just expanding its global channel program to work with global resellers, distributors, managed services, and integration partners with deep domain expertise in security. I mean, any vendor who's not trying to figure out how to optimize the channel is silly, foolish. So obviously you want to take your technology that you've built, it's got great customer adoption, figure out how to leverage the channel and augment your sales force, get out of people and their overhead, and get it sold. So it makes a lot of sense. Double-edged sword from the consumer, and by consumer I mean not like the consumer consumer but the enterprise consumer side, right? If you go to a reseller, they may try and sell you a package of security technologies. In this case, are they tightly coupled together? Are they not? Do they all work? You don't know. A lot of times the devil in the details of resellers is this is the package that makes them the most money. Yeah. Not necessarily choosing technologies that can best solve your problem; they're choosing technologies that they have the highest markup on and packaging it together and saying you should use this for your security. So buyer beware when you do this. However, ExtraHop is a sponsor of ours. We've worked very closely with them. They have some of the smartest people that we know. I mean, Corey Boston is one of my favorite people to work with; he's an ExtraHop... Matt, I can't remember his last name, we did the webcast with him. He's awesome. ExtraHop is great technology; we've seen the demo, it's distributed and scales, I think. But the reseller could put something that maybe Matt and I say, and you know, John Strand alike, that's not ready for primetime yet, maybe, and bundle it together. So you have to be careful of that. It doesn't... that happens all the time. You could find a reseller that does, yeah, do a really good job of integrating; maybe there's integration services or whatever. Yeah, in the U.S., I think your point's pretty valid around how they build these packages. When you get overseas, what you have to realize is that resellers are a big part of how product gets moved into markets like EMEA and APAC. Okay. A reseller/distributor base, they have the relationships, and therefore if you want to tap into the European market or you want to tap into the Asia-Pacific, you are so remote you have got to go down this path. It's just too hard sometimes to do it direct on your own because of the way the relationships are in those other environments. You have big resellers in the U.S. that have a lot of strategic relationships; they also help you strategically get your products placed. But there's more flexibility in the U.S. than there is sometimes in Europe and Asia, where it's just that if you're gonna do business in those regions, you have to go down this path.

Are you familiar with HyTrust? A little bit. Yeah, I mean, I know HyTrust from my earlier days, but they've made some shifts, and this was the thing I had to go research, because I don't recognize them for cloud control and the ability to do this kind of hybrid cloud stuff, right? That looks like an evolution of what HyTrust has been doing, and when you go out and look at them now, they're really a cloud workload protection platform. They've kind of evolved themselves into a CWPP, and this announcement is adding additional support beyond VMware and NSX to support AWS, cloud, Kubernetes, which is where cloud workload platforms are going, right? I mean, people are hybridizing; they are deploying workloads in the cloud, and so HyTrust is now adding additional capabilities to manage that. How good they are as a CWPP, I don't know. We know a lot of others; we've talked to Capsule8 and we know a ton of others in this space. I did not put HyTrust in that category, so that's why when I saw the announcement I had to go back to the HyTrust website and go, oh yeah, they've made that shift, which I didn't instinctively know, which was the interesting part for me, which means, marketing, we have to communicate at some point. Yeah, right. Because it's interesting: workload visibility is a very, very broad term. What it actually means in this context, I don't know, but it sounds like, I mean, they talked about VMware vSphere, AWS, and Kubernetes, and a single user interface and an API, DevSecOps. They've got all the buzzwords in there, but how are they playing in this space? Yeah, and how do they line up to the other solutions that are already out there, that are plentiful? Plentiful, yeah, and there's a lot of functionality in all those other solutions, is worrying, yeah.

Sysdig and In-Q-Tel have formed a partnership to provide government agencies with Sysdig's cloud-native VSP, visibility and security platform. Sysdig is also a sponsor. They are. I'm actually... in the same space that we were just... similar space, we're just all similar. I think their focus is more on container monitoring and security, not necessarily the entire workload stack from a CWPP perspective. There's some differentiation when you look at the different components in there in the container space, right? You have some that are trying to protect the underlying infrastructure and some that are more focused on the container side. Yeah, where Sysdig fits into the model is more on the container monitoring, visibility, and security side, runtime protection capabilities. I think this is a great announcement, right? It might be a little early as the federal space now starts to figure out how to go through digital transformation. Yeah, right. You've got big monolithic applications in the federal government space; they want to be able to leverage these new technologies, deploy to cloud. How far they are in the evolution is yet to be seen, but the announcement and the partnership here make a lot of sense, because as the government starts to revamp these applications and they move to containerization, having the relationship with In-Q-Tel allows Sysdig to get some entries into the federal space as part of that core architecture, as part of that redesign. That's a really good thing for anybody that's thinking about how do I get into the federal space. In-Q-Tel obviously is one of those firms that can help you do that, because there's a lot of potential business there through this. We need like a matrix application that, like, asks you a series of questions and then recommends what security technologies you might need. Like, are you deploying applications in containers? Where do your containers live? Are you doing it on servers, in the cloud service? Using Kubernetes? Using Swarm? Kind of applications, yeah, exactly. And then says, okay, these are the vendors that you should consider that are stronger in these areas. Because conceivably we can say we're making the cloud, you know, digital transformation, but what does that mean? There's like a million different ways to develop and deploy an application today. Yeah. And it's all different, and all of it, the path that you take is gonna require different security technologies, or if you've got a couple of different paths, we're just almost feral, right? Like you may have one group that's deploying and implementing this way and another group that's slightly different. Can you find one security vendor to cover larger aspects of your security program? What I like about Sysdig, and one of the reasons they're a sponsor, and the reason I'm going to Barcelona next week is for their co-located event, is they approach the container security problem a little differently than the core container security companies. Look, I worked for Layered Insight for months; it's part of that company. We really focused on the security side of the equation, more runtime and static. But Sysdig went after container monitoring, yep, first, and then built security capabilities to bring the two together, because their approach was, look, I have to have visibility into the container and what the container's doing before I can protect the container. And so when you look at the traditional container security companies, they're positioned uniquely because they have the monitoring stuff that would traditionally be a New Relic or, what's the company that Cisco bought, AppDynamics, or... a lot of folks might not have heard of, which is the application performance monitoring space. Yes. They started there and then moved, took that capability, then wrapped security features around that, and now have both the monitoring and the security aspects of that. Whereas most container security, you can go over, just, right, your Aqua, your Twistlock, StackRox, they're very security focused. Yes, gotcha. Did we skip one, or is that all of them? No, that is all of them, and now we need to take a short break and come back and answer the question: is there such a thing as an enterprise open-source firewall? Maybe. We'll see. Stay tuned.