DeepSec 2019 Talk: Security Analytics and Zero Trust – How Do We Tackle That? – Holger Arends
For many years we’ve all been in an arms race, fighting daily against new malware varieties and new attack techniques that malicious actors use to fool us and compromise our systems. Many of us rely on state-of-the-art safeguards and have invested tremendous amounts in defending our systems and networks, yet even so, important data is still leaked and important systems are still compromised.
Firewalls, IDS, IPS or SIEM systems are often unable to prevent or detect attacks. The questions “why?” and “how?” are raised again and again: how is it possible that these attacks stay undetected for long periods of time, considering the significant investments in cyber security? And so it seems obvious to say that with the introduction of IoT devices and unmanaged BYOD, combined with legacy systems and end-to-end encryption, the future will be a difficult place in which to stay safe and secure.
In late 2017, we asked ourselves the following questions. Is it possible to defend our networks and systems by relying mainly on traffic-related analytics and the prevention built on top of them? Are we able to achieve knowledge and certainty about endpoints and their associated technologies? Furthermore, does this allow us to distinguish attacks and/or malicious activities from benign activities, even on encrypted channels? We also explored whether it is possible for a Telco / Enterprise to integrate such analytics, considering high traffic throughput, into traditional security defences. These questions were and are our motivation for running the project over the last 2 years, and we would like to share our insights here at DeepSec 2019.
In our talk, we will brief you about our lessons learned, and discuss
- Which technologies and practices work well in combination, and where it makes sense to introduce log-less and agent-less security analytics
- How it looks to combine deep protocol analytics, big data, polyglot persistence and machine learning and what challenges we faced
- How well the detection and mapping of technologies works on different protocol layers and encrypted sessions
- What interesting insights we gained about attackers, their tools, tactics and how they utilised infrastructure for their attacks
- How often a simple handshake reveals the nature of the data stream that follows it
- What kind of defensive capabilities and safeguard improvements / tunings can be achieved
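The last two bullets above, detection on encrypted sessions and the amount a handshake gives away, can be made concrete with a small parser. The following is an added example, not code from the talk or from Telstra: it constructs a sample TLS ClientHello record (the bytes are built in the block itself, nothing is captured from a real network), parses the fields that are visible in cleartext before any encryption starts (offered cipher suites, extension types, SNI, ALPN, supported_versions), derives a JA3-style fingerprint string (version, cipher list and extension list, without the JA3 curve fields and hash), and applies a simple heuristic label. The builder, the heuristic labels in `classify` and the field subset chosen are assumptions made for this example; they are not the project's classifier.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SNI, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0, 16, 43


@dataclass
class HelloSummary:
    """Cleartext handshake metadata a passive, agent-less sensor can read."""
    version: int
    cipher_suites: List[int]
    extensions: List[int]
    sni: Optional[str] = None
    alpn: List[str] = field(default_factory=list)
    supported_versions: List[int] = field(default_factory=list)


def build_client_hello(sni, ciphers, alpn, versions):
    """Construct a sample ClientHello record (constructed test input, not captured traffic)."""
    exts = []
    if sni is not None:                      # SNI: list length, name type 0, name length, name
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts.append((EXT_SNI, struct.pack("!H", len(entry)) + entry))
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    exts.append((EXT_ALPN, struct.pack("!H", len(alpn_list)) + alpn_list))
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    exts.append((EXT_SUPPORTED_VERSIONS, bytes([len(ver_list)]) + ver_list))
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (struct.pack("!H", 0x0303) + bytes(32)          # legacy version + zeroed random (constructed)
            + b"\x00"                                       # empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record and handshake headers and pull out the fields sent in the clear."""
    if len(record) < 9 or record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a TLS ClientHello record")
    p = 9
    version = struct.unpack_from("!H", record, p)[0]; p += 2 + 32      # skip 32-byte random
    p += 1 + record[p]                                                  # session id
    cs_len = struct.unpack_from("!H", record, p)[0]; p += 2
    ciphers = [struct.unpack_from("!H", record, p + i)[0] for i in range(0, cs_len, 2)]; p += cs_len
    p += 1 + record[p]                                                  # compression methods
    summary = HelloSummary(version, ciphers, [])
    if p >= len(record):
        return summary                                                  # legacy client, no extensions
    ext_len = struct.unpack_from("!H", record, p)[0]; p += 2
    end = min(p + ext_len, len(record))
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        data = record[p:p + elen]; p += elen
        summary.extensions.append(etype)
        if etype == EXT_SNI and len(data) >= 5:
            nlen = struct.unpack_from("!H", data, 3)[0]
            summary.sni = data[5:5 + nlen].decode(errors="replace")
        elif etype == EXT_ALPN and len(data) >= 2:
            q = 2
            while q < len(data):
                n = data[q]
                summary.alpn.append(data[q + 1:q + 1 + n].decode(errors="replace")); q += 1 + n
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            summary.supported_versions = [struct.unpack_from("!H", data, 1 + i)[0]
                                          for i in range(0, data[0], 2)]
    return summary


def fingerprint(s):
    """JA3-style string: version,ciphers,extensions (curve fields and MD5 omitted here)."""
    return "%d,%s,%s" % (s.version, "-".join(map(str, s.cipher_suites)), "-".join(map(str, s.extensions)))


def classify(s):
    """Heuristic label for the stream that follows, from handshake metadata alone (assumed labels)."""
    if "h2" in s.alpn or "http/1.1" in s.alpn:
        return "web-browser-style HTTPS"
    if s.sni is None:
        return "no SNI: review (IP-literal access, legacy client or tunnelling)"
    return "TLS, application unknown from handshake"


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0x1302, 0xC02B], ["h2", "http/1.1"], [0x0304, 0x0303])
    s = parse_client_hello(rec)
    print(s, fingerprint(s), classify(s), sep="\n")
```

The fingerprint string and the SNI/ALPN pair are what a sensor on a high-throughput link can key on without logs or endpoint agents; the heuristic in `classify` is deliberately coarse, and a real deployment would map fingerprints to known client populations and treat unexpected combinations as review items rather than verdicts.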
Finally, we would like to speak about ethics: the potential of DPI and what it means for all of us, ranging from privacy concerns to the potential misuse of such technologies against a free society.
A lifelong enthusiast for computer security and emerging technologies, Holger started his IT Security career in the German army in 1997. Since then, Holger has continued to strengthen his professional skill set through involvement in many security projects around the globe. Alongside working with industry leaders such as Microsoft, he has several years of experience running his own IT Security business. Holger has always been passionate about innovating and developing new security solutions, and this has led him to Telstra, where he is the Principal Security Domain Cyber Security expert at the Centre of Excellence, Technology & Innovation. His current role focuses on futuristic and real-world security analytics solutions in the fields of IoT and Cyber Security.