One Article Review

Source: TaoSecurity blog
Identifier: 862505
Publication date: 2018-10-25 10:31:27 (viewed: 2018-10-25 17:00:41)
Title: Have Network, Need Network Security Monitoring
Text:

I have been associated with network security monitoring my entire cybersecurity career, so I am obviously biased towards network-centric security strategies and technologies. I also work for a network security monitoring company (Corelight), but I am not writing this post in any corporate capacity.

There is a tendency in many aspects of the security operations community to shy away from network-centric approaches. The rise of encryption and cloud platforms, the argument goes, makes methodologies like NSM less relevant. The natural response seems to be migration towards the endpoint, because it is still possible to deploy agents on general purpose computing devices in order to instrument and interdict on the endpoint itself.

It occurred to me this morning that this tendency ignores the fact that the trend in computing is toward closed computing devices. Mobile platforms, especially those running Apple's iOS, are not friendly to introducing third party code for the purpose of "security." In fact, one could argue that iOS is one of, if not the, most secure platform, thanks to this architectural decision. (Timely and regular updates, a policed application store, and other choices are undoubtedly part of the security success of iOS, to be sure.)

How is the endpoint-centric security strategy going to work when security teams are no longer able to install third party endpoint agents? The answer is -- it will not. What will security teams be left with?

The answer is probably application logging, i.e., usage and activity reports from the software with which users interact. Most of this will likely be hosted in the cloud. Therefore, security teams responsible for protecting work-anywhere-but-remote-intensive users, accessing cloud-hosted assets, will have really only cloud-provided data to analyze and escalate.

It's possible that the endpoint providers themselves might assume a greater security role. In other words, Apple and other manufacturers provide security information directly to users. This could be like Chase asking if I really made a purchase. This model tends to break down when one is using a potentially compromised asset to ask the user if that asset is compromised.

In any case, this vision of the future ignores the fact that someone will still be providing network services. My contention is that if you are responsible for a network, you are responsible for monitoring it. It is negligent to provide network services but ignore abuse of that service.

If you disagree and cite the "common carrier" exception, I would agree to a certain extent. However, one cannot easily fall back on that defense in an age where Facebook, Twitter, and other platforms are being told to police their infrastructure or face ever more government regulation.

At the end of the day, using modern Internet services means, by definition, using someone's network. Whoever is providing that network will need to instrument it, if only to avoid the liability associated with misuse. Therefore, anyone operating a network would do well to continue to deploy and operate network security monitoring capabilities.

We may be in a golden age of endpoint visibility, but closure of those platforms will end the endpoint's viability as a source of security logging. So long as there are networks, we will need network security monitoring.

Copyright 2003-2018 Richard Bejtlich and TaoSec
Sent: Yes