Just as many CSOs are focused on automating their organisational threat response, many others are focused on improving their visibility of network traffic – which, with encryption increasingly used to protect legitimate application traffic and obfuscate malware command-and-control (C&C) traffic, has become ever more difficult to do.
Visibility was the topic of an engaging panel at which Al-Bassam joined James Ng, head of Telstra’s Cyber Security Governance and Risk team as well as acting CISO of telco venture Belong; Preston Hogue, director of security marketing with F5; and Shafqat Mehmood, cyber threat intelligence and incident response manager with Australian Unity.
All shared different perspectives on keeping up with the growing flood of botnet traffic that has grown out of cybercriminals’ increasing use of automation, which often fuels the creation of malicious networks that use encryption to operate right under the eyes of visibility-challenged CSOs.
Botnet traffic has become so common, said Hogue, that “we go into a lot of customers and turn on bot protection, and they have such a drastic drop in their overall traffic that they think we’ve implemented the control inappropriately.”
“Once that traffic gets in, it is all essentially consuming compute, consuming resources and costing the organisation dollars – but is not providing any form of benefit. So you see why you want to be able to identify those bots as far out towards the edge as you can – and implement enforcement points as far out as possible, as well.”
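As an added illustration of the edge-side bot identification Hogue describes (example code written for this page, not F5's product logic), the following Python scores each client in a constructed web-server access log on request rate, automation-style User-Agent strings, error ratio and path repetition. The log lines, thresholds and weights are assumptions chosen for the demonstration; a production control would tune them against the site's own traffic baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Combined Log Format (not from the article):
# one human browsing session, one credential-stuffing script with a tooling
# User-Agent, and one scraper that hides behind a browser User-Agent.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
203.0.113.10 - - [10/Oct/2023:13:55:49 +0000] "GET /about.html HTTP/1.1" 200 801 "-" "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
203.0.113.10 - - [10/Oct/2023:13:56:06 +0000] "GET /contact.html HTTP/1.1" 200 655 "-" "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31.0"
192.0.2.33 - - [10/Oct/2023:13:58:10 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
192.0.2.33 - - [10/Oct/2023:13:58:10 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
192.0.2.33 - - [10/Oct/2023:13:58:11 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
192.0.2.33 - - [10/Oct/2023:13:58:11 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
192.0.2.33 - - [10/Oct/2023:13:58:12 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
192.0.2.33 - - [10/Oct/2023:13:58:12 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
192.0.2.33 - - [10/Oct/2023:13:58:13 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
192.0.2.33 - - [10/Oct/2023:13:58:13 +0000] "GET /api/prices HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent strings typical of scripted clients (assumed list for the demo).
TOOLING_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|^-?$", re.I)
# Assumed weights: strong signals count double, weak ones single.
WEIGHTS = {"high_rate": 2, "tooling_ua": 2, "mostly_errors": 1, "repetitive_paths": 1}


def parse_log(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def score_client(recs):
    """Heuristic bot score for one client's requests (thresholds are assumptions)."""
    count = len(recs)
    times = sorted(r["ts"] for r in recs)
    window = max((times[-1] - times[0]).total_seconds(), 1.0)  # avoid divide-by-zero
    rate = count / window
    distinct_paths = len({r["path"] for r in recs})
    error_ratio = sum(r["status"] >= 400 for r in recs) / count
    flags = []
    if count >= 5 and rate >= 1.0:
        flags.append("high_rate")
    if any(TOOLING_UA.search(r["ua"]) for r in recs):
        flags.append("tooling_ua")
    if error_ratio > 0.5:
        flags.append("mostly_errors")
    if count >= 5 and distinct_paths <= 2:
        flags.append("repetitive_paths")
    score = sum(WEIGHTS[f] for f in flags)
    return {"requests": count, "rate_per_s": round(rate, 2), "flags": flags,
            "score": score, "verdict": "bot" if score >= 3 else "ok"}


def classify(text):
    """Group parsed records by client IP and score each client."""
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)
    return {ip: score_client(recs) for ip, recs in by_ip.items()}


if __name__ == "__main__":
    for ip, result in classify(SAMPLE_LOG).items():
        print(ip, result)
```

The third client is the instructive one: its User-Agent looks like a browser, so a UA-only rule would pass it, but its request rate and single repeated path still push it over the threshold. That is the reason to combine several weak behavioural signals rather than rely on any one of them.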
Like many organisations, Australian Unity has been focused heavily on bolstering endpoint protection to prevent many forms of attack traffic from ever getting onto the company network. In a zero-trust network environment, this meant always monitoring traffic to mobile devices as well as other endpoints.
“Encryption and obfuscation of C&C traffic presents a serious challenge to valid traffic,” Mehmood explained. “The first and best option is to detect at the endpoint level, where [malicious] applications have not yet started to communicate. The second approach is to use proxies to decrypt and get this traffic at the proxy level.”
Al-Bassam was sceptical about the degree to which endpoint protection can block all threats, however, noting that “it’s quite easy to create malware that evades signature and pattern-based recognition.”
“Endpoint security can be effective in protecting the actual malware from running more than detecting it,” he continued, noting the importance of a whitelisting strategy to ensure only vetted and approved applications are running on endpoints.
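To show what the whitelisting strategy Al-Bassam refers to amounts to in practice, here is an added Python sketch (written for this page, not drawn from any product) of a hash-keyed application allowlist. The executable contents, process list and names are constructed stand-ins; on a real endpoint the same decision would be enforced by an OS-level control such as AppLocker or WDAC on Windows, but the logic of keying on content rather than file name is the same.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vetted executable images (assumed byte contents,
# not real binaries); a real allowlist would be built from signed releases.
VETTED_IMAGES = {
    "outlook.exe": b"\x4d\x5aMAIL-CLIENT-BUILD-2023.1",
    "chrome.exe": b"\x4d\x5aBROWSER-BUILD-117.0",
}

# Key the allowlist by content hash, not by name: a patched or renamed file
# cannot borrow an approved name to get through.
ALLOWLIST = {sha256_hex(img): name for name, img in VETTED_IMAGES.items()}


def evaluate(process_name: str, image: bytes) -> dict:
    """Default-deny decision for one process image, plus the reason for the log."""
    digest = sha256_hex(image)
    approved_as = ALLOWLIST.get(digest)
    if approved_as is None:
        decision, reason = "block", "hash not on allowlist"
    else:
        decision, reason = "allow", f"hash matches vetted image {approved_as}"
    return {
        "process": process_name,
        "sha256": digest[:12],
        "decision": decision,
        # Approved content running under an unexpected name is worth a hunt
        # even though the hash itself is trusted.
        "name_mismatch": approved_as is not None and approved_as != process_name,
        "reason": reason,
    }


# Constructed "running processes": a genuine copy, a genuine copy under a
# different name, a tampered copy that kept its name, and an unknown binary.
RUNNING = [
    ("outlook.exe", VETTED_IMAGES["outlook.exe"]),
    ("helper.exe", VETTED_IMAGES["chrome.exe"]),
    ("chrome.exe", VETTED_IMAGES["chrome.exe"] + b"\x90EXTRA"),
    ("updater.exe", b"\x4d\x5aUNKNOWN-BUILD"),
]


def audit(processes):
    """Evaluate every (name, image) pair and return the decisions in order."""
    return [evaluate(name, image) for name, image in processes]


if __name__ == "__main__":
    for r in audit(RUNNING):
        print(f"{r['decision']:5} {r['process']:12} {r['sha256']} "
              f"name_mismatch={r['name_mismatch']} ({r['reason']})")
```

The tampered `chrome.exe` is the case signature-based detection tends to miss and an allowlist does not: nothing about the file needs to be recognised as malicious, it simply is not on the approved list, so it does not run.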
However endpoint protection is handled, the ability to decrypt and aggregate data for analysis fuels threat-intelligence capabilities that also help improve threat visibility. This capability, Ng said, is developing in line with the “default position that we just encrypt everything.”
“There are certainly use cases where businesses just need a means of accessing the data, and need to decide whether the data needs to be encrypted from the outset.”
“There is probably a case for making sure that if there is decryption, or that if we are not encrypting certain types of data, that this is transparent to the customer. It’s all around using data to actually help the customer, as opposed to having the default position of encrypting everything.”
Many organisations were leveraging high-capacity decryption tools to create “what we used to refer to as a DMZ,” Hogue noted. “They’re creating a true DMZ to have that encryption zone not only for security and encryption, but for the ability to be able to do troubleshooting and to look at data governance around that.”
“Along with those data policies, you also have to be able to make determinations that in some instances there is traffic that should not be encrypted,” he said, noting that service chaining “allows you to invoke policy on that. The endpoint may be your last line of defence, but the hope is that you’re able to have multiple layers of defence to be able to look at and inspect all of this.”
Insights and advice were flying thick and fast throughout the day, and attendees went home with a considerable amount of food for thought. Yet one underlying question remained throughout: are we really getting better at security as quickly as we need to?
Attendees want to believe so – but Al-Bassam is still on the fence.
“I do think people are taking things more seriously now,” he said, “but with a reasonable amount of effort I do think you can still compromise most organisations.”