Richard Bejtlich, Zeek, Corelight Zeek discussed on Risky Business
We have over six hundred security vendors in a CRM database, and most of them are there because they inquired about sponsoring; they reached out to us. But in the end we wind up doing business with about twenty to twenty-five vendors in any given calendar year, so this is my way of saying we can't just accept any sponsor who comes along. Now, does this mean that we endorse any of the vendors we're featuring in these sponsored segments? No, it doesn't. I mean, I'm not a practitioner. I cannot tell you these guys are fantastic, guaranteed. But we generally select vendors for Snake Oilers who we think are doing interesting things, vendors who we think will give us an interesting and relevant conversation for the audience about what they're doing and why, and that's really what these podcasts are about. That's the process explainer out of the way, so let me tell you about what's going to be in this edition of Snake Oilers. In this podcast you're going to hear from three vendors. You will hear from industry luminary Richard Bejtlich, who is currently working with Corelight, who offer products based on Zeek, which used to be known as Bro. Yeah, that's a super cool chat with Richard, and I let it run long because, well, it's Richard Bejtlich, come on, right? So that one actually runs a little bit longer than the interviews in Snake Oilers normally do. Then we're going to hear from Marshall Webb from Path Network, and that's also a really great interview. In that one Marshall will be telling us about eBPF and XDP, two open source technologies that are really pushing the state of the art in DDoS mitigation forward. Basically these two things now mean that you can efficiently mitigate DDoS attacks with commodity hardware.
So Path has built a business around that, and by the looks of things they're going after those Arbor Networks-based services. They've already got a terabyte per second of connectivity capability, which is a lot of bits per second for a relatively new company. But yeah, their idea is that DDoS scrubbing and standby DDoS scrubbing services shouldn't cost a fortune; it's kind of a tax on business. And they're using the latest standards and the latest techniques to mitigate these attacks using commodity hardware, and they're passing on the savings to customers. They've also built some really cool distributed network monitoring tools as well, so that's going on in that interview; that is number two this time. And then the last Snake Oiler for this edition is Respond Software. They make a decision agent for SOCs, basically, but I guess that's kind of underselling it: they are quite literally aiming to replace frontline SOC analysts with software. Now, the funny thing is, right, you might think that that sounds a bit risky, but say this out loud: "We can't use a software agent for first line monitoring because we might miss something." So yeah, when you say it out loud it's kind of funny, right, because everybody's already missing stuff. Respond's whole pitch is that they can bump out a list of, like, five serious things your SOC should be doing that day, instead of trawling through tens of thousands of meaningless, context-less alerts. And when you've finished with those five confirmed serious things you can always go back and look at your logs. But as you'll hear, Respond's customers are actually starting to really trust it to do that first piece of analysis, so that is also an interesting chat. So yeah, we've got a bunch of stuff, right, a bunch of stuff to talk through in this edition, so let's kick it off now with our chat with Richard, who has previously appeared a few times as a guest on this podcast. I think you can really describe Richard as an industry luminary.
He's been in the discipline since the '90s, he's written a bunch of books, and so on and so on, and these days he is with Corelight. Their goal is to transform network traffic into actionable data for analysis, forensics and real time response. Their product is based on the open source tool Zeek, which was formerly Bro, and Richard joined me to talk about it. Here is what he had to say.

If you think about it, you've got a spectrum of what you can learn about your network. At one end of the spectrum you've got "write everything to disk", and that's a full content pcap collection. At the other end of the spectrum you have "tell me as best as you can just the things that I want to know that might be good or bad", or however you define it, if you wanna have policy violations or whatever you call it. Now, going back to the full packet capture, that's great, but even in an era of inexpensive storage, how are you gonna make use of that data on a daily basis? At the other end, the alerts: what if you miss something? What if you don't have an alert for whatever, however the attack is? So Zeek sits right in the middle of that, and the idea behind it is to give you an idea of what's happening on a network in a form that has enough detail that you can make some sense of it, but not so much that it just takes up a lot of space and it's tough to index and all that. It's a pretty simple idea, but it turns out that there really aren't many products or offerings in that space. Like, the thing that we always like to compare it to quite often is NetFlow, but NetFlow for the most part is just a description of who talked to who, when, how much data was passed, which protocols, that sort of thing. And we'll give you that with our connection log, but then any protocol that Zeek understands, we're gonna give you data about that as well. So let's say you've got a TCP connection and on top of that is an HTTPS session.
We're going to give you what we can from each of those, which will end up being SSL data, so we'll give you server names, we'll tell you information about the certificates, and if you want we can extract the certificates and you can save those to disk. And all of this is linked through connection IDs, or UIDs as they appear in the logs, so that if you're trying to figure out what relates to what, if you're trying to do, like, you know, your data science or whatever you wanna call it on that information, it makes it easy to follow that chain. And as it turns out, it is a really nice place to be if you're trying to understand what's happening on your network, because we answer a lot of the questions that a security person wants to know in a small footprint that can be saved for basically forever. If you think about having some type of hot storage that goes into a database or Splunk or Humio or Google Chronicle or whatever, and if you wanna do cold storage, just writing text files to disk or JSON files to disk and putting it up in Amazon Glacier, it's something forever. So that's the basic idea, and we can expand beyond that, I'm sure.

Yeah, it kinda reminds me a little bit, like, it's similar to what the team at ICEBRG did. They were a small company, wound up acquired by Gigamon. This was a bit different in that it streamed everything to the cloud and it was very much about metadata, but what I found interesting about them, and what I find interesting about Corelight, is that here we are in 2019, when apparently network monitoring is dead, and yet you exist and people are buying your stuff. I think the death of network security monitoring has maybe been called a bit prematurely.

Yeah, I actually wrote a blog post early on at Corelight and the marketing team labeled it "NSM is dead". I was a little shocked, like, oh no, this is great, this is going to get around that I think NSM is dead, but it ended up
just being, you know, a click, I suppose. The people would read the post and it's "NSM is dead, long live NSM".

Yeah, yeah.

So there's no doubt that it is not the same world as it was when I started in 1997, 1998. Back then, if you saw something on the wire, it was generally unencrypted, and when it was a non-binary protocol, so let's say it was not a Sun remote procedure call or something like that, it was generally text, so you could read it. So it was simple: HTTP, you could read the page and see what it's doing; if it was a file transfer over FTP you could read the commands; and if it was telnet you could read the administrator or a criminal interacting with your system. And that was a great way to figure out what was happening, because it was just right there, you know. Fast forward to the last ten years or so and more and more traffic is encrypted. You can't do that anymore.

It did kind of make a lot of the full packet capture stuff, that was very, very trendy, like NetWitness, there was another one, God, what was it called, it was the one that got sold to... but that stuff was super hip for a while, and then everything started getting encrypted. That's like, look, at least we captured the packets, we've got that, we can't read it, so...

Well, there's an interesting workflow to that. So the workflow for many of the full packet vendors, particularly a company like NetWitness, was around network forensics, and it was a similar approach that you would take with file-based forensics.
Imagine you have a disk. You want to extract all the artifacts, render them in a way that an analyst can look through them, and when they find the stolen invoice they go, ah, that person's not supposed to have that on the computer. The way that the network forensic vendors took it was: the traffic that was captured during certain periods was essentially the hard disk. They would extract all the artifacts and present them to the analyst. That is generally not the same kind of workflow, though, that we've seen develop in the era of the modern SOC and the rise of SIEMs. Generally what you find people doing is threat hunting; that's become popular for the last nine, ten years or so. It's looking for something that you didn't necessarily know was bad, and because of that you don't need to have every Word document that was transferred on the wire.

You're one hundred percent right, and this is about looking at what's related, which connection came from what other connection and whatever. And what I've noticed too, right, is you've got this new breed of security vendor that's coming up at the moment where they've clearly had a lot of design influence from people who've worked in incident response. And I'm thinking in that case, like, companies like AlphaSOC, right, which is Chris McNab, who is very much an incident responder, who's doing stuff like real time domain analytics and IP analytics and things like that. Corelight, that's another one. I had another one in my head but it's not quite there anymore. But yeah, I'm definitely seeing that fusion between people working in incident response now saying, well, hang on, if we had been looking for this more at the time we might have had a better shot at detection here.

Yeah, yeah, yeah, and that brings up a really interesting point. When you buy our product there is an interface, but it's essentially a sensor management, health and welfare interface. Now, there may be some additional things coming to that
that I've been encouraging and helping develop at Corelight, but for the most part our product is built on giving you the data. We don't wanna be another pane of glass that you have to monitor and somehow integrate into your workflow. So initially I thought this is gonna be kind of difficult, perhaps, to sell to customers, because they want to see the data. But it turns out at this point in the market everybody's got a place for the data to go, right? They already have their Splunk infrastructure, or the market, honestly, is being disrupted very heavily; I think companies like Backstory, Chronicle within Google with their Backstory product. People are seeing that you can do a lot with just really good high fidelity data, whether it's from the host or, in our case, from the network through Corelight Zeek. So we don't sell you a pane of glass. We give.