Experience with NDR Solutions

travisdh1

@dafyre said in Experience with NDR Solutions:

If you want to stick in that vein, I'm familiar with two of them. Snort and Suricata.

I've run both in IPS mode (where they actively block attacks). Suricata is the more performant option from my experience.

It's been a while since I've run either of them on live traffic though.

We're supposed to be reselling Cylance. I haven't heard of any actual sales or installs yet, so I don't really know the ins and outs of it yet.

jclambert

When you drill into some of the solutions out there, some are just black boxes that give you a result. However, what was missed? In these cases, you don't get an audit trail on anything other than what was identified.

scottalanmiller

@travisdh1 said in Experience with NDR Solutions:

We're supposed to be reselling Cylance. I haven't heard of any actual sales or installs yet, so I don't really know the ins and outs of it yet.

Cylance is gone. It's Blackberry now. Imagine trying to tell a customer that you recommend stuff by Blackberry. jajaja. I think not.

Florida_man

@scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

dafyre

@Florida_man said in Experience with NDR Solutions:

Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

The problem with doing that is what if there's a vulnerability in the application/website itself? Something that allows unauthenticated attackers to do 'Bad Things'.

I think you are right in that a lot of the tools will block some legit traffic, but that's also why you spend some time with the tools you use to learn them and figure out where and how to fine tune what is allowed / blocked and what it sends you alerts on.

Florida_man

@dafyre said in Experience with NDR Solutions:

The problem with doing that is what if there's a vulnerability in the application/website itself? Something that allows unauthenticated attackers to do 'Bad Things'.

That's the whole point of zero trust. You assume every component is a bad actor and only provide minimum permissions for each microservice of the application.

scottalanmiller

@Florida_man said in Experience with NDR Solutions:

@scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

Zero Trust is hard to do when you don't make bespoke software. Most firms run uncontrolled third party stuff.

notverypunny

Darktrace does some pretty cool stuff. I've had some experience with the detection part, the automated response wasn't part of the package that was in use but the potential looked interesting.

FieldEffect has some interesting looking stuff too, not sure if they offer an automated response piece or not.

Florida_man

@scottalanmiller said in Experience with NDR Solutions:

@Florida_man said in Experience with NDR Solutions:

@scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

Zero Trust is hard to do when you don't make bespoke software. Most firms run uncontrolled third party stuff.

That isn't the an issue anymore. Alot of COTS and open-source software runs in containers. Each container has its own microservice.

https://blog.aquasec.com/zero-trust-kubernetes

It's time to embrace containers @scottalanmiller

scottalanmiller

@Florida_man said in Experience with NDR Solutions:

@scottalanmiller said in Experience with NDR Solutions:

@Florida_man said in Experience with NDR Solutions:

@scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

Zero Trust is hard to do when you don't make bespoke software. Most firms run uncontrolled third party stuff.

That isn't the an issue anymore. Alot of COTS and open-source software runs in containers. Each container has its own microservice.

https://blog.aquasec.com/zero-trust-kubernetes

It's time to embrace containers @scottalanmiller

"A lot" is subjective. Try finding any that customers actually use. MY embracing containers is irrelevant. And not the source of zero trust. Containers are a red herring in that case.

First you need software that has zero trust. Then containers can or cannot be used, not super relevant. Just more buzz, like cloud, but not actually important. But until the products you are deploying support zero trust, it's all moot.

scottalanmiller

For the customer in question, an ERP dedicated for the produce logistics industry.

Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?

Florida_man

@scottalanmiller said in Experience with NDR Solutions:

For the customer in question, an ERP dedicated for the produce logistics industry.

Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

Why not just purchase a SaaS solution?

stacksofplates

@scottalanmiller said in Experience with NDR Solutions:

For the customer in question, an ERP dedicated for the produce logistics industry.

Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?

Vetastic could easily be containerized and deployed on Kube.

stacksofplates

Also you don’t need Kube for zero trust. You can essentially apply it to anything with SPIFFE/SPIRE. SPIRE provide attestations for nodes and workloads as SVIDS.

It’s easier on Kube because service meshes like istio and Kuma use spire under the hood for you.

OPA is another step in this direction. You don’t need Kube for OPA either.

scottalanmiller

@stacksofplates said in Experience with NDR Solutions:

@scottalanmiller said in Experience with NDR Solutions:

For the customer in question, an ERP dedicated for the produce logistics industry.

Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?

Vetastic could easily be containerized and deployed on Kube.

Yes, of course Vetastic could But 99.99% of the industry won't switch to that. If I could switch them to that, that would be amazing.

Except for Vetastic, all (literally all) on premises (the only app type applicable for vet clinics) is Windows based and client/server. Archaic beyond imagination.

Although the benefits of something like Kube for Vetastic are nominal since it is already zero trust and very secure.

But the customer prompting the question is produce logistics, a field in which we create no software (currently).

stacksofplates

@scottalanmiller said in Experience with NDR Solutions:

@stacksofplates said in Experience with NDR Solutions:

@scottalanmiller said in Experience with NDR Solutions:

For the customer in question, an ERP dedicated for the produce logistics industry.

Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?

Vetastic could easily be containerized and deployed on Kube.

Yes, of course Vetastic could But 99.99% of the industry won't switch to that. If I could switch them to that, that would be amazing.

Except for Vetastic, all (literally all) on premises (the only app type applicable for vet clinics) is Windows based and client/server. Archaic beyond imagination.

Although the benefits of something like Kube for Vetastic are nominal since it is already zero trust and very secure.

But the customer prompting the question is produce logistics, a field in which we create no software (currently).

Fair, but the second post I had above covers that. SPIFFE/SPIRE would work in that case.

stacksofplates

Although the benefits of something like Kube for Vetastic are nominal since it is already zero trust and very secure.

Kube gives you a ton. Arguably the biggest advantage is service discovery.

How are you doing zero trust with Verastic? Is it all JWTs ?

scottalanmiller

@stacksofplates said in Experience with NDR Solutions:

Kube gives you a ton. Arguably the biggest advantage is service discovery.

How would service discovery assist? That would not help in any way. Adding service discovery for a single instance is a lot of work for no benefits. That's a great tech, when you have a use for it. But most software does not.

scottalanmiller

@stacksofplates said in Experience with NDR Solutions:

Is it all JWTs ?

We do, in fact, use JWTs. Pretty manual, but given that it's very simple and limited and deployed in replicable ways simple makes the most sense.

scottalanmiller

@stacksofplates said in Experience with NDR Solutions:

SPIFFE/SPIRE

Cool stuff, but seems far more appropriate for multi-service environments. When you are presenting a single static configuration it seems like more work to solve a challenge that doesn't exist in the environment. In others, absolutely, not knocking the tech at all. Just, for small businesses implementing simple workloads (or ones that they don't control) that's either solving something that isn't a problem and/or not applicable because the infrastructure doesn't exist.