Could taking security back to the basics (know what's on your network and how everything is behaving) help solve today’s security challenges?

Anonymous Author
I think that notion sounds great. But as somebody who spent almost 24 years at a technology company that had almost 500,000 addressable endpoints on it, and then moved on to work at a financial sector company that has over 250,000 endpoints, I get challenged every day by my leadership to know "what's on the network, what's it doing, and how are you protecting it?" It sounds easy to say, but it's a significant challenge. Somewhere along the line, something is going to pop, and I'll get asked, "Well, why didn't you know about it?" I got 250,000 problems and that one wasn't one of them.
0 upvotes
Anonymous Author
I've seen some really cool things done when you started basic and built a model around that. Many years ago, our engineers in the SOC at Verisign built a model where they just ran statistical analysis on firewall port activity. What they did was profile our clients, because they recognized that you have business hours and do things at different times. This was very basic compared to what you can do today. But they profiled, on particular ports, what kind of activity and number of packets were coming in at 8 o'clock on a Monday morning and compared it to the previous 8 o'clock Monday mornings. When all of a sudden something went X standard deviations outside of the norm, it generated an alert to say, "Hey, maybe something's going on here." We're not looking for signatures, we're looking for differences. But that very thing, I think it was successful only because they said, "We're only going to look at port traffic. We're only going to look at successful TCP connections on ports and count the packets and build a model that way." They knew what they were doing the whole time. They knew where the source data was coming from. They knew what they were analyzing. There was never any question. There was never any magical tool being applied to come up with something.
0 upvotes
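The baseline-and-deviation model described in the comment above, as an added example; this is not code from the thread or from Verisign. It counts packets on accepted TCP connections per (weekday, hour, destination port), uses the same window in earlier weeks as the baseline, and alerts when the current week lands more than a chosen number of standard deviations away. Everything concrete here is an assumption made for the example: the firewall log format, the constructed sample lines (five Mondays of 08:00 traffic, with the last Monday showing a spike on port 443 and a port that was never seen before), the 3-sigma threshold, the minimum of three baseline weeks, and the sigma floor that keeps a perfectly flat baseline from flagging every change.

```python
"""Baseline-and-deviation alerting on firewall port activity.

Added example, not code from the original thread or from Verisign. It
implements the approach the commenter describes: count packets on
accepted TCP connections per (weekday, hour, destination port), treat
the same window in earlier weeks as the baseline, and alert when the
current week's count is more than `threshold` standard deviations from
that baseline. The log format, thresholds and sample lines are all
assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, date, timedelta
from statistics import mean, pstdev

# Constructed log format (assumed, not a real product's):
#   "<ISO timestamp> <proto> <dst_port> <action> <packets>"
_MONDAYS = ["2024-01-01", "2024-01-08", "2024-01-15", "2024-01-22", "2024-01-29"]
_PORT_443 = [1000, 1050, 980, 1010, 4000]   # last Monday is ~4x the usual volume
_PORT_22 = [20, 22, 19, 21, 21]             # last Monday is within the usual range


def make_sample_log():
    """Five Mondays of constructed 08:00 firewall lines; the last is the week under test."""
    lines = []
    for day, p443, p22 in zip(_MONDAYS, _PORT_443, _PORT_22):
        # The 443 total is split over two lines to show per-window aggregation.
        lines.append(f"{day}T08:05:00 TCP 443 ACCEPT {p443 - 300}")
        lines.append(f"{day}T08:40:00 TCP 443 ACCEPT 300")
        lines.append(f"{day}T08:12:00 TCP 22 ACCEPT {p22}")
        lines.append(f"{day}T08:20:00 TCP 443 DROP 9999")   # rejected traffic is not modelled
        lines.append(f"{day}T08:30:00 UDP 53 ACCEPT 500")    # model is TCP only
    lines.append("2024-01-29T08:15:00 TCP 3389 ACCEPT 5")  # never seen in this window before
    return lines


def parse_line(line):
    ts, proto, port, action, packets = line.split()
    return datetime.fromisoformat(ts), proto, int(port), action, int(packets)


def week_of(ts):
    """Monday of the ISO week containing ts, used to separate baseline weeks."""
    return (ts - timedelta(days=ts.isoweekday() - 1)).date()


def profile(lines):
    """{(weekday, hour, port): {week_start: packets}} over accepted TCP lines only."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, proto, port, action, packets = parse_line(line)
        if proto != "TCP" or action != "ACCEPT":
            continue
        counts[(ts.isoweekday(), ts.hour, port)][week_of(ts)] += packets
    return counts


def detect(lines, current_week, threshold=3.0, min_history=3, sigma_floor=1.0):
    """Return alerts for the week starting on current_week (ISO date string).

    A window with fewer than min_history earlier weeks gets a 'no baseline'
    alert instead of a z-score; sigma_floor stops a perfectly constant
    baseline from turning any change at all into an infinite deviation.
    """
    current_week = date.fromisoformat(current_week)
    alerts = []
    for (weekday, hour, port), by_week in profile(lines).items():
        if current_week not in by_week:
            continue
        current = by_week[current_week]
        history = [n for wk, n in by_week.items() if wk < current_week]
        finding = {"weekday": weekday, "hour": hour, "port": port, "current": current}
        if len(history) < min_history:
            alerts.append({**finding, "reason": "no baseline", "z": None})
            continue
        mu = mean(history)
        sigma = max(pstdev(history), sigma_floor)
        z = (current - mu) / sigma
        if abs(z) > threshold:
            alerts.append({**finding, "reason": "deviation", "z": round(z, 2), "baseline_mean": mu})
    return sorted(alerts, key=lambda a: a["port"])


if __name__ == "__main__":
    for alert in detect(make_sample_log(), "2024-01-29"):
        print(alert)
```

Run against the constructed log, the week of 2024-01-29 produces two findings: a deviation on port 443 (4000 packets against a baseline mean of 1010) and a "no baseline" finding for port 3389, while port 22 stays quiet because its count sits well inside its normal spread. The dropped and UDP lines never enter the model, which is the "successful TCP connections only" scoping the commenter credits for making the approach work: the detector's inputs are narrow enough that every alert can be explained from the counts that produced it.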