Buzz surrounds zero trust security at RSAC 2019
With over 40,000 visitors, RSAC USA 2019 continues to be the leading cybersecurity event across the globe. Here, we share our thoughts and impressions from the perspective of the telco industry – which relies on IP-based technologies when architecting the next generation of mobile networks – about what we found most relevant in network security design and protection, virtualization, assurance and global threat landscape.
RSAC USA 2019 was held in San Francisco from March 4-8, and this year, as in others, the conference attracted a large security community from industry, academia, governmental and independent organizations. This year's conference included hundreds of tutorials, trainings, presentations, panels, keynotes and hands-on sessions, all running in parallel tracks alongside a large expo.
Prior to RSAC we understood zero-trust as the modern paradigm for architecting networks, and we had formed our own view of what zero-trust means for the telecom industry, but at RSAC this year we found as many interpretations as vendors, including some selling zero-trust as an added feature. A common understanding is that zero-trust replaces the traditional network-based perimeter, or, one can also argue, complements it, with the view that the endpoint is the new perimeter.
The need arises because enterprises are moving their operations to the cloud: corporate network management is outsourced to third parties, partners need access to corporate resources, the mobile workforce works outside the premises, employees bring their own devices, and cellular-connected IoT devices are becoming an essential asset. The conventional intranet is therefore no longer suitable; instead, a zero-trust corporate architecture is designed according to new security design principles, both technical and non-technical, for managing access, data and identity in order to protect assets and detect attacks.
Telecom networks are undergoing, and will continue to undergo, a transformation in which a zero-trust approach becomes more engrained, as the 3GPP standards illustrate for how networks will be deployed and operated. There are several possible implementations based on zero-trust enablers such as a software-defined perimeter, an identity-aware proxy (through which access to resources is controlled), identity management with strong multi-factor authentication, device evaluation and behavioral analysis. For details see this presentation.
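To make the "endpoint is the new perimeter" point concrete, here is an added illustration of how an identity-aware proxy takes its access decision per request. This is not code from the post, from Ericsson or from any vendor; the policy table, the users and the device states are constructed for the example. The decision consumes identity, authentication strength and device posture and deliberately ignores the client's network location, so an intranet address buys no trust and a remote client with strong credentials and a healthy device is admitted.

```python
"""Per-request access decisions by an identity-aware proxy, zero-trust style.

Added illustration; not code from the post, from Ericsson or from any vendor.
Policy table, users and device states are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    source_network: str  # logged for audit; deliberately not used in decide()


# Constructed policy table: what each resource requires, regardless of location.
POLICY = {
    "wiki":       {"group": "staff",   "mfa": False, "managed_device": False},
    "hr-portal":  {"group": "hr",      "mfa": True,  "managed_device": True},
    "billing-db": {"group": "finance", "mfa": True,  "managed_device": True},
}


def decide(ctx, resource):
    """Return (allowed, reason). Resources without an explicit rule are denied."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "default deny: no policy for resource"
    if rule["group"] not in ctx.groups:
        return False, "identity not entitled to resource"
    if rule["mfa"] and not ctx.mfa_verified:
        return False, "strong authentication required"
    if rule["managed_device"] and not (ctx.device_managed and ctx.device_patched):
        return False, "device posture insufficient"
    return True, "allowed"


def proxy_log(ctx, resource):
    """Decide and produce one audit record. Every request is evaluated afresh,
    so a device that falls out of compliance loses access on its next request."""
    allowed, reason = decide(ctx, resource)
    return {"user": ctx.user, "resource": resource, "from": ctx.source_network,
            "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    # Constructed scenarios: same resource, outcomes driven by posture only.
    insider = Context("eve", frozenset({"staff", "hr"}), False, True, True, "intranet")
    remote = Context("carl", frozenset({"staff", "hr"}), True, True, True, "public-wifi")
    for ctx in (insider, remote):
        print(proxy_log(ctx, "hr-portal"))
```

The two constructed scenarios are the whole argument: the user on the intranet without MFA is refused the HR portal, while the user on public Wi-Fi with MFA and a managed, patched device gets in. A device that later fails its posture check is refused on its next request, without anyone having to move it to a different network segment.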
The last few years' high attention on "cloud security" as a fairly vague concept now seems to have matured into a set of more concrete themes with many talks and much vendor attention: how to deal with container security, how to establish a DevSecOps workflow for rapid releases of cloud-native applications, zero-trust, and the Cloud Access Security Broker (CASB) vendors. This is a particularly interesting area for us because, as telco network functions are virtualized, we strive to maintain the high level of security expected of telco applications in diverse cloud environments – challenging to say the least!
It is evident that security in container deployments still needs to mature, but we found some interesting talks on run-time monitoring of containers and practical suggestions for getting security people and developers to work together in DevSecOps. The startup competition is usually interesting too; this year's finalists also addressed cloud-related topics: VM and container security and cloud SecOps.
There were not many mentions of cellular networks this year, except for one talk by Anand Prasad, chairman of 3GPP SA3, who gave an overview of security improvements from 4G to 5G. It was a good overview and the session was well attended.
IoT Security continued to be a hot topic addressed in different talks from technical, business and regulation perspectives, attracting many vendors. According to one startup, "last year everyone was doing cloud security, now they're all doing IoT".
As more and more attractive IoT devices keep coming to the market – kettles, dolls, hot tubs – ethical hackers show how easy it is to hack them to invade privacy or to use them for DDoS attacks.
In fact, the flaws are not only in the devices themselves but also in the shared backend APIs. Cheap IoT devices had a vulnerable backend authorization API, which on its own is not high risk, but when that same API is used by a company operating connected vehicles, the risk is high. The way to address this is through mandatory regulation of IoT products before market release, much as safety is regulated today. For details check here.
Fortunately, policy makers are driving initiatives in the right direction, though none of them is mandatory today: ENISA's IoT Security Recommendations, the UK IoT Security Code of Practice and California State Bill 327. The wireless industry association CTIA also announced last year an IoT certification for cellular-connected devices, with Ericsson's Labs as one authorized IoT certification center.
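The shared-backend point deserves a concrete shape. Below is an added example, not code from the post or from any product, of the kind of object-level authorization flaw described above, beside its fix. The in-memory store, the device ids and the account names are constructed; the same handler serves a consumer gadget and a connected vehicle, which is exactly why one weak check in a shared API is low risk for a kettle and high risk for a fleet.

```python
"""Object-level authorization on a shared IoT backend API: the flaw and the fix.

Added example; not code from the post or from any product. The store, device
ids and account names are constructed for the illustration.
"""


class Forbidden(Exception):
    """Raised when the caller is not bound to the requested device."""


# Constructed tenant data: device -> owning account, and each device's telemetry.
DEVICE_OWNER = {"dev-1001": "alice", "dev-1002": "bob", "veh-7": "fleet-co"}
TELEMETRY = {
    "dev-1001": {"temp_c": 61},
    "dev-1002": {"temp_c": 59},
    "veh-7": {"lat": 59.33, "lon": 18.07, "speed_kmh": 42},
}


def get_telemetry_vulnerable(account, device_id):
    # Before: the caller is authenticated, but the handler then trusts the
    # device_id parameter alone, so any logged-in account reads any device.
    return TELEMETRY[device_id]


def get_telemetry_hardened(account, device_id):
    # After: the object is bound to the caller. An unknown id and an id owned by
    # someone else fail the same way, so the check does not reveal which ids exist.
    if DEVICE_OWNER.get(device_id) != account:
        raise Forbidden("device not accessible by this account")
    return TELEMETRY[device_id]


def cross_account_reads(handler, accounts, device_ids):
    """Count reads a handler permits where the caller does not own the device.
    Useful as a regression test on the API: the answer should be zero."""
    leaks = 0
    for account in accounts:
        for device_id in device_ids:
            try:
                handler(account, device_id)
            except Forbidden:
                continue
            if DEVICE_OWNER[device_id] != account:
                leaks += 1
    return leaks


if __name__ == "__main__":
    accounts, devices = ["alice", "bob", "fleet-co"], list(DEVICE_OWNER)
    print("cross-account reads, before:", cross_account_reads(get_telemetry_vulnerable, accounts, devices))
    print("cross-account reads, after: ", cross_account_reads(get_telemetry_hardened, accounts, devices))
```

The `cross_account_reads` sweep is the check worth keeping in the API's test suite: with three accounts and three devices the vulnerable handler permits six reads that cross an ownership boundary, the vehicle's position among them, and the hardened handler permits none.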
IoT-based DDoS attacks keep increasing, and competition between DDoS-as-a-service providers is fierce, with prices dropping and making DDoS a commodity that can be ordered anonymously from providers that keep developing sophisticated botnet mechanisms. Several talks mentioned ML-assisted monitoring to predict and detect DDoS attacks. Several expo vendors claim they already apply ML in their engines, but it is not easy to verify to what extent.
ML itself is seen not only as a double-edged sword, used by adversaries and defenders alike, but also as an asset that can itself be attacked using adversarial ML techniques that fool ML models with perturbations of the input data, leading to wrong classifications or predictions, or to leaking confidential training data or model parameters. There is intensive ongoing research seeking to improve the ML model development process so that models are robust against such attacks. While such robustness improvements should matter for many applications, most academic work has been done in the field of image analysis, and there is a lack of results for the other domains on our research radar.
There was a valuable presentation comparing different threat detection methodologies: (i) Indicators of Compromise (IoC), (ii) anomaly detection and (iii) behavioral analysis. Many threat intelligence platforms today are focused on sharing IoCs – e.g. malicious URLs/IP addresses or hashes of malicious binaries – which is not enough for detecting new, sophisticated attacks. ML-based anomaly detection is more flexible in adapting to new threats, by learning normal behavior and flagging deviations, but it generates too many false positives, which create alert fatigue. Behavioral analysis brings the adversary's tactics, techniques and procedures into threat modelling, with the ability to correlate data from multiple sources and logs, but it is not easy to automate, and probably not meant to be, as it requires extensive domain knowledge and human involvement. We should not consider these three methodologies as competitors or believe that one of them is enough, but instead combine all of them as different layers of defense.
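The "layers, not competitors" conclusion is easier to see when the three methods run over the same telemetry. The following is an added example, not code from the post or from the presentation it summarises: an IoC match, a z-score anomaly check and a behavioral correlation rule applied to a handful of constructed endpoint events, then combined into one verdict per host. The log lines, the IoC feed, the byte-count baseline and the interpreter list are all constructed for the illustration.

```python
"""Three detection layers over the same telemetry: IoC match, anomaly score and
behavioral correlation, combined into one verdict per host.

Added example; not code from the post or from the presentation it summarises.
The log lines, IoC feed, baseline and interpreter list are all constructed.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed telemetry. 'detail' is the destination for conn events and the
# image name for proc events; addresses are from documentation ranges.
SAMPLE_LOG = """ts,host,event,detail,bytes
1,ws01,conn,203.0.113.10,1200
2,ws01,conn,203.0.113.10,1100
3,ws02,conn,203.0.113.9,900
4,ws02,conn,203.0.113.9,950
5,ws01,proc,powershell.exe,0
6,ws01,conn,198.51.100.77,48000000
7,ws03,conn,203.0.113.9,1000
8,ws03,conn,198.51.100.5,800
"""

IOC_DESTINATIONS = {"198.51.100.5"}                            # layer 1: constructed IoC feed
BASELINE_BYTES = [1200, 1100, 900, 950, 1000, 800, 1050, 980]  # layer 2: learned normal sizes
INTERPRETERS = {"powershell.exe", "wscript.exe", "cmd.exe"}    # layer 3: one TTP ingredient


def parse_log(text):
    return [{"ts": int(r["ts"]), "host": r["host"], "event": r["event"],
             "detail": r["detail"], "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def ioc_matches(events, iocs=IOC_DESTINATIONS):
    """Layer 1: exact match against shared indicators. Cheap and precise, but
    blind to anything not already on the list."""
    return [(e["ts"], e["host"], e["detail"])
            for e in events if e["event"] == "conn" and e["detail"] in iocs]


def anomaly_matches(events, baseline=BASELINE_BYTES, z_threshold=3.0):
    """Layer 2: statistical deviation from learned normal. Catches the unknown,
    but flags any unusual value, which is where alert fatigue comes from."""
    mean, stdev = statistics.mean(baseline), statistics.stdev(baseline)
    return [(e["ts"], e["host"], e["bytes"]) for e in events
            if e["event"] == "conn" and abs((e["bytes"] - mean) / stdev) > z_threshold]


def behavioral_matches(events, window_s=60, interpreters=INTERPRETERS):
    """Layer 3: correlate a sequence that expresses adversary behaviour: a
    scripting interpreter starts and, within the window, the same host opens a
    connection to a destination it has never talked to before."""
    seen_dst, last_interp, hits = defaultdict(set), {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        host = e["host"]
        if e["event"] == "proc" and e["detail"] in interpreters:
            last_interp[host] = e["ts"]
        elif e["event"] == "conn":
            first_contact = e["detail"] not in seen_dst[host]
            seen_dst[host].add(e["detail"])
            started = last_interp.get(host)
            if first_contact and started is not None and 0 <= e["ts"] - started <= window_s:
                hits.append((e["ts"], host, e["detail"]))
    return hits


def layered_verdicts(events):
    """Combine the layers rather than pick one: weight IoC and behavioural hits
    above a lone anomaly, and keep the reasons for analyst triage."""
    score, reasons = defaultdict(int), defaultdict(list)
    for _, host, dst in ioc_matches(events):
        score[host] += 2
        reasons[host].append(f"ioc:{dst}")
    for _, host, nbytes in anomaly_matches(events):
        score[host] += 1
        reasons[host].append(f"anomaly:bytes={nbytes}")
    for _, host, dst in behavioral_matches(events):
        score[host] += 2
        reasons[host].append(f"behaviour:interpreter->new_dst:{dst}")
    return {h: ("high" if s >= 3 else "medium", reasons[h]) for h, s in score.items()}


if __name__ == "__main__":
    for host, (level, why) in sorted(layered_verdicts(parse_log(SAMPLE_LOG)).items()):
        print(host, level, why)
```

On the constructed data each layer sees something the others miss: the IoC list catches `ws03` talking to a listed address, the anomaly score catches the oversized transfer from `ws01`, and only the behavioral rule ties that transfer to the interpreter that started just before it. The combined verdict ranks `ws01` above `ws03` and says why, which is what an analyst needs; a single layer on its own would have produced either a miss or an unexplained alert.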
Related to this topic, MITRE ATT&CK is a threat modelling framework that has gained popularity as an asset and methodology for behavioral modelling of the adversary's Tactics, Techniques and Procedures (TTPs). The SANS Institute had an engaging talk on how ATT&CK can be used by blue teams for adversarial emulation and how red teams can use it to devise playbooks. We found it novel that purple teaming was advocated as a process for achieving continuous assessment and improvement, with red and blue teams working more closely together for regular knowledge exchange. We are inspired to see how we can incorporate the ATT&CK framework in telco as well, to improve our assurance process, which is part of our Security Reliability model, and also for the Product Security Incident Response Team.
As every year, SANS organized a keynote with experts presenting the five most dangerous attacks and recommendations on how to avoid them. The ones relevant to network security were (i) DNS mischief, which uses compromised enterprise credentials to log on to DNS providers and manipulate the enterprise's DNS records to point - we leave the rest to your imagination, and (ii) domain fronting, whereby a compromised site avoids detection by establishing a TLS channel towards a Command & Control (C2C) center via a proxy in a trusted CDN, which in turn talks to the C2C center in another CDN.
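Both keynote items have a straightforward defender-side check, and the following added example shows one for each. It is not code from the post or from SANS: the first function compares the DNS answers an external monitor sees against the records the enterprise actually published, so a hijacked record or a record nobody created shows up as drift; the second flags TLS sessions whose SNI and HTTP Host header belong to different registrable domains, which is the domain-fronting signature. The baseline, the observed answers and the session records are constructed; in practice the observed answers come from resolving each name from outside the enterprise, and the Host header is visible only on a proxy that terminates TLS.

```python
"""Two defender-side checks for the SANS keynote items: drift of an enterprise's
published DNS records, and TLS sessions whose SNI does not match the HTTP Host
header (the domain-fronting signature).

Added example; not code from the post or from SANS. Baseline, observed answers
and TLS session records are constructed for the illustration.
"""


# Constructed baseline: the records the enterprise actually published.
DNS_BASELINE = {
    ("www.example.com", "A"): {"192.0.2.10"},
    ("login.example.com", "A"): {"192.0.2.20"},
    ("mail.example.com", "MX"): {"10 mx1.example.com."},
}

# Constructed observation: what an external monitor resolved just now.
DNS_OBSERVED = {
    ("www.example.com", "A"): {"192.0.2.10"},
    ("login.example.com", "A"): {"203.0.113.66"},     # changed without a change ticket
    ("mail.example.com", "MX"): {"10 mx1.example.com."},
    ("vpn.example.com", "A"): {"203.0.113.67"},       # record nobody published
}


def dns_drift(baseline, observed):
    """Return (name, rtype, expected, seen) for every record that differs from
    the baseline or appears without having been published."""
    findings = []
    for key in sorted(baseline.keys() | observed.keys()):
        expected = sorted(baseline.get(key, ()))
        seen = sorted(observed.get(key, ()))
        if expected != seen:
            findings.append((key[0], key[1], expected, seen))
    return findings


# Constructed TLS session records as a terminating proxy would log them.
TLS_SESSIONS = [
    {"sni": "cdn.example.net", "host": "cdn.example.net"},              # normal
    {"sni": "static.example.net", "host": "assets.example.net"},        # same domain, benign
    {"sni": "tenant-a.cdn-example.org", "host": "tenant-b.example.net"},  # mismatch
]


def registrable_domain(name):
    """Crude eTLD+1: the last two labels. A real monitor should use the Public
    Suffix List, since suffixes such as 'co.uk' break this approximation."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fronting_candidates(sessions):
    """Flag sessions where the name in the TLS handshake and the name the
    request is actually for belong to different registrable domains. This is a
    triage signal, not proof: some CDN setups produce benign mismatches."""
    return [s for s in sessions
            if registrable_domain(s["sni"]) != registrable_domain(s["host"])]


if __name__ == "__main__":
    for finding in dns_drift(DNS_BASELINE, DNS_OBSERVED):
        print("dns drift:", finding)
    for session in fronting_candidates(TLS_SESSIONS):
        print("sni/host mismatch:", session)
```

The DNS check is only as good as the baseline, so the baseline must be maintained from the change process, not re-learned from live answers, otherwise a hijack becomes the new normal. The SNI/Host check needs TLS inspection at the egress proxy and produces candidates for an analyst rather than verdicts.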
On understanding the threat landscape, several panel discussions with invited speakers from leading security firms and governmental bodies touched upon the soft aspects of security, such as people, processes, education, tactics, threat assessment and investment, needed to fight ever-increasing and never-ending cyberattacks. Important observations were that there is a persistent cybersecurity war and that there will never be perfect security. There are plenty of situations where the response must be immediate to mitigate damage, rather than waiting for the ideal solution and bureaucratic decisions.
Across several presentations we heard discussions speculating on what the next major cyberattack with a profound global impact would be. Two predictions captured our attention: a cyberattack that would cause significant loss of human life and a cyberattack that would collapse the financial system. Considering that cellular mobile networks are part of the critical infrastructure of most countries, we, as part of the security community, join the collaborative efforts of industry, academia and government in defining technologies and solutions that would prevent these worst-case scenarios from playing out in real life.