Experience with NDR Solutions
-
@Florida_man said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
@Florida_man said in Experience with NDR Solutions:
@scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.
Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.
Zero Trust is hard to do when you don't make bespoke software. Most firms run uncontrolled third party stuff.
That isn't the an issue anymore. Alot of COTS and open-source software runs in containers. Each container has its own microservice.
https://blog.aquasec.com/zero-trust-kubernetes
It's time to embrace containers @scottalanmiller
"A lot" is subjective. Try finding any that customers actually use. MY embracing containers is irrelevant. And not the source of zero trust. Containers are a red herring in that case.
First you need software that has zero trust. Then containers can or cannot be used, not super relevant. Just more buzz, like cloud, but not actually important. But until the products you are deploying support zero trust, it's all moot.
-
For the customer in question, an ERP dedicated for the produce logistics industry.
Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).
Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?
-
@scottalanmiller said in Experience with NDR Solutions:
For the customer in question, an ERP dedicated for the produce logistics industry.
Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).
Why not just purchase a SaaS solution?
-
@scottalanmiller said in Experience with NDR Solutions:
For the customer in question, an ERP dedicated for the produce logistics industry.
Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).
Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?
Vetastic could easily be containerized and deployed on Kube.
-
Also you don’t need Kube for zero trust. You can essentially apply it to anything with SPIFFE/SPIRE. SPIRE provide attestations for nodes and workloads as SVIDS.
It’s easier on Kube because service meshes like istio and Kuma use spire under the hood for you.
OPA is another step in this direction. You don’t need Kube for OPA either.
-
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
For the customer in question, an ERP dedicated for the produce logistics industry.
Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).
Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?
Vetastic could easily be containerized and deployed on Kube.
Yes, of course Vetastic could
But 99.99% of the industry won't switch to that. If I could switch them to that, that would be amazing.Except for Vetastic, all (literally all) on premises (the only app type applicable for vet clinics) is Windows based and client/server. Archaic beyond imagination.
Although the benefits of something like Kube for Vetastic are nominal since it is already zero trust and very secure.
But the customer prompting the question is produce logistics, a field in which we create no software (currently).
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
For the customer in question, an ERP dedicated for the produce logistics industry.
Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).
Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?
Vetastic could easily be containerized and deployed on Kube.
Yes, of course Vetastic could
But 99.99% of the industry won't switch to that. If I could switch them to that, that would be amazing.Except for Vetastic, all (literally all) on premises (the only app type applicable for vet clinics) is Windows based and client/server. Archaic beyond imagination.
Although the benefits of something like Kube for Vetastic are nominal since it is already zero trust and very secure.
But the customer prompting the question is produce logistics, a field in which we create no software (currently).
Fair, but the second post I had above covers that. SPIFFE/SPIRE would work in that case.
-
Although the benefits of something like Kube for Vetastic are nominal since it is already zero trust and very secure.
Kube gives you a ton. Arguably the biggest advantage is service discovery.
How are you doing zero trust with Verastic? Is it all JWTs ?
-
@stacksofplates said in Experience with NDR Solutions:
Kube gives you a ton. Arguably the biggest advantage is service discovery.
How would service discovery assist? That would not help in any way. Adding service discovery for a single instance is a lot of work for no benefits. That's a great tech, when you have a use for it. But most software does not.
-
@stacksofplates said in Experience with NDR Solutions:
Is it all JWTs ?
We do, in fact, use JWTs. Pretty manual, but given that it's very simple and limited and deployed in replicable ways simple makes the most sense.
-
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
Cool stuff, but seems far more appropriate for multi-service environments. When you are presenting a single static configuration it seems like more work to solve a challenge that doesn't exist in the environment. In others, absolutely, not knocking the tech at all. Just, for small businesses implementing simple workloads (or ones that they don't control) that's either solving something that isn't a problem and/or not applicable because the infrastructure doesn't exist.
-
No idea how I got in this thread… content moved
-
@notverypunny I run away from DarkTrace don't trust their business practices.
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
Kube gives you a ton. Arguably the biggest advantage is service discovery.
How would service discovery assist? That would not help in any way. Adding service discovery for a single instance is a lot of work for no benefits. That's a great tech, when you have a use for it. But most software does not.
I wasn’t saying it would help. I was saying the biggest advantage kube gives is service discovery. Things like zero trust are secondary.
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
more appropriate for multi-service environments
You can treat systems as services. Comparing the machine someone is accessing the service from along with the time and location are all valid checks that should be done if you are even thinking of something like NDR software. It’s best demonstrated in multi service environments but is still very valid with even single service environments.
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
Is it all JWTs ?
We do, in fact, use JWTs. Pretty manual, but given that it's very simple and limited and deployed in replicable ways simple makes the most sense.
I don’t get what you mean by manual?
-
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
Kube gives you a ton. Arguably the biggest advantage is service discovery.
How would service discovery assist? That would not help in any way. Adding service discovery for a single instance is a lot of work for no benefits. That's a great tech, when you have a use for it. But most software does not.
I wasn’t saying it would help. I was saying the biggest advantage kube gives is service discovery. Things like zero trust are secondary.
Ah, I understand now. Makes total sense.
-
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
more appropriate for multi-service environments
You can treat systems as services. Comparing the machine someone is accessing the service from along with the time and location are all valid checks that should be done if you are even thinking of something like NDR software. It’s best demonstrated in multi service environments but is still very valid with even single service environments.
Oh, like service "consumption" discovery?
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
more appropriate for multi-service environments
You can treat systems as services. Comparing the machine someone is accessing the service from along with the time and location are all valid checks that should be done if you are even thinking of something like NDR software. It’s best demonstrated in multi service environments but is still very valid with even single service environments.
Oh, like service "consumption" discovery?
Yeah kind of. That's one of the big parts of zero trust is verifying everything. Why is Sally accessing this service from a non work computer at 3 am her time with a chinese IP address? Sure this request has the password but that doesn't sound valid. So things like SPIRE will assign SVIDS to services and machines and those can be compared in rule engines like OPA.
So sure, you don't own the ERP or whatever software, but you can set up the infra to allow traffic to it based on a zero trust model. For example: OPA could be your rule engine, any traffic passing to the ERP is validated through a call to OPA based on a JWT assigned at the proxy/api gateway and then OPA would verify the JWT claims (SVID, issuer, etc) before allowing the traffic to hit the ERP.
-
@stacksofplates said in Experience with NDR Solutions:
Why is Sally accessing this service from a non work computer at 3 am her time with a chinese IP address? Sure this request has the password but that doesn't sound valid.
Which means you can automatically perform additional validation with MFA, or straight up deny access.
There's a lot of options really. You can only allow access to certain systems and/or services via company devices enrolled in MDM, with up to date OS, encryption, and endpoint protection. You can verify endpoints and users with passwordless auth via Beyond Identity and in certain cases use additional MFA via Duo or whatever you want to set up.
Sally is trying to log in to her company email. She's authenticated via passwordless auth via Beyond Identity on her work computer. Her work computer passes the health check seamlessly through BYID and allows her to access her email. Maybe she's also prompted for MFA always, or maybe only if she's logging in outside her normal geographic area on her work computer. Maybe (e.g. email) access is denied totally if from a non-company device. Options...
