Experience with NDR Solutions
-
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
Cool stuff, but seems far more appropriate for multi-service environments. When you are presenting a single static configuration it seems like more work to solve a challenge that doesn't exist in the environment. In others, absolutely, not knocking the tech at all. Just, for small businesses implementing simple workloads (or ones that they don't control) that's either solving something that isn't a problem and/or not applicable because the infrastructure doesn't exist.
-
No idea how I got in this thread… content moved
-
@notverypunny I run away from DarkTrace don't trust their business practices.
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
Kube gives you a ton. Arguably the biggest advantage is service discovery.
How would service discovery assist? That would not help in any way. Adding service discovery for a single instance is a lot of work for no benefits. That's a great tech, when you have a use for it. But most software does not.
I wasn’t saying it would help. I was saying the biggest advantage kube gives is service discovery. Things like zero trust are secondary.
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
more appropriate for multi-service environments
You can treat systems as services. Comparing the machine someone is accessing the service from along with the time and location are all valid checks that should be done if you are even thinking of something like NDR software. It’s best demonstrated in multi service environments but is still very valid with even single service environments.
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
Is it all JWTs ?
We do, in fact, use JWTs. Pretty manual, but given that it's very simple and limited and deployed in replicable ways simple makes the most sense.
I don’t get what you mean by manual?
-
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
Kube gives you a ton. Arguably the biggest advantage is service discovery.
How would service discovery assist? That would not help in any way. Adding service discovery for a single instance is a lot of work for no benefits. That's a great tech, when you have a use for it. But most software does not.
I wasn’t saying it would help. I was saying the biggest advantage kube gives is service discovery. Things like zero trust are secondary.
Ah, I understand now. Makes total sense.
-
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
more appropriate for multi-service environments
You can treat systems as services. Comparing the machine someone is accessing the service from along with the time and location are all valid checks that should be done if you are even thinking of something like NDR software. It’s best demonstrated in multi service environments but is still very valid with even single service environments.
Oh, like service "consumption" discovery?
-
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
@scottalanmiller said in Experience with NDR Solutions:
@stacksofplates said in Experience with NDR Solutions:
SPIFFE/SPIRE
more appropriate for multi-service environments
You can treat systems as services. Comparing the machine someone is accessing the service from along with the time and location are all valid checks that should be done if you are even thinking of something like NDR software. It’s best demonstrated in multi service environments but is still very valid with even single service environments.
Oh, like service "consumption" discovery?
Yeah kind of. That's one of the big parts of zero trust is verifying everything. Why is Sally accessing this service from a non work computer at 3 am her time with a chinese IP address? Sure this request has the password but that doesn't sound valid. So things like SPIRE will assign SVIDS to services and machines and those can be compared in rule engines like OPA.
So sure, you don't own the ERP or whatever software, but you can set up the infra to allow traffic to it based on a zero trust model. For example: OPA could be your rule engine, any traffic passing to the ERP is validated through a call to OPA based on a JWT assigned at the proxy/api gateway and then OPA would verify the JWT claims (SVID, issuer, etc) before allowing the traffic to hit the ERP.
-
@stacksofplates said in Experience with NDR Solutions:
Why is Sally accessing this service from a non work computer at 3 am her time with a chinese IP address? Sure this request has the password but that doesn't sound valid.
Which means you can automatically perform additional validation with MFA, or straight up deny access.
There's a lot of options really. You can only allow access to certain systems and/or services via company devices enrolled in MDM, with up to date OS, encryption, and endpoint protection. You can verify endpoints and users with passwordless auth via Beyond Identity and in certain cases use additional MFA via Duo or whatever you want to set up.
Sally is trying to log in to her company email. She's authenticated via passwordless auth via Beyond Identity on her work computer. Her work computer passes the health check seamlessly through BYID and allows her to access her email. Maybe she's also prompted for MFA always, or maybe only if she's logging in outside her normal geographic area on her work computer. Maybe (e.g. email) access is denied totally if from a non-company device. Options...