About this Episode:
Security is a difficult discipline to master. It requires experts to continuously challenge themselves and learn new tools and technologies to protect their organizations. In this episode, Mike Spanbauer, Technology Evangelist at Juniper, will discuss some ways to build a threat-aware network. Discover a new way to think about your approach to security architecture and more. Listen up!
TestGuild Security Testing Exclusive Sponsor
Micro Focus Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Try it today
About Mike Spanbauer
Mike Spanbauer is a Security Evangelist for Juniper Security. Mike's work and expertise in network and security advisory, consulting, and product strategy over the last 25 years provide a breadth of perspective across network and security execution, as well as approaches to solving the operational and governance needs that organizations face. He most recently served as Vice President of Research Strategy for NSS Labs, driving the enterprise research and consulting practice for NSS global clients. Prior to that, Mike held leadership roles at Current Analysis and HP in research, strategy, and competitive intelligence. Throughout his career, Mike has possessed a passion for helping guide organizations to make well-informed decisions that ensure delivery on their intended technical outcomes. He brings this passion to Juniper's customers, partners, and prospects, listening to their needs and challenges and ensuring Connected Security continues to address them, day in and day out.
Connect with Mike Spanbauer
- Company: www.juniper.net/us/en/solutions/security
- Website: www.juniper.net/us/en/solutions/security
- LinkedIn: mikespanbauer
Full Transcript Mike Spanbauer
Joe [00:03:00] Hey Mike! Welcome to the Guild.
Mike [00:03:03] Well, thanks Joe for having me.
Joe [00:03:04] Awesome to have you on the show. Is there anything else in your bio Mike that you want the Guild to know more about?
Mike [00:03:09] No, I think that you did a good job covering it. I've been working with enterprises and organizations of all types, all sectors around the world for the last 20, 30 years around infrastructure and security, and a number of the conversations that I've had have been exciting and challenging, and I'm really just happy to share.
Joe [00:03:25] Awesome. So as you mentioned, you have a ton of experience, which I love. So is there anything in the space that you've been seeing over and over again where you're like, "I can't believe that 20, 30 years later we're still addressing this in the security space"?
Mike [00:03:36] I think there's a host of areas that I see as not making a lot of progress as an industry or as a macro. And some of them involve continuing to think that security is separate from networking and largely these are false premises or disciplinary areas that perhaps are holdovers from ages ago when there were discrete requirements and capabilities that demanded dedicated teams because the complexity was just beyond what any single organization can handle. But if you look back over the last 10 to 15 years, the convergence has been occurring. The fact of the matter is that whether organizations are managing it that way or not, the technologies are one, especially when you bring in to focus the cloud context and as a result to manage them as discrete disciplines without considering the overlap and policies, the overlap in capabilities and frankly, the visibility that those combined functions provide both the security organization but also the network organization, as both share a common goal for business continuity and ultimately reduce risk.
Joe [00:04:46] So do you see then DevSecOps as a real thing where they're merging basically, the whole team getting involved, or do you actually see it still as you still need a separate security team and network team, you just need them to communicate more with one another about it?
Mike [00:04:59] So I'm not sure that there's one answer for that. It's a great question, and I think it depends on the organization's own maturity regarding their security policy and processes, what their risk disposition or tolerance is, and how aggressive or how conservative their allowed or physical site strategy is for consolidation and for links. So, you know, for some it indeed may be a combined or unique capability of a cloud architect, for example, but that does require mastery of both network and security disciplines as well as, to a fair degree, application and architecture, all rolled into one. Or do you keep them as separate disciplines, as in the case of NBM carriers and service providers who demand incredible insight into the tolerance of specific links, which is its own mastery and requires incredibly deep discipline and expertise to manage the network infrastructure, where you have a sister team of the security capability sitting alongside, working closely, and collaborating on both incident awareness, visibility to activities, and really collaborating on outcomes as a joint function? So I think there's more than one path, and many possible success avenues for organizations.
Joe [00:06:14] Absolutely. So have you seen anything that's worked for companies to help foster this collaboration or to actually bump up the visibility? Like you said, it's needed now.
Mike [00:06:21] I think it comes down to understanding which outcomes each team is looking to achieve. There's a lot more shared interest than perhaps, you know, some orgs realize. And it's not just that they all roll up under, you know, the technology budget. It's that the common outcome is ensuring successful, secure connections for their users, right? Be that an employee or their customers, users in the context of anyone accessing data across the environment. And so the network team shares the same interests, right? And where perhaps their priority lists are a little different, there's a lot of shared capabilities. And once they have a chance to discuss and understand where those differences may lie, then you can develop at least a common communication framework, if not a common strategy that represents both and does achieve the business outcome of a secure and hyper-available organizational infrastructure.
Joe [00:07:20] Nice. So I did see the title of your Black Hat session, "The Power of Threat Aware Networks," and it caught my interest. I actually didn't see the session. So I'm just curious to know, as I mentioned in the preshow, I'm a beginner. What is a threat aware network?
Mike [00:07:32] It's a good question. Something that we've been pursuing here at Juniper for some time is the concept of connected security. So, as I mentioned, right, that convergence has been occurring naturally over many years, where networking and security are intermingled, regardless of how you've organized the people and the processes in the company. The fact is that the technologies are codependent. And in order to be able to respond to the, you have an adversary, right, of threats today, leveraging the insights that the network telemetry offers, be that perhaps a piece of malware on a client that's making the command and control callback, asking for additional instructions, right? One of the things that in particular a new infection will often do, and potentially then requesting download of a secondary payload, is that call-out of the environment to the remote location that perhaps is a known malware or C&C of a certain location. Just that very action of "I'm calling the bad guy," the network sees. Now, if the security technology is working with the network, then that activity becomes an event that can be an active mitigation. And then the network can have a control implemented to cut off that session or the entire client. In the case where there's a clear infection on this particular PC or whatever the device is, the network contributed to the security intelligence, which then resulted in a definitive mitigation action that can happen autonomously from any user interaction, and does, in fact, for our customers on a daily basis. That is the prospect of enabling your network to be threat aware and able to effectively address security risk.
Joe [00:09:17] So I love how it's autonomous. I think I was watching another session by someone at Juniper and they talked about AI in automation that helps with this. Is this part of a threat aware network?
Mike [00:09:25] So today we have a considerable amount of AI. It heard a few risks in our advanced threat prevention or ATP product. We've been dependent on it and most of the security industry has been using AI for many years as a tool or technique to just more rapidly handle data. But in addition, and I'd wager that the session you heard was from the network folks, we made an acquisition of an incredibly awesome wireless network company last year, 2019 called Mist Systems and Mist is the state of the art wireless LAN, a system that's designed around the premise of understanding connections of users across the wireless environment to automatically or autonomously adjust for consistent experience. So in that, they use AI for that outcome and to determine what the network can self-address or adjust for that optimal experience. Now, behind the scenes, of course, we've been working on that and we're not ready, of course, to share too much. But I can promise you that the potential and the excitement around what AI will offer for a security solution as both the existing solutions as well as we move to the cloud premises, is considerable. To be able to move at the pace of again, threats at the pace of business today is ultimately the outcome that we all desire.
Joe [00:10:52] So with more and more companies trying to ship software quicker and faster, get it out the door, have you seen an increase in security attacks, or the attack surface increase, because people aren't aware that maybe they're consuming an open-source library that has something built in that makes it insecure, or anything like that?
Mike [00:11:08] Absolutely, Joe. I think the point that you just made about the dependence on code that perhaps is not developed in-house, shared libraries, common stock pieces. It does expose organizations to perhaps incorporating vulnerabilities that they may not have been aware of. And while that's just arguably part of the software development lifecycle that has been the case for the industry for ages, it's how fast you can address vulns when they are discovered. And it's the pace at which you can roll in fixes and patches that challenges most organizations, because the identification of vulns is one thing. But when those vulns become exploits and become exploitable, that's where the weaponization motion occurs. And that's where security demands a more heightened and, frankly, rapid response. That becomes the premise of the threat aware network: knowing where the potential issues lie, as well as where there are clear bad activities, and moving rapidly to address those weaknesses, as the goal.
Joe [00:12:09] Nice. So are there any new challenges for the enterprise that explain why you really need to have a threat aware network in place? I think I read somewhere there's like malware as a service now. You mentioned cloud a few times. I'm sure that exposes people to certain security risks that they may not be aware of. So I guess at a high level, any new challenges for the enterprise that you see that are really bubbling up, too?
Mike [00:12:30] I think it's a great question. I could certainly sit here and offer some relative to the additional or the accelerating consumption of as-a-service motions because, you know, you don't always know what apps and outputs and potential API exposures are in there. That's the space that I think, as an industry, we're getting better at: API weaknesses and vulns themselves. But, you know, tomorrow there'll be more. I think it comes back to recognizing that you must have a robust process in place to constantly investigate and be diligent about the identification of these opportunities to better secure vulns or even, frankly, apps, right? Because vulns are known, right? It's the unknown things that are frankly more challenging, because that's where true zero days lie and where, in essence, threat actors are always going to be looking out. Good news: largely, that remains the realm of incredibly well-funded actors with technical add ups and capabilities that are generally far beyond the quote-unquote average cyber-criminal. But suffice to say, there is enough of the other, we'll call them incredibly well-organized actors, that contribute donations or whatnot, but rather those with enough discipline to consistently take apart code and look for weaknesses and vulnerabilities to then exploit from them. And no organizations are immune to this, of any scale. And largely that's where you need to know what code you have, what assets you depend on, where those apps reside, where the data is, and how it's to be used, so that you can build the right policies and tolerances around these motions, these connections, so that you can take action when something odd or anomalous happens.
Joe [00:14:17] So, yeah, I guess I am a beginner. I don't know. I think I heard before someone said, if someone wants to hack you, you're going to get hacked. I know that's a pretty fatalistic kind of view of it, but is that a true statement, or like, how much can you actually prevent? I keep reading about ransomware lately, like Garmin, I think, paid out a ransom. Like, how preventable is that? Is it like you could only do the best you can and eventually you're going to get hacked anyway?
Mike [00:14:41] So I'm not fatalistic, but indeed there is some truth to that statement that if you are indeed targeted by some elements, there's not a whole host of things you can do to prevent the infection. That said, having an effective process in place and knowing how to respond quickly and ably in order to address that before that initial cut becomes an open wound, becomes something potentially far more dire. I think that's where an organization needs to ensure that they have a response plan that's in place that they can effectively execute. And they did drills on this. You need to practice these things like in the disaster context. There's no difference for an epic breach-level event, knowing how to handle the whole procedural piece in the event something like this does occur as part of it. Now, that said, let's step back a moment, because oftentimes people make that statement about, you know, somebody wants to hack you, they will. So they did that based on predominantly the amount of breaches or just the prevalence in the news of the security issue. And the bulk of them are preventable. So while, if there's somebody focused on you, there's probably not a lot they can do if they're well-funded, most people are, in fact, more often hit by commodity malware or vulnerabilities that frankly have been in place for years, right? We've had protections in place for a long time. So that speaks to something else, which is effectively understanding what's running in the environment, identifying infections before they grow into something much more severe, right? In the case of one media infection, and I'm not going to name the individual organization, the infected client was infected for 16 months prior to the actual incident occurring.
And, you know, in that scenario, it was actually a system that was sold on the second-hand market for like twenty-five hundred dollars on the dark web to a very organized actor that then did something far, far more significant. After that, the system was sold, but the initial malware was just sitting there latent for quite some time. So the right processes, inspection, you know, virus controls, and network software likely saw what was in place and just did not take action. So visibility is part of this throughout the environment. And that's our premise, that we're gonna combine security and network visibility in one. When you leverage that information and make it intelligent, that's where you can take decisive action and really help to protect the environment and the users.
Joe [00:17:15] So how would that have worked, say someone used Juniper and they had a threat aware network? How would it bubble up that malware? Does it scan the machines and then bubble up a report, like a percentage or high probability of being an issue? How does that work?
Mike [00:17:29] Now, in regards to that specific incident, we know there was a communication that had been occurring from that client out to basically keep the logs that ensured that it was still there, that it was still an active infection, but it was done so subtly. But the fact of the matter was that the server that it was connecting to was known to be a C&C or a secondary actor. It was an adversarial asset. It wasn't like connecting to some popular major site. That sequence, that connection, was visible. That would have flagged at least an investigation event, if not a direct flag. And so from that alone, the SOC would have at least had visibility. Now, at that point, it would have been dependent on the processes and the people to take action and to investigate. But the network itself could have informed the security teams that, hey, this is strange, right? Why is it connecting, communicating with this, you know? There are no business services that our organization depends on that are there. And it is also a known host for a number of bad actions. So that alone, you know, the reputational pieces, could have condemned that client connection.
Joe [00:18:42] Got you. So we did touch a little bit on AI. I think a lot of people have unrealistic expectations about it. But I think with machine learning, if you have like a real threat aware network, you're probably collecting a lot of data, a lot of log files, a lot of different things. I would think machine learning would be a perfect use case for this. So have you seen an increase in machine learning? And is that part of the solution that you have for being able to really detect these things?
Mike [00:19:03] Absolutely. So, yeah, ML, AI, right? These are all names for either the intelligence to make sense out of large volumes of information or data, right? It's just information until you infer from it something actionable, something particularly important, and that becomes intelligence at that point. And so we've, you know, certainly had a number of machine learning and AI capabilities within our ATP technologies, as well as embedded in the firewall and the management framework itself, that help various components of our complete solution to indeed infer and to draw out of that information and data insights into actionable threat guidance for customers to then take decisive measures in order to intercept or to intercede in a potential activity, a breach, or whatever infection growing worse.
Joe [00:19:58] So in the description of your "The Power of Threat Aware Networks" session they did for Black Hat, it says how to thwart botnet traffic by blocking the traffic at the edge with a nontraditional security device but Juniper Connected Security. So that sentence is a mouthful. Could you break that down? For a newbie, what does that mean? Is that a common type of attack that you've been seeing recently?
Mike [00:20:17] It is. And so let me make it simple. That is quite a statement. So in that particular scenario, what I walked through during the session was the example of botnets, which are hosts, drones, or devices that have software installed on them that can be controlled in concert and basically commanded to do certain things, right? Some denial of service, actually do other things. So that's this piece. Now, recognizing that you have a device that is a part of a botnet, an identified source, is part of the intelligence that I've mentioned before, and the threat aware network recognizing that. But the other piece is being able to intercept and to block those communications before it even bothers the security plots. And so you can drop that traffic, that activity, those command actions at the WAN edge of the environment so that you don't even pollute the interior of your infrastructure and your organization once you know definitively that that is a botnet connection. And so we can do so either on Juniper routers or on competitor routers, right? You know, we're keen on ensuring customers can use the capabilities that our connected security strategy offers throughout, you know, the infrastructure they have today, because, you know, well, we believe it absolutely does work a little bit more effectively or efficiently to deploy on a Juniper infrastructure, the reality is that, you know, we can't expect an organization to adopt our solution. And then frankly, there are some cases where it may not be the ideal solution of being able to support our premise and the connected security strategy by being able to drop bad connections in their existing wireless, their routers, et cetera. That's fundamentally what we're supporting our clients, our customers today doing around the world.
And so in the talk, I walked through being able to drop a specific client at the routed edge before it ever traversed the DMZ into the interior environment except we don't even have to cross the firewall in our case. And we can drop that connection right there at the WAN port.
Joe [00:22:28] So it sounds like in a network architecture, the router may be your first line of defense, and is that an area you're seeing people kind of avoiding or maybe not having enough emphasis on?
Mike [00:22:39] I don't think that folks realize that it can be a capable ally or element in a security intercept beyond your typical stateful rules, right? So routers have always been able to manage and direct based on IPs and on ports, which is what they do. However, by using the security intelligence and instrumenting a command that this specific IP, that this specific port is malicious and that that client shouldn't be talking to that server, that's where you could turn a router into more. That is the fundamental underpinning of the threat aware network, that we can turn, you know, typical infrastructure, non-security devices into able security technologies to empower the entire environment.
Joe [00:23:26] So as I mentioned, the router has been around forever. What I've been hearing more about, and I think it's a buzzword because it's been years, is the "Internet of Things." So have you seen, as more and more nontraditional devices like "Internet of Things" devices connect to the network, that it expands the attack surface for people that may not be aware of what they need to do in order to make sure that those aren't compromised?
Mike [00:23:46] IoT is indeed a significant challenge. And we've seen only a fraction of the devices that we're likely to have in the next 5 to 10 years attaching already, with 5G, you know, imminent. The performance of those connections is going to increase exponentially, right? You know, multi-gig connections on a per-device basis. That opens up a whole host of potential challenges if you do not have a network or an infrastructure and security model in place that can monitor and provide visualization or visibility to all of those communication actions and all that data transference. Indeed, we're only seeing the beginning stages of what kind of potential risk it opens for organizations who perhaps haven't thought through it, because for years we raced to connect based on convenience, and admittedly there was good logic to doing so, right? Water meters and so forth. But we didn't think that people would be, we wouldn't think there was a risk, and or taking advantage of that. And so we have devices and technology out there, these little simple sensors and monitoring nodes that don't even have the memory or CPU capabilities to have security instrumented on them. So where can you protect those elements? The only place you can do so is at the network or upstream from that device. And doing so at the connection, that's really the core of our strategy and why security and Juniper's network heritage are combined to provide our customers that stack. So IoT, it's going to be a handful. And I think we're up for the challenge, but it's going to be a journey for the industry to get their hands around.
Joe [00:25:24] Nice and I keep mentioning I am a newbie to security, but every time I look up security Juniper always comes up. So I guess for the folks that are like me, what is Juniper? What are your solutions? How does it help folks? Why do I keep seeing it every time I look for security-related items?
Mike [00:25:38] It's a good question, Joe. I appreciate that we do come up often. I mean, so we've been in security for a very long time. Juniper was, in fact, one of the first network security leaders in the industry, you know, since 2003, when an acquisition was made of, at the time, the market-leading firewall technology vendor NetScreen, right, for folks who've been around a while. It's a logo that perhaps stayed up, as we mentioned, for some time, but Juniper's then very much, you know, one of the fundamental vendors, driving in a leadership position the network security architecture for the last almost two decades. And so, you know, our solutions entail both network or next-generation firewalls as well as a host of adjacent and complementary technologies that support that agile and sort of flexible visibility as demanded by organizations of all sizes, and by all sizes, you know, referring to all the way up to the absolute largest environments on the planet, which depend on and rely on Juniper security and network technologies to how are their communications every day. In fact, we're very likely communicating across two or more infrastructures that are on Juniper right now, given the presence on 98, 99 percent of all providers and hosting locations in the world.
Joe [00:26:57] And that must be kind of stressful too, I guess, because say Juniper had a security hack somewhere. Then there'll be an exploit that'll be open to a lot of folks, I guess.
Mike [00:27:06] Yeah. So, I mean, we definitely need to remain diligent. I mean we've got a lot of software, right? So any organization is potentially vulnerable, depending. And so we have a team that looks very closely at and constantly monitors for it. There's no one immune to it no matter how diligent you are. But it's also how fast you respond to it and how well you, you know, enable your users, your customers to handle this thing.
Joe [00:27:30] Awesome. So, Mike, those are all the questions that I have. I have one last question I ask everyone. But is there anything you definitely want me to ask or anything you think I should have covered?
Mike [00:27:36] The piece that I'll offer and I think the one that I hear most often is, so how do I get to a place of a truly secure infrastructure? Is there a perfect network security environment? And I'm a pragmatist, right? You know, having seen an awful lot of things, some rather experimental. Some proven out over time, that there is no single perfect. And I think that you know, it largely comes down to picking a technology provider that you know is passionate about delivering the best possible technology products and capabilities, listening to you actively and hearing from customers what they need, what is legitimately the real challenges that they face. That's the best possible in a direction I can provide. And I spent a decade, like I said, consulting prior to this, helping guide organizations pick the best technologies for them. I personally feel that Juniper's got an awful lot to offer, practically any organization, but I won't sit here and say that it's perfect for everyone. And so it really comes down to ensuring you can trust the technology vendor that you've chosen because you are partnering with them and you need to feel that they're on your side to provide the best possible solution that can be. And to that point I'll offer folks, you know, firstname.lastname@example.org, you know, if you have questions for me, I'd be happy to take them personally, as I do indeed want to hear from organizations around the world who either use us today and everyday life and your means, as well as where you feel that there's something else, some opportunity and more, right? So we're here for you. And that's what I'll leave.
Joe [00:29:12] Okay Mike, before we go, is there one piece of actionable advice you can give to someone to help them do security testing efforts? And what's the best way to find or contact you?
Mike [00:29:20] I think, as far as the best security testing advice, you can never make an assumption that the device is behaving exactly as you expect it to. You must do your own proof, and then not. That doesn't just include the purchase motion, but also instrumented controls and policy, right? Make certain that it is, in fact, behaving as you expect it to before you roll out the production code keys, and validate that it is doing what you anticipate. There is no substitute for that. That hands-on validation, it's what in a sense does, and it remains very much a core of my being, that will help an organization arrive at a confidence level. And then as far as contacting me, my e-mail address is email@example.com, or of course, you can find me on LinkedIn also, Mike Spanbauer with Juniper Networks. So I'd love for folks to reach out, and we're happy to chat.
Join Mike at this year's SecureGuild online conference to learn how you can develop a security test methodology!
Rate and Review TestGuild Security Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.