Practically all vendors of the latest breed of network-based threat detection technology require varying levels of network accessibility to the appliances or virtual installations of their product within a prospect’s (and future customers) network. Typical types of remote access include:
- Core software updates (typically a pushed out-to-in update)
- Detection model and signature updates (typically a scheduled in-to-out download process)
- Threat intelligence and labeled data extraction (typically an ad hoc per-detection in-to-out connection)
- Cloud contribution of abstracted detection details or meta-data (often a high frequency in-to-out push of collected data)
- Customer support interface (ad hoc out-to-in human-initiated supervisory control)
- Command-line technical support and maintenance (ad hoc out-to-in human-initiated supervisory control)
Depending upon the product, the vendor, and the network environment, some or all of these types of remote access will be required for the solution to function correctly. But which are truly necessary and which could be used to unfairly manually manipulate the product during this important evaluation phase?
To be flexible, most vendors provide configuration options that control the type, direction, frequency, and initialization processes for remote access.
When evaluating network detection products of this ilk, the prospective buyer needs to very carefully review each remote access option and fully understand the products reliance and efficacy associated with each one. Every remote access option eventually allowed is (unfortunately) an additional hole being introduced to the buyers’ defenses. Knowing this, it is unfortunate that some vendors will seek to downplay their reliance upon certain remote access requirements – especially during a PoC.
Prior to conducting a technical evaluation of the network detection system, buyers should ask the following types of questions to their prospective vendor(s):
- What is the maximum period needed for the product to have learned the network and host behaviors of the environment it will be tested within?
- During this learning period and throughout the PoC evaluation, how frequently will the product’s core software, detection models, typically be updated?
- If no remote access is allowed to the product, how long can the product operate before losing detection capabilities and which detection types will degrade to what extent over the PoC period?
- If remote interactive (e.g. VPN) control of the product is required, precisely what activities does the vendor anticipate to conduct during the PoC, and will all these manipulations be comprehensively logged and available for post-PoC review?
- What controls and data segregation are in place to secure any meta-data or performance analytics sent by the product to the vendor’s cloud or remote processing location? At the end of the PoC, how does the vendor propose to irrevocably delete all meta-data from their systems associated with the deployed product?
- If testing is conducted during a vital learning period, what attack behaviors are likely to be missed and may negatively influence other detection types or alerting thresholds for the network and devices hosted within it?
- Assuming VPN access during the PoC, what manual tuning, triage, or data clean-up processes are envisaged by the vendor – and how representative will it be of the support necessary for a real deployment?
It is important that prospective buyers understand not only the number and types of remote access necessary for the product to correctly function, but also how much “special treatment” the PoC deployment will receive during the evaluation period – and whether this will carry-over to a production deployment.
As vendors strive to battle their way through security buzzword bingo, in this early age of AI-powered detection technology, remote control and manual intervention in to the detection process (especially during the PoC period) may be akin to temporarily subscribing to a Mechanical Turk solution; something to be very careful of indeed.
-- Gunter Ollmann, Founder/Principal @ Ablative Security