Fireside Chat Control 13 Network Monitoring & Defense

It is the Third Tuesday of the month, and we bring you to Control 13. This is an exciting Control (they all are) because it is often confused with being legacy, it is also potentially cost-prohibitive, and we believe it will likely only be doable when partnering with third-party resources. Matt Lee brings it home as he always does!

[00:00:00] Welcome to MSP 1337. I'm your host, Chris Johnson. A show dedicated to cybersecurity challenges

[00:00:14] and solutions, a journey together, not alone.

[00:00:22] Welcome, everybody, to another episode of MSP 1337. That's right. It is the third Tuesday

[00:00:28] of the month and we are doing fireside chat with Matt Lee. And this week we are on Control

[00:00:34] 13, Network Monitoring and Defense. Matt, welcome to the show.

[00:00:38] Man, I tell you these things are going by fast. They're gonna have to invent new controls

[00:00:43] and new safeguards just so we can have something to talk about in fireside chat. Right Chris?

[00:00:47] I was actually thinking like what framework would we... No, I'm not going.

[00:00:52] Maybe there's another one we could even correlate to that has more expansiveness in different

[00:00:57] categorization. You mean like NIST? No, I was thinking trust mark. Yeah.

[00:01:04] Well we could digress anyways. Yeah, that's a good idea. Man, I can't believe I didn't

[00:01:08] think of that. Yeah, yeah. No, I did. I think what I would propose doing the next time

[00:01:13] around is maybe talking about some of the domains that don't exist in NIST and the

[00:01:18] importance of those domains to the practice. So stay tuned. We might tackle governance

[00:01:24] little g and big g before we get through all 18 of CIS.

[00:01:29] Fair enough, we may, but for now, back to 13. And Chris, to your point, in order to understand

[00:01:36] who killed the dog... No, sorry, I might have made a reference there.

[00:01:40] Now, in order to just understand 13, one has to have a healthy 12, and you're actually

[00:01:45] going to see that 12 and 13 have this high amount of correlation, right, between each other,

[00:01:50] as far as dependence, like what we're going to be doing, how we're going to be gathering

[00:01:54] it. The things we're talking about here are going to come into and feed some stuff that

[00:01:59] was given to you in 12 that you weren't prepared for. Sure. Right, 12.2 says establish

[00:02:04] and maintain a secure network architecture. What is that? Right, we're going to see some

[00:02:08] of that in 13. I mean, in that it says you address, at minimum, you know, segmentation

[00:02:13] and some other things, but ultimately, we're going to see some of those suggestions

[00:02:17] build upon 12 with 13, specifically 13.3 and 13.4 and a few others. But let's

[00:02:24] get into it, Chris. What would you like to say before we get started?

[00:02:26] I think before we get started, you know, you brought up the trust mark, and I think it's

[00:02:29] important to say this, like, there are no IG1 safeguards in this control. And from a

[00:02:36] capability standpoint, I think this kind of comes through two lenses. One is, okay,

[00:02:40] Yeah, it may not be the easiest of the control domain controls to do. Obviously

[00:02:46] it comes later in the set of 18. One of the things that comes to mind for me is

[00:02:51] our ecosystem, our world has shifted drastically post COVID. The traditional

[00:02:57] network that we would monitor has changed dramatically as far as what is

[00:03:02] quote internal or the enterprise. And so I think it's important as we're going

[00:03:06] through this to maybe touch on that like, hey, this safeguard might not directly

[00:03:10] apply to you in the same way. And I love saying this to people that go, oh,

[00:03:15] it's such a legacy safeguard. I'm like, well, it might be a legacy

[00:03:18] safeguard. How would you address it? Yes, if we take that word legacy out,

[00:03:24] assume it's not because we hear this all the time. My favorite one yet today is

[00:03:28] tied to the wireless network. Like, yeah, we don't have any wireless access

[00:03:32] points on our network. I'm like, until you do what happens when that changes?

[00:03:37] What happens to your organization if that changes? What if it's not up to

[00:03:40] you to put that wireless access point in and now it's there? Do you just go

[00:03:44] with like, yeah, well, we don't have anything in place to handle this new

[00:03:47] change in our environment? And there's nothing we're going to do about it

[00:03:50] because that's just too hard.

[00:03:53] Well, and I think, I mean, keeping it back to the point of not having IG1s,

[00:03:58] even then, to your point, when we start thinking about an IG2 group like this,

[00:04:03] and we start saying, okay, it's because we built one through 18 in IG1,

[00:04:08] one through 12 in IG2. And now here we stand looking at an IG2.

[00:04:14] And also to your point of this, like the delineation of what is a network,

[00:04:18] right? When we start thinking about, you know, look at Control 13.1, let's just

[00:04:22] start it. Well, first, let's start where we are. Let's start where we are. So

[00:04:25] what's the overview of this safeguard? It is, or control family. It is to operate

[00:04:29] processes and then you look at this operate is called out. And this gets me into a little

[00:04:33] bit of a diatribe, right? So strategy versus tactics versus operations. Strategy is what

[00:04:40] kind of war are we going to fight? Right? Is that going to be a war of attrition,

[00:04:44] some type of strategic war where the strategy is going to be to take out their tactical

[00:04:48] capabilities and operational capabilities to deliver war without killing more humans?

[00:04:52] Or XYZ tactics are going to be which hill, which way, which place supports that,

[00:04:58] which factory do I take out to take out the or which oil field, things to that nature,

[00:05:02] right? Of that. But operations are going to be like, who's the bloke driving the

[00:05:06] truck towards that hill? Like that's, that's operations. So when they look at this,

[00:05:10] operate processes, meaning you better be doing this, this needs to be operational and functional

[00:05:15] and tooling to establish and maintain comprehensive network monitoring and

[00:05:19] defense against security threats across the enterprise's network infrastructure,

[00:05:23] comma space and user base. And this is where that shift you're talking about

[00:05:28] becomes so poignant in that if my user base has shifted outside of my castle,

[00:05:33] and I haven't addressed that shift, then there are some core network decisions

[00:05:38] that also need to be made. Am I moving to SASE? Am I dealing with things with VPN?

[00:05:42] How am I going about this in that regard anyways?

[00:05:45] No, you're, this is great because I think this kind of goes into, we were talking about,

[00:05:49] you know, what's my, what's my capability, right? And I think

[00:05:53] most solution providers today probably aren't standing up a SOC in their own MSP.

[00:05:58] They are probably contracting out to a third party.

[00:06:02] Sure.

[00:06:02] Think about how that might work, and you're like, well, if I have a third-party SOC

[00:06:07] and they're not in my, quote, local network, then that means that the things that they

[00:06:12] can monitor feasibly would be beyond what is the, quote, legacy firewalls, because that's

[00:06:18] when you're seeing that, right? You're seeing that be in the, you know,

[00:06:22] and I don't want to name any names, but the players that are monitoring Microsoft or

[00:06:25] identity extensibility and things. And I think, you know, you and I've said this

[00:06:29] many times, I've been saying this for years, but you know, I think identity is the new edge,

[00:06:33] identity is the new definition of security. But moreover, when we think about this shift,

[00:06:38] we're moving in my mind from this beeps and boops centric world of this one off and there's an

[00:06:43] anti malware, they're in a malware event and to that's Matt's machine, Matt has this privilege

[00:06:48] and access. These are the things and the identity becomes that extensibility, right?

[00:06:52] And I think that's the biggest part we should focus on.

[00:06:54] Let's talk about that permanent as we get into the safeguards.

[00:06:57] The first thing that popped into my head when I was going through this control is the

[00:07:02] responsibility matrix is drastically different than what it was in the quote legacy.

[00:07:07] Oh yeah, especially the shared responsibility matrix, right? That SRM

[00:07:11] context shared responsibility matrix where does you know, and especially in the MSP world that

[00:07:16] we serve as clients, right? So like thinking about, I've got a sock and okay, so it's

[00:07:22] a third-party vendor and the SOC is monitoring not just me, but it monitors my

[00:07:26] client and what does the, as we get into like this first one, you know, event alerting 13.1

[00:07:31] and 13.2, which is, you know, host based intrusion detection, like what happens

[00:07:39] when these events occur? Who's getting notified? Is it me? Is it my, you know,

[00:07:44] like is it someone on my team? Like there's so many things that popped into my head when I was

[00:07:48] going through this. So like, yeah, walk me through. Let's start with 13.1.

[00:07:51] Well, 13.1 is also, I want to also throw out maybe a little bit of a salacious point

[00:07:56] here with 13.1. A lot of people say 13.1 says I have to have a SIEM, right? But it ends with,

[00:08:03] and I'll read this to you, centralized security event alerting across enterprise assets for log

[00:08:08] correlation and analysis. So we'll unpack that in a second. Best practice implementation

[00:08:12] requires the use of a SIEM, comma space, which includes vendor-dash-defined event

[00:08:19] correlation alerts, period space. A log analytics platform configured with security

[00:08:27] relevant correlation alerts also satisfies the safeguard. Which means it's not just a SIEM.

[00:08:33] You may not have to be able to search forever in history of a stored and ever-growing SIEM that

[00:08:38] has constant capabilities of past data or those things. You may be able to subscribe to an MDR

[00:08:45] platform of extensibility that allows those data sets to be done through a log analytics platform

[00:08:50] with security-related correlation alerts brought to that. You forgot one thing. You normally catch

[00:08:56] all the commas and spaces, but I'm going to say this. The first thing that it says is the

[00:09:00] statement that is this control and it says, yes, centralized security event alerting centralized.

[00:09:07] Let's go back to privileged access management as an example. We don't say you must have

[00:09:13] one central repository. Yeah, I love to read that. Yeah. So I think it's important to look at that

[00:09:19] through the lens here too because it does give you two examples of ways to satisfy this. Yes.

[00:09:24] And obviously it gives you a best practice. But I think it's important to say like, but

[00:09:27] there are things that I may not be able to centralize into just one place. And I think

[00:09:34] that's really important, especially for MSPs dealing with lots of clients and lots of

[00:09:38] different environments is like, as best you can. Right? Yeah. You might have three

[00:09:42] central places to be your central locations. And I think to that extent they've said that many

[00:09:47] times before, I love that you bring that back up is it is really about if you're going to

[00:09:51] centralize, it doesn't all have to be in one place when I will make an argument against

[00:09:55] though Chris, when it comes to security event alerting, I would make it an argument

[00:10:00] it would be very hard to do an effective job of that without one core central point. And

[00:10:06] I'd also go far to say that when you're dealing with centralization of anti malware,

[00:10:11] or centralization of identity, or centralization of access control, all of those have limitations

[00:10:17] that event and security event alerting do not in the sense that event alerting actually can be

[00:10:23] sent to a common platform in all of those cases as the event security event being alerted to.

[00:10:30] This also could be your ticket system potentially when you get to that aspect of it. And I

[00:10:34] don't mean every event now I mean incidents, but certainly at the event level you could have a

[00:10:39] SOCaaS, right, a SOC-as-a-service, and MDR platform is willing to absorb all of those things.

[00:10:45] Because you just kind of describe several different things like I'll use this as an example.

[00:10:50] Think about an XDR vendor and their process. I mean, that in some respects is a centralized

[00:10:56] location for what is happening on endpoints and most endpoints and network now growingly

[00:11:03] you have Syslog and other extensibilities. But my point is that's a centralized environment

[00:11:08] and in a lot of cases, you see this a lot that might be the extent of what they have in place.

[00:11:14] Now, is it best practice per the SIEM statement in this control? Probably not, but again,

[00:11:20] we're not looking for perfection the first time. Well, and I want to clarify something I'd

[00:11:24] said so that I don't, like, make people throw rocks at me. I'm not saying your PSA can become

[00:11:28] your SIEM. I want to make sure that's not what's taken away from that. What I'm really saying is,

[00:11:33] let's say I'm hiring a Schmack Point and they're going to receive all of my endpoint-related,

[00:11:39] you know, data, and I'm going to send them log analysis pieces that they'll pilfer through for

[00:11:44] the things that matter, and, comma space, they are providing log correlation, comma space, and

[00:11:50] analysis, whether that be through human method measures, SIEM, or through log analytics platforms

[00:11:55] that are looking at these things for those patterns or you know TTPs or whatever it may be IOCs

[00:12:01] to that nature. And so when we think about that, those type of companies in my mind could then send

[00:12:06] those tickets to your PSA and the PSA becomes where something becomes risen to an incident

[00:12:10] or something that needs to be an event that needs to be managed. Whereas what they're doing in

[00:12:14] 13.1 is really just saying bring all this stuff together, all these beeps and boops that go

[00:12:19] off so that somebody can go that beep is Chris's machine that beep is Chris Chris now had

[00:12:24] an access to this platform that beep now means that these combined beeps indicate we have an

[00:12:29] incident we need to deal with. So jumping into 13.2 deploy a host-based intrusion detection solution.

[00:12:36] Yep, good old HIDS. Yeah, so I think about the number of times that, you know, you've done

[00:12:40] forensics on an end point and you're looking at the event and alert log. Well wait there's

[00:12:45] an event alert log that's centralized for that host right like that is a place that's

[00:12:50] going to have all of those things in it. I think sometimes we forget that what are we doing with

[00:12:54] that information? Why is it important? Yeah, back to 13.1. Send it somewhere else. Right, to your point,

[00:12:59] and what we're getting at when you're talking about, and I want to just clarify 13.2,

[00:13:03] 13.3, HIDS, NIDS: host-based intrusion detection solution, HIDS, H-I-D-S,

[00:13:09] and network-based intrusion detection solution. What's the principal difference between that

[00:13:13] and the later ones? Well, HIDS can only detect and not do anything about it. It is not

[00:13:17] in a position to take action, whereas HIPS and NIPS, which we'll get to later, are. But to your point,

[00:13:23] when 13.2 goes beep and says we found something, or 13.3 goes beep, it says I found something,

[00:13:28] but it has to go to 13.1 where something can correlate and analyze those beeps and boops.

[00:13:33] Back to the point of what is a HIDS or NIDS or HIPS and NIPS. Host-based intrusion says

[00:13:37] it's an agent on the host that's looking at things from the host context; network-based

[00:13:41] intrusion are looking at the network side of it. Now, sometimes in a SASE world, back to your

[00:13:46] initial point, or in a world where I'm agent delivery of what is a network, or a software-defined

[00:13:51] networking methodologies, then 13.2 and 13.3 might come together, or it might be married

[00:13:57] together in a solution where they're happening, the network part's happening inside, let's say,

[00:14:02] Schmodel's network and the host-based stuff's happening on Schmodel's endpoint agent.

[00:14:07] Remember when this used to be like crazy hard to do? I mean I think it's all packed

[00:14:13] into stuff now right? I mean it's mind-boggling when you think about today like there are tools

[00:14:18] and services out there that have made some of this that used to be like even the response time

[00:14:25] has shrunk dramatically as a result of the ability to actually. Of course, time to detect right?

[00:14:29] Yeah. And now that you call this out, 13.1, 13.2 and 13.3 are all detection capabilities. They're

[00:14:33] all trying to find when something went bad. Why do we care about that? Well, for all those

[00:14:38] people out there, if you can do simple math, until NIST 2.0 breaks this,

[00:14:42] I have Identify, Protect, that's 2; Detect, Respond, Recover, that's 3. That's 3 of 5 versus 2 of 5,

[00:14:48] which means that the 3 of 5 is more, which means more stuff that makes a difference in my outcome

[00:14:53] happens after the explosion. And so 13.1, 13.2 and 13.3 is saying how do we detect this quicker. To your

[00:14:58] point, response times, more information, more contextual, more valuable to what its value

[00:15:03] is to the impact of this organization. And then we get into 13.4, which sounds simple,

[00:15:09] sounds like it should be already addressed and is part of what would be ascribed in 12.2,

[00:15:09] sounds like it should be already addressed and is part of what would be ascribed in 12.2

[00:15:13] but it says not only do we have segmentation now we're actually looking at what Chris's

[00:15:18] network segments trying to do to poor old victim Matt's network segment right I'm

[00:15:22] paying you as the bad guy Chris you know I have to say on this one this is one that I've seen

[00:15:26] a lot in in the years that I've done you know network assessments where I've looked for

[00:15:31] you know vulnerabilities and it's looking at a VLAN segment you're like this VLAN can

[00:15:35] talk to all the VLANs actually the first yeah you know as I looked at talk to all the

[00:15:39] they've done it back only at the layer 3 switch so that any of their filtering can't happen because

[00:15:44] it's just actually making the router the funds that layer 3 right that is a perfect example of it

[00:15:49] and you're like you guys I mean I get that you understand how the topology works but did

[00:15:54] you understand how the intention of this and this is a protect safeguard right this is protect

[00:16:01] network why because if I land in this magic honeypot that is Chris's terrible security posture on his

[00:16:06] machine I don't want that to necessarily pivot and permeate into other segments and I want

[00:16:12] there to be capabilities of network intrusion detection between those two segments that say

[00:16:17] hey this Chris guy just got super shady all of a sudden and we're seeing some traffic

[00:16:22] happen that says it's shady let's block that and hopefully you limit my access and what I can

[00:16:27] do across those network segments so that I'm limited in what I can do to summarize I think

[00:16:31] what you're talking about in the the threat actor spaces they've moved laterally yes thank you I would

[00:16:38] want to limit lateral movement as a definition. Thank you, yes. So 13.4 is saying filter

[00:16:43] between them, and that can get into your DLP, that can get into a lot of other things that

[00:16:48] you could now be filtering for between those, especially if you have packet inspection capabilities,

[00:16:52] all kinds of stuff that's really fancy at that level that can do kind of checking what's happening

[00:16:58] there. 13.5, manage access control for remote assets. Like, hey, maybe, maybe, maybe manage access

[00:17:06] control for assets remotely connecting to the network. Determine the amount of access based on,

[00:17:10] hold on, guys and gals, up-to-date anti-malware software being installed, configuration compliance

[00:17:15] with secure configuration process. That does include not running a Plex server, out of date, on a home

[00:17:21] asset that you're connecting into my network. It doesn't have any malware, running Windows XP,

[00:17:27] right? Like, I'm losing my crap here, but that actually happened, I think, oh, by this fake company called

[00:17:33] Schmast Pass, right, that was out there, I've heard about. And so when you get into this, these

[00:17:37] are basic, basic concepts. This is an IG2, but still, it's saying if you're letting people touch your

[00:17:43] data, and this goes back to your point, Chris, it is not a, what is a network. And I like to say

[00:17:48] what Phyllis Lee has said many years ago, which is your users' network, your company's network ends

[00:17:54] where your users' fingertips land. Yeah, and that's the point here is when you're talking

[00:17:59] about that network, it now needs to include those other places where I'm at, at home, and that means

[00:18:04] that as I'm getting into access data, that means I'm coming in remote, as a remote access,

[00:18:09] and therefore I need to look at these things like, do I have any malware? Am I encrypted?

[00:18:12] Do I have my OS up to date? Am I meeting compliance policies? Those things that are

[00:18:17] mattering. And you can see that, to your point earlier, these things never existed before. I had to

[00:18:21] buy a separate tool to do this from Duo for device health. I can do this with Microsoft Conditional

[00:18:25] Access now for a lot of things. Yeah, anyways. So before we move into the next group of safeguards,

[00:18:31] which are now, would be, the IG3s, I think it's really interesting to look at where we've gotten

[00:18:35] to, and 13.5 kind of highlights some of that. When we talk about remote control for remote, or

[00:18:42] manage access control, access control, where have we heard that before? We heard it at the end of 3,

[00:18:49] right? And then we heard it again in 5 and 6. And I'm glad you brought this up. This is a new

[00:18:53] type of access control being brought up. Exactly. And you name what it is, because we've done RBAC,

[00:18:58] and we've gone down that path. What would this be? It starts with an A and ends with BAC.

[00:19:03] ABAC. What is ABAC? ARP? Nope. It is attribute-based access control.

[00:19:10] And the point is that we're now starting to say, what's some of those attributes? Like, is anti-

[00:19:15] malware up to date? Is configuration compliance held? Is this in its configuration process? Does it

[00:19:21] have an ensured operating system up to date? Those are all parameters or attributes that then, now, when

[00:19:26] I'm doing access control, I'm saying, yeah, that's Chris, and yes, he's coming in from a company device,

[00:19:30] fine, but is it healthy? Those are attributes, right? And company device attributes, think about

[00:19:37] taking that a little bit further. Remember when detecting an asset could identify things like,

[00:19:41] ooh, that's coming from a Chrome browser, period? Yeah. Today it can identify that it's

[00:19:47] Edge or Chrome or fill-in-one can identify, right? Right. And to your point, it can usually only

[00:19:54] see user agent string in context, but when you add in an agent, yeah, adding in these types of

[00:19:59] capabilities of saying, especially if they're authenticated, yeah, totally, we'll think about

[00:20:02] where this would be applied. In VPN land, you in the past would have used like a Schmoo agent,

[00:20:07] like this fictitious company Schmoo, and that Schmoo agent would have then done some health attribution

[00:20:12] as part of its authentication flow, but really also authorization. Doesn't meet the requirements.

[00:20:17] Before we move on, and I think this is really important, because I think, you know, to some

[00:20:22] extent, you know, we can see how this safeguard actually could have lived elsewhere, right? Like,

[00:20:26] it could have. It's not that it, but it should live here. Like, but it needed maturity

[00:20:31] first. You needed 4.1 and 4.x, you needed 12.1 and 12.x, you needed 10.x as the 1.1s, and so,

[00:20:39] yeah, good call-out. One of the things that I think we should highlight as we move into the next

[00:20:43] safeguard is that we go into, like, you know, well, this one specifically, it uses the word logs,

[00:20:48] and I think that's an interesting statement, because we've been here before. Like, whoa, isn't

[00:20:53] that 8.9, right? Isn't that 8? Yeah. And I think it's important to see this here again, because

[00:20:59] it goes back to what we were just talking about in 13.5, when we're talking about, like, ensuring that

[00:21:05] things are up to date, ensuring that things are compliant. That's one of the great values of collecting

[00:21:09] logs is you can start seeing some of that data flow in and tell you things that you wouldn't

[00:21:13] necessarily otherwise know if you're not collecting that information. Yeah, and hopefully in more near

[00:21:17] real time. And when our traffic flow, when we're talking about traffic flow, we're really

[00:21:21] talking about established, because you're getting into 13.6, collect network traffic flow logs.

[00:21:25] It's really talking about establishing connections and destruction of connections and

[00:21:29] what flowed there overall, right? And so NetFlow, or network flow logs, are really more NetFlow

[00:21:34] session states that talk about what did Matt and Chris do as communicators as they talk to each other,

[00:21:40] right? And where did they go? And your point, more data. So we're in detection again.

[00:21:44] Line, and just export my entire, you know, C:\ to some different... No, no, I need NetFlow,

[00:21:51] so I want session states in the moment. Yeah, and that is the point to call out. Actually,

[00:21:55] detection of network traffic flow logs: traffic flow logs are different than traditional other

[00:22:00] logs in the sense that they are moment-of-state type information, like what did Matt do and when with

[00:22:05] these flows? Like, what data went where? How did it go? Who did he communicate with? Those kinds of

[00:22:09] things. And I don't want to miss this jump from, you know, network traffic flow is a detection,

[00:22:16] right? And it's meant, again, we were surrounded by these detections, then protection, protection,

[00:22:21] now detection again. And that's because we're looking at logs, to your point, and trying to

[00:22:25] figure out what's going on, whether that be during the moment of battle or posthumously,

[00:22:29] to your point, right? And sometimes pre-humously, and pre-battle, of is it configured

[00:22:34] right, is it up to those contend? And look back at 13.5. 13.5 is a pre-battle, because

[00:22:40] it's saying let's look at this and see if anti-malware's in there before I let Chris connect

[00:22:44] to the VPN. That's pre-battle, that's protection, right? Again, HIPS, and then now we're at HIPS and NIPS,

[00:22:50] which are not only should you be able to detect crap when it's flowing between those networks,

[00:22:54] but now you should be able to stop it. You should be able to actually do something, like an EDR or

[00:23:00] an IPS-based agent on some device that says, now Chris did bad stuff, let's stop Chris

[00:23:05] from communicating with the world. Well, you keep using these, you keep saying acronyms as words,

[00:23:10] and I know we're going to start getting bleeped, because, yes, true, and do explicit content. So

[00:23:17] host-based intrusion prevention and network-based intrusion prevention. Yeah.

[00:23:22] Talk to me about that, because we had the one that, you know, a one in the middle of a lot of

[00:23:27] protect. So HIDS and HIPS and NIPS, basically what they're doing, if you look at this in escalation,

[00:23:34] it probably is a legacy of price-based discussion. And what I mean by that is, if you get to

[00:23:40] HIPS, and remember when you used to have IDS-type solutions in a firewall, but then you could pay for

[00:23:44] IPS solutions that were on top of IDS that actually did something about it, on your firewall or

[00:23:49] behind your firewall? They were part of it, in a way. But the point being is, like, when you had to pay

[00:23:54] for those extra things, those were why you had a classification, and you'll see these are IG3s

[00:23:59] versus IG2s. So I believe that HIPS and HIDS would not be separable. When I

[00:24:04] teach my class on this, I don't separate HIPS and HIDS. You don't even see that really anymore

[00:24:08] in firewalls that are out there, of having it, you know, one versus the other. No, you can see them

[00:24:12] together. Yeah, so that's my argument. And what's really about 13.8, I want to read into this, though,

[00:24:17] because 13.7 gives the example implementations include EDR. Great, okay, good. But the next one

[00:24:23] says example implementations include a CSP service, or cloud service of sorts, right? Starting

[00:24:30] to get into this understanding of the belief in a SASE solution, that's a network that goes beyond

[00:24:35] the legacy. Yes, yes, that is. And to your point, this is almost, johnny, foreshadowing where we sit today

[00:24:41] from when our forefathers many moons ago, like four years ago, wrote this document.

[00:24:47] They didn't have wireless because there was no getting through the walls. Okay, so we're through

[00:24:53] the HIPS, NIDS, HIDS, NIDS aspect, so that gets us through 13.8. 13.9 is interesting because it

[00:25:00] says deploy port-level access control. So it's another type of access, or another access control

[00:25:05] applied at a different level, now saying, and this brings us back to that traditional network, but

[00:25:10] could be redefined, right? We saw this before, right? Remember when we had the examples around wireless

[00:25:16] with regards to, oh, 802.1X and WPA2 in our current days? Yes, yes. They blended two together.

[00:25:23] That was like, wait a second, we're talking about wireless. There's a little bit of confusion

[00:25:28] here, and I think there's a clarification, even though it's unintentional. There's less

[00:25:31] delineation here, and what I mean by this is what we're talking about now in the triple-A

[00:25:37] infrastructure, identify, authenticate, authorize, authorization, and auditing. Now we're actually

[00:25:43] talking about the authorize in that second piece, as well as identify and authenticate,

[00:25:49] mixed together. So do you, you're supposed to go back in time, Matt? I would argue control time.

[00:25:55] I would say that if you added the language that's in this particular control, where it says

[00:26:01] or similar access control protocols, and may incorporate user and/or device authentication,

[00:26:08] is actually what would have been nice to see in a previous control domain that had similar language.

[00:26:15] You're not wrong, like in 12 and in 5. Yes, yes, thank you. Agreed. But so port level is just

[00:26:21] saying, when I plug into the hole, does it give me access right away, or do I have to authenticate

[00:26:25] and say who I am first? And these are things coming down to zero trust, right? We're starting to get

[00:26:29] into these zero trust principles being applied at this level. What's unfortunate about this is

[00:26:33] the port-level access control assumes that I've got a physical location and a physical switch

[00:26:37] and a physical network. And even if you didn't, let's look at these through a different lens.

[00:26:41] I think there's also, to your point earlier about the cost factor that's in here, like, there's

[00:26:45] a lot of network infrastructure out there that's still current infrastructure that does not support

[00:26:51] everything that's listed out. Yeah, I might have to RADIUS as an extensibility model. Exactly,

[00:26:56] that nature. We're adding complexities, in that I've seen this in environments where they're like,

[00:27:00] I don't want to go out and buy all new switches, so what we did is we locked the server room, and

[00:27:04] if you plug into the patch, the port on the wall, you don't get anything, because the physical

[00:27:09] connectedness in the server room has been pulled out of the switch. Yeah, and I think, to your

[00:27:14] point, when we're looking at things of be where you are and start where you are, that's a start.

[00:27:20] Challenges the intention of this is the change in identity, because now I could just change that

[00:27:25] cord to another device that's already been plugged in. But to your point, well, it's not physically

[00:27:29] connected, but yeah, yes. Okay, so to your point, and this gets into a lot of things that we don't

[00:27:34] necessarily have control over today. It's a difference of zero trust and then trust but

[00:27:38] verify, right? And that is the issue here. Is this not a maturity process? If we said you can

[00:27:43] get these right, all of them, all at once... yeah, time you go through this. Slap me if I ever say that.

[00:27:49] Yes, please let me know if this is you. 100%, yeah. You know you're not Matt, this is a deepfake. Deep-

[00:27:54] fake Matt, if you're saying those things. Yeah, that's like... all, all, oh. So basically 13.9, if you took it

[00:27:59] into that broader context, it really is identify your user before giving them access to the

[00:28:03] network. And when you think about SASE, they already kind of do that this way, right? You

[00:28:07] already have to identify before being able to sign into the SASE network, and that is a form of

[00:28:12] this. So I just wanted to codify that port level could be shifted in its definition. Today it means

[00:28:17] traditional port, like you said, in that way, and me authenticating as a device, whether it be through

[00:28:21] certificates or other methodologies to validate that I'm me before I'm even able to access this,

[00:28:26] is a maturity, again a maturity thing. Like, so even in the... if you go outside of what we're talking

[00:28:30] about in the physical office, they can set things SASE-like. Think about early on in the

[00:28:35] detection process, you could say, hey, if your IP addresses are coming from the following locations...

[00:28:40] In some respects that's similar to saying, hey, we're unplugging the patch cable from the switch so

[00:28:44] that... yeah, like prior to a SASE-type model, sure, you can see things like that. Those are steps in

[00:28:49] that layer areas. From a technology standpoint I don't think it meets it fully, but it meets it

[00:28:53] in the way we're trying to apply a trust mark, right? It meets it in that statement of can you get

[00:28:57] better, do you know the problem, are you working on the problem? You have to start somewhere.

[00:29:00] Technology didn't already always support this. When SASE applications came out, we're seeing that

[00:29:05] evolve, and I think that's... what are you doing today? SaaS or SASE? I think you and I are getting

[00:29:10] confused. Yeah, go ahead. SaaS, I mean, you know, software as a service, but SASE, I mean secure

[00:29:15] access service edge, and they're meeting when I VPN or TLS methodologies into that sector.

[00:29:21] Secure access service edge, that's my new network, and those are saying SASE, or not. Oh, why, I am,

[00:29:26] I am sorry about that. I'm glad we said that. Okay, so we clarified, for our clarification here,

[00:29:32] all of the SASE references Matt's making are not about being super sassy, they're about talking

[00:29:36] about secure access service edges. Comes with a little sizzle. But then the next piece is 13.10,

[00:29:41] perform application layer filtering, like actually do application firewalls and application gateways.

[00:29:47] And when you think about this, this is interesting. If you looked at 13.10 in the cloud

[00:29:53] companion guide, which, there's a CIS cloud companion guide you should be familiar with, it's

[00:29:57] actually a very good companion guide. It starts saying that when you're talking about application

[00:30:01] layer filtering as an MSP that is hosting your own RMM, there's an advocation that you should be doing

[00:30:07] WAFs, or web, or wireless... that web application, or WAFs, firewalls, right? And the ability to

[00:30:14] protect against those firewalls for application layer service. Thanks, my dog agrees, she just said

[00:30:19] so, I just heard her. I think that's the truth. It's true, right? Preaching here. But application

[00:30:24] layer filtering and having that ability between segments, external segments, internal applications,

[00:30:28] external applications. 13.10 is an IG3 for a reason, because it's deep and it does require a lot of

[00:30:34] configuration. Like if you have a website and you don't have a WAF in front of it that's configured

[00:30:38] to block common WordPress attacks, you're failing here in 13.10. That's what it's intended for, is

[00:30:43] those... we saw a lot of this, we saw a lot of this with application as a service, right, where

[00:30:47] you're like, oh no, I got this account, I log in and I can do these things, and it's just simple

[00:30:52] and easy, right? Like, and you're like, well, how is it being protected? Like, oh no, it's handled by,

[00:30:56] fill in the blank, you know, blank, boobool or whatever vendor it was, and you don't have to do

[00:31:01] anything with it, right? Like, but that's not how it... like, I digress. I mean, okay, we could go

[00:31:09] down a rabbit hole with this one. So we have one safeguard left. This is the one that I think

[00:31:13] is perhaps one of the biggest stumbling blocks, but it's also probably one where, when you're

[00:31:18] paying a SOCaaS provider, okay, or in PR, they're getting paid to do this for you. I think you're

[00:31:23] right, it's hard to do on your own. So, and in fairness, I think there are things that if you implement them

[00:31:29] and don't tune immediately, the thresholds for tuning are going to get a sprawl, yeah, very difficult to

[00:31:36] rein back in. Yeah, well, we're getting out here. 13.11 says tune security event alerting thresholds.

[00:31:42] This is what's called establishing a clipping level. This might be the shortest safeguard

[00:31:46] there is. It is, and they really should be more... damn it, this is too short. What we're really getting to

[00:31:52] is establishing what's called a clipping level, and a clipping level says, okay, if Matt Lee wakes up and

[00:31:58] types in his password wrong three times before he gets it right the fourth time every day, then

[00:32:03] why would we alert when it's that second time typed in wrong as somebody attacking his machine?

[00:32:07] Perhaps it might make more sense to set the alerting level to when Matt has reached that

[00:32:12] fourth time that is congruent with his day-to-day activities. Now I'm not getting

[00:32:15] that granular on all of these things, and I would argue there's a different problem with that particular

[00:32:19] example, but yes, I get your point. True story, it's probably the efficacy challenge of my

[00:32:24] passwords, I think. But the second point being, you know, you have to set clipping levels or else

[00:32:29] you're wasting your time on superfluous crap, and in the same breath, if you ignore so many

[00:32:33] things that you write off as superfluous, you miss the things that were actually real

[00:32:37] in that event. And so it's all about the fine sweet spot of where is the "this is just noise" to

[00:32:44] "holy shit, this is something," and that level where that happens. Well, and you're using the

[00:32:49] clipping from an audio analogy, for those... No, no, it's a term from the ISC2

[00:32:55] material that is talking about clipping levels, because then you get the audio, the noise,

[00:32:59] and I'm like, oh, clipping noise, okay. So same way, though, same concept. Let's follow audio for

[00:33:05] a second, because if I was thinking about running sound, and I think about, like, this is where you're,

[00:33:09] when you talk about tuning, we're talking about putting gates and compression on here, right? So

[00:33:13] that it doesn't, so that we don't have to hear noise, so that we don't have to have the distortion

[00:33:18] that would come from... but what was noise and what was that artist's really cool raspy voice in the

[00:33:23] bottom? Okay, right, that's genuinely the challenge of this. Yes, and I think that's where

[00:33:28] the balance of this is really hard, because you're trying to make that perfect spot where

[00:33:31] you're capturing just the audio subject you want, right, but also clipping out the crap that's

[00:33:36] just going to annoy your people, people to train in the background. So, well, in page of the team,

[00:33:42] yes, right, that's the real challenge here: 20 alerts that Matt's been compromised to the one that really

[00:33:47] was real. It's boy who cried wolf, and we saw that with, like, the, you know, a Duo push-the-

[00:33:53] button overload, like keep sending it until finally you say yes. So I think along those lines is something

[00:33:58] interesting that comes to mind, and a clipping level on this would say after number seven you

[00:34:02] just turn off the user, they're being attacked, right? Those are clipping levels, right?

[00:34:07] So I started thinking about that, and I'm like, well, this kind of gets into policy, process and procedure

[00:34:13] around, doesn't it, though? I think there's... and feedback loops, engineering-level feedback loops of am I right?

[00:34:20] And to your point about the, you know, the fourth or fifth time with Matt Lee, you know, having

[00:34:24] trouble with his password, do we get into sanctions? Like, do we just say... the true story, maybe, perhaps,

[00:34:30] and we need to put a sanction on that, because every time he does this he's potentially putting in...

[00:34:35] I digress, but like, you get the idea here. Like, as we've gone through this, one of the things that

[00:34:39] we really haven't highlighted or talked about is the importance of the policy, the process and people

[00:34:45] even, that make this work. Like, you don't just tune an alert just because. You're not like, bro, hit that

[00:34:51] autotune button, right? This isn't how this works. Like, right, like, hey, we're pitch correcting here,

[00:34:55] not a con here. Yes, yeah. Matt, we have butchered completely... no. I think this was a

[00:35:04] great conversation around this control. I think a lot of people struggle with this and

[00:35:10] shouldn't, and I think the areas that make a lot of things what we would say is IG3 from a

[00:35:14] complexity standpoint, or actually IG3 because of the cost-prohibitiveness of them, at least in the

[00:35:20] previous... you know, we've evolved a long ways in the last few years, from technology costs coming

[00:35:25] down in some respect. True. So that some of these that are in here, and complexities, are normalizing,

[00:35:30] right? Think about it, we'd both have to go... but think about how much you're seeing the same

[00:35:35] type of SaaS software, you're seeing the same type of network access, the same identity providers,

[00:35:39] you're seeing a normalization that's making scale. And I guess my big takeaway of 13 is

[00:35:44] most of 13 is something you partner with someone for. Absolutely, I was going to say

[00:35:48] the same thing. If you haven't partnered with somebody and you were struggling with this control,

[00:35:53] that's because you have not partnered with somebody. That's fair. Or if you think you're

[00:35:56] doing well at this one, you might be up for an episode of, like, how... of what is it, the Bar Rescue

[00:36:01] or whatever. Yes, I would say go back in time and start again. I would argue that if you are

[00:36:07] doing well with controls one through six, potentially one through seven, in CIS, then

[00:36:11] you have a great foundation in place. That's fair. These controls should not be complicated

[00:36:16] to process, even though they may be complicated from a "I just can't do this, I don't have the money..."

[00:36:21] Oh wait, because you haven't partnered with somebody to help you pull this off. Amen. Last great win, close

[00:36:26] it. Peace out. Thank you everybody, have a great week.