RSA Takeaways: No Security without Visibility
Last week, the RSA Conference was back in San Francisco. It is still the cybersecurity industry’s largest event, with more than 400+ exhibitors and 26,000 visitors. Fewer than the 42,000 visitors pre-pandemic, but still more than any other cybersecurity show. You could feel relief and excitement about meeting in person again, and comfort in seeing familiar themes, such as AI, automation, and difficulties in recruiting.
It was clear that Cloud security remains a strong megatrend accompanied by an alphabet soup of ZTNA, SASE, SSE, CASB, SWG. But “Zero Trust” wins the award for the strongest buzz at this year’s event.
With cloud security so hot, everyone was looking to know how to make it effective.
Well, we have the answer to that! Traffic visibility.
And how do you get the right traffic visibility? I hear you ask.
Easy! That’s Next Gen DPI!
Deep Packet Inspection is widely deployed to get traffic visibility in networking and security solutions. It analyzes network traffic flows to identify the protocols, applications and services in use, and extracts additional information in the form of metadata to support specific networking and security functions. However, as networks evolve and cyber attacks become more sophisticated, the visibility provided by traditional DPI can be limited.
Next-generation DPI (NG DPI) integrates new techniques to handle encrypted traffic, identify advanced cyberattacks, and meet the performance and scalability needs of cloud-based solutions.
On the Enea booth at RSA, Qosmos product experts were very much in demand. They were kept busy showing solution vendors how to best use NG DPI to ensure the differentiation and high performance required to keep their products one step ahead in the new cloud networking era. The most popular topics were ZTNA, CASB and SWG.
SSE Architecture: All Functions Can Embed or Use Qosmos ixEngine Output
Why NG DPI is crucial for strong cloud security solutions
Here are some examples of actions that NG DPI enables:
ZTNA (Zero Trust Network Access)
- Detect and block a user trying to connect with prohibited anonymizers like Cyberghost or Ultrasurf.
- Prevent domain fronting by revealing the use of routing schemes in Content Delivery Networks (CDNs) and other services that mask the intended destination of HTTPS traffic.
- Continuously evaluate trust by monitoring traffic to detect anomalies, such as the transfer of a file using a false MIME type (e.g., an executable masked as an image), or the presence of non-standard tunneling activities over legitimate protocols (such as DNS or ICMP), which may indicate unauthorized or illegal activities.
CASB (Cloud Access Security Broker)
- Add granularity to CASB policy, such as transaction-based rules like allowing users to access YouTube, but not upload any content to it.
- Deploy CASB agents on managed devices (or a data feed from NG DPI-powered SWG) to discover shadow IT apps that should be brought under CASB management, for example, adding Dropbox as a sanctioned app (with appropriate rules) after discovering it is widely used within the organization.
- Use detailed NG DPI metadata to build behavioral profiles of users so that anomalous behavior can be detected and investigated.
- Use NG DPI output to build a highly compact audit trail of activities for forensic investigations (reduced by up to 150x compared to full packet capture)
SWG (Secure Web Gateway)
- Develop fine-grained application controls in line with company policies (e.g., prohibit access to Dropbox or all external file hosts; allow MS Teams but not Zoom).
- Allow full access for certain social networks like LinkedIn, but only partial access to others like Facebook, with a restriction on file uploads, and deny others altogether, like Instagram.
- Prohibit evasive traffic connections over HTTP/S, crypto mining pool traffic inherent to crypto jacking attacks, or P2P apps such as BitTorrent.
The discussions at RSA once again confirmed that strong cloud security is based on strong traffic visibility. This is where NG DPI delivers: encrypted traffic classification, detection of anomalous and evasive traffic, wide application coverage, and cloud-grade scalability and performance!
