Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

At RSAC, SOC 'Sees' User Behaviors

Instruments at the RSA Security Operations Center give analysts insight into attendee behavior on an open network.

RSA CONFERENCE 2018 – San Francisco – At RSAC 2018 the SOC is a demonstration site. It has some hard limits — no visibility to the external IP interfaces being the most significant — but it has tremendous visibility into what happens on the wireless network that supports the tens of thousands of attendees using the open system. And that network visibility translates into great visibility into the behavior of network security professionals in the wild.

A team of network security specialists including Cisco's Jessica Bair staff the SOC, watching traffic of various sorts flow to and from the devices carried by attendees, exhibitors, and staff. Because the SOC isn't blocking any traffic, there's great interest in the monitoring, which happens courtesy of RSA NetWitness Packets; potentially malicious traffic is further given static analysis by Threat Grid.

One of the things visitors notice in the SOC fishbowl is a screen filled with a rolling list of partially obfuscated passwords. That's when they see two important things about conference attendees, one of them good, one of them not so much.

Almost all of the passwords are either strong or very strong. That's great, and shows that security professionals, at least, have acted on the need for stronger passwords.

The problem comes in the fact that the passwords can be seen to be strong; they're being sent in clear text. It's a sign of a lesson half-learned and indicative of problems likely to plague all levels of the computer-using population of companies.

And passwords aren't the only data being sent in the clear. Other examples of documents analysts have seen traversing the network include business plans, resumes, and information on competitors, according to one of the engineers staffing the SOC. 

While the passwords and documents traversing the network represent a significant security risk, Bair quickly points out that there is no threat of long-term information release; the hard disks from the monitoring and analysis appliances are crushed at the end of the conference.

Of course, the monitoring infrastructure established in the SOC sees more that just potentially embarrassing clear text documents. Malware and possible malware were identified and analyzed through Cisco's Advanced Malware Protection (AMP) Anywhere with its Threat Intelligence Cloud. Information on potential malware seen was communicated among all nodes of the security network and other security networks related to the RSA Conference infrastructure for more rapid identification and (potential) remediation.

Ultimately, Bair likened the activity of the SOC to the basic instruction given to fighting women and men of the U.S. Army. "You have to do three things: Shoot, move, and communicate. If you're not doing all three three, you're [redacted] dead."

In cybersecurity terms, the system must actively defend the organization's assets, be agile in shifting its activities to meet evolving threats, and share information and commands with other networks looking for malware and malicious behavior. With all three, an organization has a chance to practice effective behavior. Without the three, then sooner or later your organization is truly [redacted] dead.

Related content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.