An Interview with Mitrasingh (Danny) Chetlall, Product Manager, Qosmos Division, Enea (seen here with the Enea Qosmos Division team at RSA Conference 2020 – Danny is front row, 2nd from left)
At a Glance:
A few weeks ago, the cybersecurity community gathered in San Francisco for its flagship annual event, the RSA Conference.
On his return, I sat down with Danny Chetlall, Enea Qosmos ixEngine Product Manager, to discover the top takeaways from the 2020 event.
Question: What was your overall impression of the event?
Danny: Traffic was a bit slower than in previous years, and we had to continuously check our impulse to shake hands, but other than that, the sessions and personal interactions were as informative, timely and relevant as in previous years.
I found the emphasis on governance, procedures and best practices – in line with the “Human Element” theme – to be a welcome and truly necessary complement to the usual tech subjects. On the purely tech side, the discussions about encrypted and evasive traffic, ICS & IoT security, machine learning, and 5G were, for me, the most surprising and urgent topics.
Q: What struck you most in conversations about encrypted and evasive traffic?
Danny: The challenge that came up in nearly every discussion was traffic blindness – people are really worried about their systems going dark. And the changes that everyone has long feared have now arrived. For example, TLS 1.3 with the encrypted SNI (eSNI) extension is finally here – it is used by default in Firefox. The server and client certificates are encrypted, and the server key is session-based, not static, meaning no more storing the key and using it to decrypt out-of-band traffic. Furthermore, eSNI requiring DNS over HTTPS makes the analysis of DNS requests a major challenge. And with that, a whole lot of security tools go out of the window since server names and certificates are no longer accessible.
On a positive note though, encryption and its sister challenge, evasive traffic, are spurring a lot of innovation. It’s what prompted Qosmos to move beyond DPI some time ago. We developed a range of new analytical techniques to maintain visibility in encrypted and evasive traffic. Some of our customers and partners joined us in the search for innovative ways to address the new challenges. They are implementing and adding to our techniques to reach higher levels of visibility in areas like Network Traffic Analysis, Zero-Trust Networks, Endpoint Security and the evolution towards SASE. It was good to see so many security vendors (whether our customers or new market entrants) working to keep the lights on.
Q: What about those securing OT networks or hybrid OT/IT networks? Is encryption a concern for them too?
Danny: Securing OT and hybrid OT/IT networks is obviously a significant challenge with today’s levels of encrypted and evasive traffic, and it is intensified by the latency impact of trying to integrate TLS with OT encryption standards. One big topic of conversation in this context was cryptocurrencies and crypto mining within evasive traffic. It’s a question of scale. If someone hijacks some servers, it slows everything down and jacks up utility bills. But if a mining pool takes over the microprocessors in an ICS network, that could cause the shutdown or malfunction of critical equipment, with potentially catastrophic human or environmental consequences.
The same goes for other types of threats like viruses and ransomware, and leads to another major concern: the way the Internet of Things (IoT) and Industrial Internet of Things (IIoT) are blurring the line between OT and IT networks. The expanding connection points between networks mean that IT-focused cybersecurity vendors need to absorb and address OT requirements, and vice-versa. What I picked up at RSA was there’s a real learning curve going on right now. And people are working very hard on it because the stakes are sky high.
Q: It seems 5G is going to accelerate this integration of OT and IT networks. Did you have many discussions about this?
Danny: Yes. It is commonly accepted that standardization across currently discrete communications networks, and the overall IoT/IIoT support capabilities central to 5G, will open new pathways between the OT-IT worlds. I talked with a lot of people who are concerned about the expanded attack surface this will create. The challenge will be to secure networks with even more functionality at the edge, and which have a distributed, service-based architecture that criss-crosses providers.
Some said they think that Radio Access Networks (RAN) are inherently more secure in a number of ways. But even so, the threats represented by devious cloud service providers, the inherent difficulty of tracking lateral movements in 5G networks, new evasive techniques and API exploitation at the edge, to name but a few, are weighing heavily on everyone’s mind.
Q: You mentioned machine learning earlier. Is there a role for machine learning in addressing 5G concerns?
Danny: Quite possibly, especially with regard to the modeling of ‘normal’ device or agent and network behavior so abnormalities can be detected. For the most part, machine learning works in the same way in the hybrid IT/OT world as it does in conventional networks. It can help automate tedious tasks, improve threat detection, and optimize alert triage, but it’s just one tool in the toolbox. Knowing when to use it and when not to is a sign of ML maturity, and I think that’s what struck me most at this year’s RSA: how mature and fully integrated ML has become in cybersecurity!
As usual, many reviews of RSA have hyped the top X hottest, most innovative products at the show. A large majority of these lists have focused on products that highlight the use of AI and ML. But, when I walked around the show, I was really struck by how invisible ML was in the description of various products. However, when the vendors showed me demos, I found many had indeed incorporated ML into their solutions. I realized that the vendors had chosen to focus on what they were doing for their customers, the value they offered, and not how they were doing it. This, for me, is the sign that machine learning is really coming of age in cybersecurity!
So, I think that now will come the fun part. Now, we can expect some breakthrough innovations. Vendors will start to find new uses for ML that are particularly well-adapted to specific challenges. On the way, they will discover, as has happened in other industries, that the quality and relevance of the data they are using to build their models is a key factor in the results: the higher the quality and relevance of the data, the more accurate the results.
The maturity is there, the potential is there. And I think it’ll be good for the industry in attracting much-needed talent. We had a tag line on our booth pointing out the value of our data in ML, and it proved to be a magnet for students and researchers. That so many are engaged in the subject is a really great sign for the future of ML and AI in cybersecurity.
Thanks, Danny. It’s good to hear vendors are focusing on customer value over technical means. I was visiting the sites of the RSAC Innovation Sandbox Contest winners and noted the same thing.
About the Interviewer
Erik Larsson is Senior Vice President of Marketing at Enea, where he drives product marketing, demand generation, branding and communication. Erik’s views on high-tech trends are regularly featured in articles, blog posts, webcasts, video interviews, and industry events.