Slashdot Mirror


Splunk CTO Urges Collaboration Against Cyberattacks - And 'Shapeshifting' Networks (itwire.com)

"The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense," says the CTO of Splunk -- because the labor is cheap, the tools are free, and the resources are stolen. "He says what's needed to bring down the cost of defense is collaboration between the public sector, academia and private industry...the space race for this generation," reports Slashdot reader davidmwilliams.

Splunk CTO Snehal Antani suggests earlier "shift left" code testing and continuous delivery, plus a wider use of security analytics. But he also suggests a moving target defense "in which a shapeshifting network can prevent reconnaissance attacks" with software defined networks using virtual IP addresses that would change every 10 seconds. "This disrupts reconnaissance attacks because a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another."

5 of 88 comments

  1. 1/100th the cost? by hsmith · Score: 2

    Depends on the industry. Yahoo? will pay $0 in fines for their breach. If you were a hospital you'd see $50k per patient, which adds up quite fast, and doesn't include stupid things like credit monitoring.

    Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shitcan your CISO, who you ignored the entire time, because you need someone to take the blame.

  2. Coming from an information security academic by Anonymous Coward · Score: 2, Informative

    What he proposes is infeasible.

    Think about a simple shopping trip to Amazon. If your DNS cache is wrong after 9.2 seconds, how are you going to maintain your session long enough to finish your purchase?

    The CTO here is confused as to how virtual IP addresses work. The virtual IP doesn't change, the actual IP of the servers in the cluster does. Without a reasonably constant IP, the availability portion of the CIA triad does not exist.

    Secondly, "reconnaissance attacks" (footprinting) are reasonably handled with traditional techniques. Stopping what comes after is much harder. Stopping the easiest to exploit attack vector, the human factor, is orders of magnitude harder than that.

    1. Re:Coming from an information security academic by lucm · Score: 4, Interesting

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      The day his company creates something useful maybe I will pay attention to him.

      --
      lucm, indeed.

  3. Godel's hand reaches from the grave by Etcetera · Score: 2

    ...to keep them out of your network in the first place?

    The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.

    Which leads us back to firewalls and IDS and such.

    Shape-shifting has to "bottom out" somewhere with known addresses, and that's where you're going to be vulnerable. You can test this now with low TTL DNS servers and (assuming your TTL is respected) you just send the traffic over to the new destination. If he's referring to external services, that about covers it. If it's external access to internal networks, then why are you running IPv6? Use NAT and a FW like everyone else and get that stuff off the internet. If he's referring to internal services, they're just as vulnerable for the same reason. Your internal services will have to have a lookup system (DNS, or your super-awesome low latency replacement for DNS because what good is a wheel if it isn't being reinvented), and that can be used for following whatever you need around. You've added one small, boring step for your hackers that's just as HOBE as anything else because the lookup has to be automated to make all your systems work internally.

    Hosts aren't going away any time soon because they're an architecture more than anything else. There's this wacky vision some in the industry have of containers running on top of Cisco gear that they seem to think will be a panacea for all of their tech issues. Software-defined stacks won't fix everything, and they really won't fix this.

  4. You've got to be fucking kidding. by thermowax · Score: 2

    And now you've got to shell out for an SDN infrastructure, too.

    That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.

    That's just one example; the more I think about it, the more it leads me to downgrade my opinion to "dumbass".

    J-.
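The points raised in comments 2, 3 and 4 (a pinned TCP session breaking when its peer's address rotates, a DNS TTL that cannot keep up with a 10-second rotation, and the stable virtual IP that the rotation has to "bottom out" on) can be checked with a small simulation. The Python below is an added example written for this page; it is not code from Splunk, from the article, or from any commenter. Every host name, address, flow id and timestamp in it is constructed, the 10-second rotation interval is the only value taken from the article, and the per-epoch address permutation is an assumed stand-in for whatever an SDN controller would really do.

```python
"""Simulation of the 'shapeshifting network' debated in the comments above.

Design 1 (direct): clients talk to host addresses that rotate every
ROTATION_PERIOD seconds, as the article describes.
Design 2 (vip): clients talk to a stable virtual IP and a front end maps
each flow to the rotating backend address on every packet.
Every host name, address and timing below is constructed for the simulation.
"""
from dataclasses import dataclass

ROTATION_PERIOD = 10.0  # seconds between rotations, the interval from the article
HOSTS = ["web", "linux-build", "mainframe", "db"]                     # constructed
ADDRESS_SPACE = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]  # constructed
VIP = "10.0.0.100"      # stable virtual IP used only by design 2 (constructed)


def epoch(now: float) -> int:
    """Rotation epoch on the simulated clock (epoch 0 covers t in [0, 10))."""
    return int(now // ROTATION_PERIOD)


def address_of(host: str, now: float) -> str:
    """Address a host answers on right now: an assumed per-epoch rotation."""
    return ADDRESS_SPACE[(HOSTS.index(host) + epoch(now)) % len(ADDRESS_SPACE)]


def host_at(address: str, now: float) -> str:
    """Inverse lookup: which host currently sits behind an address."""
    return HOSTS[(ADDRESS_SPACE.index(address) - epoch(now)) % len(HOSTS)]


def seconds_until_rotation(now: float) -> float:
    """Longest a freshly pinned direct connection can stay valid."""
    return ROTATION_PERIOD - (now % ROTATION_PERIOD)


@dataclass
class Session:
    """A long-lived connection as the client remembers it after its one lookup."""
    host: str         # the service the client meant to reach
    server_addr: str  # the address it resolved at connect time and keeps using


def connect_direct(host: str, now: float) -> Session:
    """Design 1: resolve once, as an ssh or HTTP client does, and pin the address."""
    return Session(host=host, server_addr=address_of(host, now))


def send_direct(session: Session, now: float) -> bool:
    """True if a packet on the pinned connection still lands on the intended host.

    After a rotation the same address belongs to some other box, so the packet
    arrives at a host with no record of the session: the in-flight ssh and
    shopping-cart cases from the comments.
    """
    return host_at(session.server_addr, now) == session.host


def connect_vip(host: str, flow_id: str, flow_table: dict) -> Session:
    """Design 2: the client pins the stable VIP; the front end records the flow's backend."""
    flow_table[flow_id] = host
    return Session(host=host, server_addr=VIP)


def send_vip(session: Session, flow_id: str, flow_table: dict, now: float) -> bool:
    """The front end rewrites VIP -> current backend address on every packet."""
    if session.server_addr != VIP or flow_id not in flow_table:
        return False
    backend_addr = address_of(flow_table[flow_id], now)  # recomputed per packet
    return host_at(backend_addr, now) == session.host


def cached_lookup(cache: dict, host: str, now: float, ttl: float) -> str:
    """Stub resolver with TTL caching, the low-TTL DNS idea from the thread.

    A TTL >= ROTATION_PERIOD guarantees stale answers for part of each epoch,
    and even a tiny TTL only helps clients that re-resolve mid-connection.
    """
    addr, expires = cache.get(host, (None, -1.0))
    if addr is None or now >= expires:
        addr, expires = address_of(host, now), now + ttl
        cache[host] = (addr, expires)
    return addr


if __name__ == "__main__":
    direct = connect_direct("web", 3.0)
    print("direct session valid for at most", seconds_until_rotation(3.0), "s")
    print("direct at t=5 :", send_direct(direct, 5.0))   # same epoch, still works
    print("direct at t=12:", send_direct(direct, 12.0),  # address now belongs to another box
          "(address now belongs to", host_at(direct.server_addr, 12.0) + ")")
    flows: dict = {}
    via_vip = connect_vip("web", "flow-1", flows)
    print("vip at t=12   :", send_vip(via_vip, "flow-1", flows, 12.0))
    dns: dict = {}
    cached_lookup(dns, "web", 0.0, 30.0)
    print("cached answer at t=12:", cached_lookup(dns, "web", 12.0, 30.0),
          "live address:", address_of("web", 12.0))
```

The direct design fails at the first rotation boundary after connect, however short the DNS TTL is, because a connected socket never re-resolves; the VIP design survives because the only address clients ever pin is the one that does not move, which is exactly the known, stable point comment 3 says the scheme has to bottom out on.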