These are scary times when it comes to cybersecurity. Following on from high-profile breaches at Equifax, British Airways, Ticketmaster, Newegg and more, it’s not surprising that companies are prepared to pay top dollar for the very best in security software.
What does the very best look like?
Well, it seems to me that for a lot of people, it comes in the shape of…
"A slightly useless, but sexy looking interface!"
Fear of breaches and love of shiny things together account for the rise (and rise) of Darktrace. Founded in 2013, the company was valued at $80m by 2015, and is now worth a whopping $1650m. They report customer numbers doubling every quarter, with top clients including eBay, the National Health Service and Gatwick Airport. They’ve won more than 100 awards, and landed on a whole load of prestigious lists.
I can’t deny that Darktrace are the flavour of the month. They certainly spend a whole lot of money on pushing their product. Positioning themselves as ‘the world’s most advanced machine learning technology for cyber defense’, they compare their machine learning and AI algorithms to the human immune system.
Then there’s that oh-so-pretty interface, which offers an impressively futuristic, gaming-style visualisation of issues. Gartner analyst Laurence Orans said in a recent Financial Times article,
‘People generally like the interface. They think it’s sexy… it demos well’
So far, so flashy — but what’s it like to actually use?
The same FT report interviewed an engineer at a business using Darktrace, who confessed that many IT staff ignored the pricey security software because it sent so many false alerts.
‘Half my team won’t look at it once during the day... It’s very expensive, I’m not going to lie.’
Another cyber security researcher said he had:
‘I've heard feedback that it is very difficult to cut through the noise of false positives and get at the problem.’
So now your state-of-the-art cybersecurity system — acts more like a fire alarm that starts screaming every time you use the toaster?
And though the interface is good at presenting information about threats, I don’t think it offers much help when it comes to actually dealing with them. Darktrace make a great deal of noise about self-diagnosis and machine-learning models, which do a great job in looking for ‘unknown’ threats. But realistically, what do you then do with this information?
You can pay Darktrace to help you diagnose issues. But I would cynically suggest they aren’t actually very interested in doing so, because that’s hard work - and not as profitable as selling pretty interfaces.
This excellent blog highlights some of the seriously good stuff about Darktrace, yet also make it pretty clear just how much hard work is left in diagnosing supposed threats.
Would you like to diagnose 35,000 possible security issues?
Too many false positives is one of the reasons I’ve never liked Intrusion Detection Systems (IDS) like Snort. I don’t like Intrusion Prevention Systems (IPS) either, because ‘If an IPS is not tuned correctly, it can also deny legitimate traffic’.
Surely it’s better to focus on your known pain points, rather than your ‘known unknowns’ (with apologies to Rumsfeld)?
Obviously you will already have firewalls, anti-virus and secure authentication systems to deal with these main pain points. But the biggest threat out there right now is application level attacks - and for that, a properly configured WAF is the ideal tool to help you.
The ugly WAF duckling
A WAF configuration file doesn’t have space-age graphics. In fact, it’s a bit of an ugly duckling.
SecRule REQUEST_FILENAME "/login.php" "phase:2, t:none, t:normalisePath, t:lowercase, t:urlDecodeUni, chain, deny, log, id:1011" SecRule ARGS:login|ARGS:pass|REQUEST_COOKIES:login|REQUEST_COOKIES:pass "'" "t:none, t:urlDecodeUni" SecRule REQUEST_FILENAME "/login.php" "phase:2, t:none, t:normalisePath, t:lowercase, t:urlDecodeUni, chain, deny, log, id:1012" SecRule ARGS:level|REQUEST_COOKIES:level "!^[0-9]+$" "t:none"
The logs are EVEN WORSE:
[Sun Feb 18 21:29:47.151788 2018] [:error] [pid 32289:tid 140260134610688] [client 172.16.202.152:60354] [client 172.16.202.152] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/opt/httpd-waf/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 102, SQLi=29, XSS=): 981243-Detects classic SQL injection probings 2/2"] [hostname "support.loadbalancer.org"] [uri "/staff/index.php"] [unique_id "WonwQn8AAAEAAH4hPNIAAABD"], referer: https://support.loadbalancer.org/staff/index.php?/Knowledgebase/Article/Edit/35
Which is why we’ve put a lot of effort in to simple tools to help you diagnose them...
Looks aside, what our WAF does do is work like you need it to. At Loadbalancer.org we have a great deal of experience working with clients to protect their applications in this way. For example, in our partnership with Metaswitch:
“The Loadbalancer.org appliance includes a fully integrated industry standard Web Application Firewall (WAF) by default. An off-the-shelf WAF isn't much use unless it's specifically configured to protect against the application. Loadbalancer.org have developed five custom WAF rules specifically to protect a Metaswitch EAS DSS/SSS deployment, ensuring total protection against security vulnerabilities.”
Darktrace has the potential to be an awesome tool if you put enough resources into it. But fixing known problems first should be your priority.
We build industrial-strength solutions that stop hackers dead in their tracks.
Isn’t that more important than looking pretty?