6 things we learned from Zone Fox at Infosec 2017
This month was Infosec Europe 2017, an information security conference held at Olympia London. During the event I sat down with Jamie Graves, CEO at Zone Fox, a company that offers event monitoring on the operating system. Here are 6 interesting things we learnt from the team.
1 – GDPR isn’t all bad
There’s natural scepticism towards GDPR and the companies that deal with it, with people assuming that there is some sort of ulterior motive behind it all. In reality GDPR is one of the nicer compliance standards out there, with organisations like Zone Fox available to help you meet the standard. Jamie commented:
When you look up previous compliance standards it comes down to you’re either compliant or you’re not. While if you look at some of the details of GDPR you get some really insightful stuff around it. It’s a really good information security theory practice and I’m really stoked to see all the good stuff in there and not just ‘we’ll beat you up if you get it wrong’.
2 – Snort but for the OS
During our talk Jamie referred to Zone Fox as ‘Snort but for the OS’. What this means is that the Zone Fox platform monitors a network’s data patterns using hosts or connectors and flags traffic accordingly. Jamie stated:
It takes a feed of what people are up to with data, compiles it and learns from it. You still want something on your network to look for network based attacks but this will give you insight into what’s happening around your user data.
3 – Behaviour data is the future
Zone Fox focuses its event monitoring on how data moves on a network: whether the data is entering, leaving or doing something internally. Its real focus is to build patterns from the behaviour of its users. This is becoming more and more frequent among organisations, but for the moment it is still quite niche. Jamie referred to this as:
Being purely focused on behaviour and data is super niche but we’re finding that it resonates really well. For example when people have fairly large polluted solutions they’re not quite sure what to focus on, while with Zone Fox people really understand what they get out of it.
4 – Encryption is not the problem it once was
The Zone Fox platform operates on agents or, as the team referred to them, connectors. These connectors run on items ranging from laptops to, coming soon, items like Office 365. That being the case, the solution can monitor traffic before it is encrypted and so doesn’t face the problems of network-based solutions. Jamie stated:
Because we have endpoint connectors we see it before it gets encrypted. It gets encrypted lower down the stack so it’s not an issue for us. So you get a lot of network solutions nowadays that require keys and it’s really kind of messy, we don’t need that.
5 – Behavioural analysis can help against Zero Days
Behavioural analysis is really one of the only means we currently have for monitoring zero-days. It’s the principle of identifying what we deem normal behaviour, for example working 9 till 5, and logging everything else as abnormal behaviour, for example signing into an office machine at midnight. Without this sort of analysis it would be almost impossible to detect zero-days on a system. Jamie commented:
When it comes to zero-days it may be something that allows an attacker in, for example it may provide some ability to open up a shell. Now what if a shell hasn’t been opened up on that machine before? That’s where we start to see the outlines and behaviour on that machine itself and that’s where we’d be able to give some insights.
6 – The best detection is in Rule and Behaviour
On the idea of behaviour detection, Zone Fox also offers rule-based detection methods to help protect a system during the behaviour analysis’s 2-week detection period. This means that in the long run the system will learn user behaviour, but in the short term you won’t be vulnerable to malicious actors getting into the network. Jamie phrased this as:
We’ll run both. Some systems just ditched the rule set almost entirely, I’m not necessarily in agreement to that as you still have policies that are requirements to live up to. So marrying the two creatures is a very powerful approach.
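To make points 5 and 6 concrete, here is an added sketch (not Zone Fox code, and not from the interview) of running a rule set alongside a per-host behaviour baseline with a two-week learning period. The event fields, the rule and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=14)  # the two-week learning period from the article
SHELLS = {"cmd.exe", "powershell.exe", "bash"}
OFFICE_APPS = {"winword.exe", "excel.exe"}

# Constructed rule set: policy checks that are active from the first event.
RULES = {
    "shell-spawned-by-office-app":
        lambda e: e["process"] in SHELLS and e["parent"] in OFFICE_APPS,
}

class Detector:
    def __init__(self):
        self.first_seen = {}  # host -> time of first event (start of learning)
        self.baseline = {}    # host -> process names accepted as normal

    def observe(self, event):
        """Return the alerts raised by one endpoint event."""
        alerts = ["rule:" + name for name, match in RULES.items() if match(event)]
        host, when = event["host"], event["time"]
        start = self.first_seen.setdefault(host, when)
        normal = self.baseline.setdefault(host, set())
        if when - start < LEARNING_PERIOD:
            # Still learning: record behaviour, but never learn from an
            # event that broke a rule, or the baseline would be poisoned.
            if not alerts:
                normal.add(event["process"])
        elif event["process"] not in normal:
            alerts.append("behaviour:process-never-seen-on-host")
        return alerts

def _event(day, process, parent, host="ws-01"):
    return {"time": datetime(2017, 6, 1) + timedelta(days=day),
            "host": host, "process": process, "parent": parent}

# Constructed sample events for one workstation.
SAMPLE_EVENTS = [
    _event(0, "winword.exe", "explorer.exe"),
    _event(3, "powershell.exe", "winword.exe"),   # during learning
    _event(20, "winword.exe", "explorer.exe"),
    _event(21, "cmd.exe", "explorer.exe"),        # first shell on this host
    _event(22, "powershell.exe", "winword.exe"),
]

def run_sample():
    detector = Detector()
    return [detector.observe(e) for e in SAMPLE_EVENTS]
```

During the learning window only the rule can fire; afterwards a shell that was never part of the host’s baseline is flagged even when no rule matches it.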
There you have it, 6 interesting things we learnt from Zone Fox at Infosec Europe 2017. There is plenty more on the company online and I recommend giving them a look; you can find them at zonefox.com.