First full day at RSA Conference 2017 started with an excellent keynote and the expected rush of mobile devices to the wireless network. After a bit more than a day the Wi-Fi network is regularly pushing 500-700mpbs of traffic, which the RSA NetWitness® packet decoder is handling nicely. The port scanning activity detected on the evening of day 1 appears to have stopped, along with the high frequency of installs of endpoint firewalls and AV, which was likely show floor demo stations loading and updating.
Figure 1 Network traffic on day one of #RSAC
The SOC question of the day was "do you know what your assets are doing when they are not behind a corporate firewall?"
We saw a number of instances of asset locator software (a sort of LoJack® for digital assets) calling home and checking in as devices moved around the show floor. It is also interesting to see how corporate assets behave when not on corporate networks. Do you know if your devices are giving away corporate network information based solely on the device names and protocols seen on the conference network? Do your devices call out for internal LDAP servers, printers, other internal systems, software updates or consoles? What secrets do these devices leak over insecure networks? Network security is difficult enough devices are behind many layers of defenses, but it is even harder when they are alone and unprotected on public Wi-Fi.
Being a security conference, we expect to see all sorts of traffic from privacy-conscious users that might not be normal on a corporate network. In this case we are seeing Telegram (messenger clients) and Tor2Web traffic, which makes sense for those trying to stay secure, as well as the usual push notifications for the various mobile OS vendors. For most of the well-known mail protocols we have observed roughly 75% of the traffic encrypted, leaving a small but exposed set of users unencrypted. While a good start for on the encrypted devices there is still enough clear text data visible on the network to be concerning for those looking for it.
Figure 2 SOC dashboards
A fresh set of summary dashboards have been loaded in the SOC display windows for the day's traffic. The curious #RSAC attendees and the SOC tours fill our SOC windows with interested faces, making us feel a bit like fish. Check back this week as we share more views from the fishbowl as #RSAC rolls on.
Author: Eric Partington
Category: RSA Fundamentals, Blog Post
Keywords: Devices, Network, RSA Conference, Security Operations Center, Traffic, Wi-Fi