
Cables2Clouds
Join Chris and Tim as they delve into the Cloud Networking world! The goal of this podcast is to help Network Engineers with their Cloud journey. Follow us on Twitter @Cables2Clouds | Co-Hosts Twitter Handles: Chris - @bgp_mane | Tim - @juangolbez
The Fine Line Between Brilliant and Bizarre Cyber Tactics (Fortnightly News Update)
Tim and Chris discuss major cybersecurity acquisitions and innovations, examining how these changes will impact enterprise security and cloud architecture.
• Zscaler acquires Red Canary, an MDR (Managed Detection and Response) provider, to fill a gap in its platform despite potential integration challenges
• AWS Network Firewall now supports multiple VPC endpoints without requiring Transit Gateway deployment
• AWS exits the private 5G market, pivoting to partnerships with established telecommunications providers
• Check Point acquires Veriti Cybersecurity to add multi-vendor threat exposure management and "virtual patching" (blocking exploit traffic at the enforcement layer as a stopgap until the vulnerable host is actually patched) to its Infinity platform
• North Korean IT workers using sophisticated techniques to infiltrate Western companies by posing as legitimate remote employees
Check the news document for additional stories we didn't have time to cover, including MPIC (Multi-Perspective Issuance Corroboration), a certificate-issuance control under which a CA validates domain control from several network vantage points so that a BGP hijack of a single path cannot be used to obtain a fraudulently issued certificate.
Purchase Chris and Tim's new book on AWS Cloud Networking: https://www.amazon.com/Certified-Advanced-Networking-Certification-certification/dp/1835080839/
Check out the Fortnightly Cloud Networking News
https://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/
Visit our website and subscribe: https://www.cables2clouds.com/
Follow us on BlueSky: https://bsky.app/profile/cables2clouds.com
Follow us on YouTube: https://www.youtube.com/@cables2clouds/
Follow us on TikTok: https://www.tiktok.com/@cables2clouds
Merch Store: https://store.cables2clouds.com/
Join the Discord Study group: https://artofneteng.com/iaatj
Tim: Hello and welcome back to another episode of the Cables2Clouds Fortnightly News. I'll be your host this week, Tim. With me, as usual, is Chris, the other guy. We go back and forth, I don't know if you noticed, so it's my turn. I like being the other guy. Yeah, that's the other guy. So, okay, let's just jump right into the news. We've got some good ones this week, and a decent number, so we'll just roll right into it.
Tim: The first one comes to us from Forrester, and it's called "Zscaler Snatches Up Red Canary: The Good, the Bad and the..." So Red Canary is an MDR, which I actually had to go look up what MDR meant. I know what some of the other DRs are, like NDR, November DR, Network Detection and Response. MDR means Managed Detection and Response. So Zscaler, the SASE/SSE company, the Zero Trust model company, has acquired Red Canary. Red Canary is managed detection and response, which is a fancy way of saying outsourced security operations, basically cybersecurity for hire, and they do a lot of platform integration, like getting telemetry and threat detection and then actually mobilizing response against it via managed... they have actual humans, but essentially it's people you're retaining to do the work.
Tim: So this is kind of, and the article points out kind of what I was thinking when I read about this, which is, first of all, it's good: Zscaler doesn't have anything like this right now. So it's a big hole in Zscaler's lineup, and with the trend towards platformization, which is enterprises trying to acquire single-vendor products that cover the spread rather than having a bunch of multiple-vendor solutions, from that perspective this kind of makes sense. You've got an MDR and you've got the SASE company, and they both do literally nothing that the other one does, so they're filling functionality gaps between each other. However, it does go on to point out that, while they cover each other's gaps, they also do nothing really to complement each other.
Tim: If you take Zscaler, which is a SASE company, SSE, Zero Trust, this is something that enterprises have been running for a long time to outsource security to the cloud or whatever, and then you have this MDR, which is essentially a manned outsourced SOC, and yeah, there doesn't seem to be any good way to do integration between these two products. So interesting acquisition from Zscaler. I know they're trying to platform themselves, basically give themselves a full suite of security offerings, but yeah, I don't know. What do you think about this one?
Chris: Yeah, like you said, there's obviously a gap there in what Zscaler offers today; they don't do anything like this. So there's definitely white space there for them, which is good. But the idea here is, they currently have an existing SaaS-type platform, and this is another platform that has a lot of integrations built in for things like, you know, even some borderline competitors with Zscaler, which makes this a bit interesting. They have integrations on the site today for things like Microsoft, CrowdStrike, SentinelOne, even the other major cloud providers as well. So yeah, I mean, we've kind of seen this in the past when company A acquires company B and they both offer platforms: integrating those platforms can be a very rocky road and a very difficult process.
Chris: Yeah, I wasn't going to, you hit it, but hopefully this doesn't turn out to be something like that. But like you said, when you hear about the acquisition and you're like, okay, well, now that I know what Red Canary does, that doesn't compete with any of Zscaler's existing product set, which is good. But at the same time, like you said, I don't understand how this meshes very much, unless they just kind of fold Zscaler's threat detection or enforcement into the platform from Red Canary. But I don't know, I wouldn't necessarily see them just doing that. I feel like it would have to be something much bigger than that. So I don't know, maybe soon this will get rebranded as a Zero Trust SOC-as-a-service type thing. I don't know, we'll see what happens. All right.
Chris: And next up we have a somewhat smaller announcement. We have an article here from the AWS Networking blog that AWS Network Firewall has added support for multiple VPC endpoints. So AWS Network Firewall now supports enabling multiple VPC endpoints for a single firewall, and I know that might sound kind of basic, but the communication that we've seen from AWS employees about this is that it's basically a way to consume and use AWS Network Firewall without having to actually deploy and use something like AWS TGW. I'd say, if you're an AWS Network Firewall customer, odds are you're also a TGW customer. I wouldn't say there's a ton of customers that need this today that don't already use TGW. But there is the concept of things like island VPCs that aren't connected to the corporate network in some sense, right? So this could be something just to alleviate those island ones that sit off to the side, or maybe just growing organizations that haven't yet got to the point where they need a transit gateway.
Chris: I think this, like we said, is a small announcement, but I feel like this is probably a bit of smoke to lean towards where AWS may be going with Network Firewall. We've heard some rumblings in the market about how AWS is looking to make AWS Network Firewall more consumable for customers. Most of the time what we see is that it's very cost-prohibitive for a lot of customers, and that seems to be one of the major sticks in the mud, so to say. But if this is a way to let you get more out of less with a single firewall, rather than having to deploy a network firewall in every single VPC, maybe this is the first step in that direction. I don't know, but that would be cool to see. What do you think, Tim?
Tim: I think island VPCs is the play, yeah. So they already have Gateway Load Balancer, and it's already kind of normally deployed for AWS Firewall for this purpose. Using VPC endpoints instead probably makes it cheaper. First of all, I think, like you said, one of the big things was that anyone who needs a firewall, or has enough VPCs to need firewalling, probably already has some kind of cloud networking in place, except for the case of something like island VPCs, or where they don't have a need for east-west and they really only need to worry about egress traffic, right? So honestly, this feels like a stepping stone on the way to something else. Just doing VPC endpoints is okay and, like you said, it fills a niche that probably not a large percentage of customers have or need right now, but it does feel like a stepping stone towards another bigger expansion of how Network Firewall is going to work in AWS. All right.
Tim: Next one: AWS is now bowing out of the 5G market. This article from Network World says AWS no longer offers private 5G, cedes the field to established industry players and carriers, and honestly, I'm amazed that it lasted as long as it did. You know it was always going to be... AWS is very interested in owning the roads, as it were, because that helps it deliver the service, right? So look at Kuiper, the satellite constellation that they've been deploying. What does that do? It gives connectivity to a lot of places. Anywhere you can put connectivity, you can deliver services, and that's really what AWS is after. So this was originally, I think, another method by which AWS could deliver private connectivity for its services.
Tim: The thing is that it never really... I don't think it was ever really able to break into the telco market. AWS obviously isn't a telco; they are kind of a telco provider, but they're not really a telco provider. And so the technologies associated with telco, especially with 5G, there are very specific technologies, and unless AWS wants to create them out of whole cloth, they're kind of bound by third parties, and the article actually goes on to point out that that was one of the biggest challenges that AWS had: third-party hardware and, of course, also the bands. Right, 5G is not infinite. You have to license the radio, essentially the radio waves and all that, for 5G, so a lot of the established telco providers already have it. So this does go on to point out, which is what they probably should have done from the beginning, that AWS will be partnering with Verizon, AT&T and other 5G providers to provide the actual 5G service and essentially be a pass-through for their customers to do that.
Tim: So I would say end of an era, but it's not even that critical, you know what I mean? To me it's just something that makes sense, and I always thought it was ambitious for them to go after 5G. But remember when 5G first launched, what, three, four years ago now or something like that, that was something that was supposed to be the case. It was supposed to be kind of a wide-open new band to go after, and everybody had their chance.
Tim: But anyway, anything to add here?
Chris: Yeah, kind of like you said, end of an era that we didn't even know was coming to an end, or... we didn't even know if the era existed, to be honest. But yeah, like you said, the way AWS works is they like to own the roads, so to say, and the reason people consume those services when they own the roads is usually that AWS has put enough value on top of that ownership to make it consumable and better for their customers.
Chris: It seems like in this case they couldn't get over that hump, right? I wonder if it was more... there are some details in this article leaning towards reliance on third-party hardware and things like that, which doesn't really sound like Amazon's typical approach. It seems like, as you said, they want to own everything. So maybe they just didn't see the reward there. But also, telco is a very established market and has some nuance to it. So I almost wonder if some of the telco providers were just basically like, nah, fuck you, and just kind of put their foot down. Just frozen out?
Chris: Yeah, exactly. But at the end of the day, I think this is probably the right way to go. Let the dominant partners that do that for their end customers remain in that space. And then you have this service you're talking about, which is the integrated private wireless, which basically just sounds like they have some kind of back-to-back pairing with those partners that offer the private 5G and 4G LTE services. So overall, it does seem weird that there's probably going to be an intermediary now in between AWS being on-prem versus AWS in the cloud. So if you're using something like... what is the product set now? It's not Snowfall, I think that might be the full product set now, I can't remember. There's Snow something, AWS Outposts and things like that. I don't remember if they changed the name of it.
Tim: Yeah, I'm trying to think. Yeah, what is it now?
Chris: Yeah, nonetheless, Snow something. Snow family, we'll call it that. But yeah, interesting stuff. All right, and last... no, not last one. Is this the last one? This is the last one, okay. So last up, we have an article from securitybrief.com.au. Yeah, we've got to say the .au every time, in Australia. It really annoys me.
Chris: But just so you guys know, securitybrief.com.au reports that Check Point has made a motion to acquire a company called... we don't know exactly how to pronounce this, so if we get it wrong we apologize, but I think it's Veritai. Tim said Veriti earlier. That would also work. So I don't know which one this is, but I'm going to go with Veritai. But basically they're acquiring Veritai Cybersecurity to expand their offer for threat exposure and risk management. So it sounds like Veritai is an automated multi-vendor platform for preemptive threat exposure and mitigation, per the article, and this is something that's going to automatically integrate into their Infinity platform, which, you know, Check Point's Infinity platform, I think, is kind of... again, back to platformization, it's all over the place. It seems like it incorporates their Quantum line, which is their new AI-powered physical firewalls, their CloudGuard firewalls, which obviously run in the public cloud, and their Harmony service, which I believe is their SSE or SASE-type offering. So it looks like this is yet another AI-powered platform.
Chris: One thing that was called out here was they offer this thing called virtual patching, which Tim actually made me aware of. I wasn't aware of what this was. So virtual patching essentially is a way for... threats could come in from a certain feed or from some type of platform. They mentioned they have integrations with CrowdStrike, Tenable, Rapid7, etc. So basically, information about a threat could come into this platform and you can enforce something called virtual patching where, instead of actually going and patching the systems that are made vulnerable by the CVE, you could automatically enforce a security rule or a firewall rule that essentially blocks traffic
Chris: that would relate to that CVE, right? So that seems to be something that is offered here. So yeah, interesting stuff. I don't know exactly what this will mean for Check Point. It seems like it'll just be another kind of ingestion point for threat information, threat detection, and they will have to essentially put that enforcement into the Infinity platform in some capacity. Anything to add?
Tim: Not a lot. So basically Veritai, or whatever it ends up being, is the aggregation platform, and they were always integrating with some kind of enforcement model on the back end. They were integrating with the threat detection feeds, you know, Wiz or the ones that you mentioned, Rapid7 and Tenable, and then they had to essentially talk to the enforcement layer to actually do something with that, quote unquote, virtual patching. And virtual patching, I mean, it's such a marketing term, isn't it? This idea of virtual patching where we're literally, I mean, don't get me wrong...
Chris: It's a firewall rule. That's what it is. It's a firewall rule.
Tim: Right. At the end of the day we're saying, oh well, we've detected that this host, or whatever this device is, is vulnerable to a certain type of attack, and then we translate that into a firewall rule that makes the CVE unexploitable in some fashion, right? Until you can actually... it's not a replacement for actually patching the thing, but it's supposed to buy you time, essentially. Make it unexploitable so you can wait to patch if you need to patch. But yeah, so from an acquisition perspective, this makes sense for Check Point, since, you know, essentially: okay, well, now I, as the Check Point enforcement layer, gain the ability to do this virtual patching, because now I have this new capability.
Tim: And then maybe, I'm curious to see, because it said multi-vendor, I'm curious to see after the acquisition, does it remain multi-vendor or does Check Point just close shop on the other vendors, or what's going to happen? Yeah, I agree, probably not. Check Point's not big enough to throw its weight around like that, I think. But anyway, yeah, so that's interesting. I love the marketing term virtual patching, but other than that, that's it. All right. So Chris said that was the last story, but actually we do have one more. Not only did I say that, you agreed with me.
Chris: I didn't agree with you.
Tim: I just didn't say anything because I didn't want to be an asshole and be like, Chris...
Chris: You're fucking wrong again. Look, if you're watching on YouTube, watch: when I say it's the last article, go back and check Tim's face. He goes...
Tim: I was like, yep, last one, even mouthed "last one". Yeah, whatever, all right. So this one actually, I don't have the... we didn't add the link. Hold on, let me open it up. Okay, sorry, it's from cybersecuritynews.com: North Korean IT workers leverage legitimate software and network behaviors to bypass EDR, which is a weird title for what this actually is. Isn't that strange? So let's talk about what the actual attack on the EDR is in this case. So who was it that broke this up?
Tim:There was an operation federal law, us federal law enforcement agencies raided a suspected laptop farm used to facilitate fraudulent employment and schemes where North Korean nationals posed as legitimate American workers to gain remote access to Western companies. Used to facilitate fraudulent employment and schemes where North Korean nationals, posed as legitimate American workers to gain remote access to Western companies. So they would essentially like forge their credentials and actually go get a job at an American company, get a company issued laptop for this new remote worker and then connect it to this you know, essentially this laptop farm, and then these nationals would exploit the fact that, hey, I've got a backdoor into you know this company, you know this, this company. And all I can think of as I'm thinking about this is the key and peace, the, the, the key and peel skillet, where they're like, where they, where they're playing in the bank, heist. And he's like no, I got a better idea. We're going to go in and we're going to, we're going to walk in and every week we're going to come out with some money and 30, 40 years later, 40 years later, we walk out, happened. He's like that's a job, um, anyway, but no, this is legit.
Tim: So these backdoors, I say backdoors, I mean they're freaking remote access VPNs for employees, right? This is ridiculous. But these nationals were pretending to be American workers and getting a backdoor, via company-issued laptop, into the VPN. And then at that point you just hope that either they didn't have a role within the organization that could access anything sensitive, or that you had good Zero Trust capabilities inside your network to stop lateral movement. So this story is really just crazy. The system's crown jewel was its Zoom client automation module, which manipulated video conferencing sessions to establish remote desktop access, automatically launched Zoom meetings, joined sessions and approved remote control prompts through simulated keyboard inputs, transforming a legitimate collaboration platform into a remote administration tool. So yeah, this is nuts. The level of sophistication here, amazing, I don't know what to say, just amazing. Anyway, do you have anything to add to this one, Chris? Because I think this is just nuts.
Chris: Yeah, I mean, you pretty much covered it, but this one's just so funny. Maybe this is a prominent thing, but I've never seen this before, where they go to the point of actually getting employed by the company that they want to steal from. And it's funny because we talked about this before we hit record, but essentially that means you're paying someone to steal your own data, because if they're an employee, they have to be cutting a paycheck to them.
Chris: And albeit they are literally just a laptop that exists in some farm in Korea. They touch on these points about how they have these very simple scripts set up to maintain a persistent connection to the corporate assets while being located in Asia. It's really like... I don't know if it touched on it in here, but so many things are going through my head. Like, were they under the impression that the employee was going to be working out of Korea?
Chris: Because it seems like there are some very simple things in endpoint detection services that would pick up on some of this stuff. I mean, it's very possible that this company was just not using a modern stack in that capacity, which is probably where they will be moving towards now, something that does posture checks and DLP and things like that. But even, like you said, if they were using these kind of sophisticated things to do a remote access control prompt and do this all through Zoom, I don't even know if that would get picked up by something like DLP, because there are so many layers to this where things are going to get encrypted, and I don't know exactly how you would detect this or plan for a detection like this.
Chris: Like, how do you tell company A, B, C to protect against something like this? Like, don't hire fake people.
Tim: Like, I don't... look, it's crazy, because they were going as far as capturing ARP packets and sending them over WebSockets and stuff like this. This is nuts. This is so sophisticated, and I don't know how a DLP or an EDR could have necessarily known to look for this.
Chris: Right. Very, very... I mean, to be honest, pretty cool. Pretty cool that they were able to do this.
Tim: Yeah, I've got to say, mad respect actually for this type of cyber attack. That's impressive.
Chris: Yeah.
Tim: It's like... true social engineering.
Chris: It's like Baxter eating the... what is it? What is it from Anchorman? He's like, you ate an entire wheel of cheese? That's impressive.
Tim: Yeah, oh man, okay. So yeah, with that, we'll go ahead and close up shop here. I hope you all enjoyed this week's news. If you did, please leave us a comment. Share it with a friend.
Chris: That being said, if you want more, do check the news doc, because there was actually quite a bit this week that we didn't get to cover. There was actually a cool article in there about a project called MPIC, which is focused on preventing BGP attacks with certificate validation, something that Tim and I did not have time to become experts on to talk about before this, but I thought it was super interesting and I will be looking at it after the show. But yeah, definitely take a look, there's plenty in there for this week.
Tim: Yeah, there are more articles than usual, some funny ones too. But yeah, take a look at the article... sorry, the news, my God, I just lost it. News article, news articles, I guess. The document, the document, yes, thank you. All right, and with that we'll go ahead and end it here, and we'll see you next time.