'Very Noisy:' For the Black Hat NOC, It's All Malicious Traffic All the Time

Black Hat Asia's NOC team gives a look inside what's really happening on the cyberfront during these events.

2 Min Read
green padlock icon
Alamy

BLACK HAT ASIA – Singapore – When you're in an environment where the overwhelming majority of network traffic is classified as posing a severe cybersecurity threat, deciding what to be concerned about becomes not a needle in a haystack situation, but a needle in a needlestack problem.

That's the word this week at Black Hat Asia, where Neil Wyler, global lead of active threat assessments at IBM X-Force, and Bart Stump, senior systems engineer for NetWitness, took to the stage to give attendees a look inside the event's enterprise-grade network operations center (NOC). The duo oversaw the NOC's design and led the security team for the show, which ran from May 9-12. The multi-vendor network supported attendee Wi-Fi access; internal operations such as registration; the needs of business hall stands; and the communications requirements of technical trainings, briefings, keynotes, and vendor demonstrations.

"When we discuss the traffic, try to explain to others that at Black Hat it's bad all the time — all or most of the traffic is malicious," Wyler explained. "That sounds scary, but for this crowd that traffic is normal. There are people demoing attacks, there are red teams trainings going on, etc., and that means that we don't really block anything. We let that traffic fly because we don't want to take down a demo on stage or on the expo floor. Unless we see a direct attack on our infrastructure, say the registration system, we let it go."

Related:What Is Network Security?

So, in order to ferret out the actual bad, bad traffic, the NOC relies on a number of dashboards that allow a real-time view of everything flowing through the network, with the ability to capture stats on everything from device profiles to which cloud apps attendees are connecting to. It also captures raw packet data so NOC analysts can go back and rebuild sessions in the event something seems abnormally suspicious, to look at "every single thing someone is doing with every packet, in a way we can't using just logs," Wyler noted.

Continue reading this article on Dark Reading

Read more about:

Dark Reading

About the Authors

Tara Seals

Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like