The first full day at RSA Conference 2017 started with an excellent keynote and the expected rush of mobile devices to the wireless network. After a bit more than a day, the Wi-Fi network is regularly pushing 500-700 Mbps of traffic, which the RSA NetWitness® packet decoder is handling nicely. The port scanning activity detected on the evening of day 1 appears to have stopped, along with the high frequency of installs of endpoint firewalls and AV, which was likely show floor demo stations loading and updating.

Figure 1: Network traffic on day one of #RSAC

The SOC question of the day was “do you know what your assets are doing when they are not behind a corporate firewall?” Being a security conference, we expect to see all sorts of traffic from privacy-conscious users that might not be normal on a corporate network. In this case we are seeing Telegram (messenger clients) and Tor2Web traffic, which makes sense for those trying to stay secure, as well as the usual push notifications for the various mobile OS vendors.

For most of the well-known mail protocols we have observed roughly 75% of the traffic encrypted, leaving a small but exposed set of users unencrypted. While this is a good start for the encrypted devices, there is still enough cleartext data visible on the network, to those looking for it, to be concerning.
Figure 2: SOC dashboards

A fresh set of summary dashboards has been loaded in the SOC display windows for the day’s traffic. The curious #RSAC attendees and the SOC tours fill our SOC windows with interested faces, making us feel a bit like fish. Check back this week as we share more views from the fishbowl as #RSAC rolls on.

The post A View From the #RSAC SOC appeared first on Speaking of Security - The RSA Blog.
