
Security as a Service: zscaler and carbon black

For an EU person or company, do you think SaaS via US servers is a security risk?

  • Yes: 3 votes (75.0%)
  • No: 1 vote (25.0%)
  • Total voters: 4
Joined
Aug 30, 2006
Messages
7,195 (1.12/day)
Does anyone have any experience with these two, or similar, security software services? They seem to be becoming more and more prevalent on corporate laptops. My understanding is they work like this:

laptop...internet...security service provider server....internet...WWW or corporate network.

They are man-in-the-middle software services. The idea being that the security service provider provides a DNS service to control where the laptop can go on the internet, does various malware/antivirus stuff on incoming/outgoing traffic, and ensures that data heading to or from the corporate network has been scanned and gatekept.

Advantages
  • No need to be overly concerned about firewall or antivirus software being up to date on the laptop, because the scanning is done on all transmitted files on the security service server
  • Can have various policies that run “in the cloud” and the laptop is forced to be compliant since all WWW and corporate access passes through the security service provider server first
  • Can spy on employees and make sure they aren't doing naughty things
Disadvantages
  • Can spy on employees (this is illegal in many countries)
  • To scan the data, all the data on the 3rd party security service server is held unencrypted so that it can check it and scan it. What, private and corporate data stored on 3rd party servers, unencrypted!
  • This means all your data is available for data mining by the man in the middle
  • If SaaS servers fail, you lose access to your corporate network!
  • Various government intelligence agencies can monitor your data without you knowing
 
Joined
Nov 1, 2017
Messages
521 (0.22/day)
Hmmm...

I do have experience on Security Software, but not those two.
I know they are endpoint security tool with some fancy behaviour analysis feature.

But let me clear some stuff first of all.

"No need to be overly concerned about firewall or antivirus software being up to date" ; False. It's just an added line of defence, but let's say your environment is as secure as your weakest link.

"Can have various policies that run "in the cloud" and the laptop is forced to be compliant" ; That's true. Usually those products are managed from a cloud admin panel, then you deploy agents on your clients. The agents will be provisioned from the SaaS using the configuration / feature set you've configured.
Compliance policies are usually more of an MDM feature (like VMware Workspace One), so just make sure the feature set you're buying doesn't depend on another product and that it's really included directly in the solution.

"Can spy on employees". Here's the definition of "Spy" : One who secretly keeps watch on another or others. This is a wrong way to use the word spy. You're not spying on what the user does, you're monitoring your network infrastructure. How do you want to protect your network if you don't know what the user does or downloads? That's the job of any security infrastructure; see what's coming in, and scan it, see what's coming out, and make sure it's legit. Using the term "to Spy" is to ACTIVELY be looking into what your users do and then use the information you gather to know more about your users without them knowing... That's not the purpose of a security software at all. You just draw the line of what's allowed, and what's not, and keep your users within that line, and yes, your users have to be aware of the existence of that software. Usually there's a clause for that in the employee manual or job contract.

Yes there is some data analysis, but it's not the content of the data. The analysis is based on behavioural patterns of applications, services, network protocols and ports being used, type of traffic, etc... Not on what the user is watching on Netflix.

**edit** - I thought a bit more. You can be right depending on the context. Content can and will be analysed by a sandbox appliance, for example, but they do not scan the "content" per se, but search for macros, scripts or malicious URLs, things like that.
Tho in cases, like an IBE (Identity Based Encryption, like encrypted email), you can even scan contents of emails in search of patterns (like credit card numbers), then force encryption of the email, so yeah. Content scanning can go far depending on the product/features, but you should always have the choice on how you want to store the logs and stuff concerning the content after analysis.

"To scan the data, all the data on the 3rd party security service server is held unencrypted so that it can check it and scan it." Depends on the software, usually the scan engine part is local. Do you imagine sending everything to the cloud just for a virus scan? That's unimaginable. Data sent to clouds is for logs and monitoring purposes, like the file name, MD5 hash, scan result, bla bla bla, and it's over an encrypted channel, stored on an encrypted infrastructure. The only time a file can be sent to an external system is when you use a sandbox or for "suspicious" files. The file is unencrypted while on the sandbox, but then it keeps a copy for its logs. You can choose the log retention usually.

"This means all your data is available for data mining by the man in the middle", hmmm, choosing a security provider is choosing who you trust to keep all your stuff safe and secured. Yeah they use the statistics to build their KB, definitions, behavioural AI, etc..., but the data isn't connected to anyone, it's raw. It's the stats mate, not the file, nor its content. You seem to think those software are like "clouded firewalls", but they aren't, they are not used as a man-in-the-middle. See them as the guy at the Costco entrance that checks your member card and your bill at the exit. If he's not there, you can still go...

"If SaaS servers fail, you lose access to your corporate network!", false. It's an antivirus/mdm/anti-exploit/anti-malware/anti-spyware/anti-zeroday, not a router, not a dns server, not a main firewall. If you intend to use their secure DNS, just use your local AD DNS as a failover.

If you plan to use "Conditional Access" based on "Compliance policy", this may lead to access denials if the "compliance database" is down. But you know, those are fancy software, you have tons of failover options if things like that happen, just need to plan in advance. In my case, I never had such an issue.

"Various gvt intelligence agencies can monitor your data without you knowing" depends on where the data is stored, if it's encrypted, etc... In my case, I always make sure the SAAS servers are in the country where the company that uses it is based, or use On-Premise appliances.

I hope my reply can help you see things clearer. Sorry if there are some obvious typos and feel free if you have additional questions.
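One way to implement the pattern-based content scan this reply describes (credit-card numbers in an outbound email triggering forced encryption), as an added example that is not part of this reply or of any product named in the thread. The candidate regex, the Luhn check, the masking rule and the test card number are all constructed assumptions:

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
# (constructed pattern; real DLP engines use per-brand prefixes and lengths).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn filters out order numbers and phone numbers that merely look like PANs
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the PAN never lands in the audit log."""
    return "*" * (len(pan) - 4) + pan[-4:]


def outbound_mail_policy(body: str) -> dict:
    """Decide what the mail gateway does with this body: force encryption when
    at least one valid card number is present, and log only masked matches."""
    hits = find_card_numbers(body)
    return {"force_encryption": bool(hits), "logged_matches": [mask(h) for h in hits]}
```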
 
Last edited:
Joined
Jan 25, 2021
Messages
34 (0.03/day)
I used Carbon Black a few years back. We had it on premise. Mainly, any change to a system has to be approved, i.e. if you want to update Java to a new version, you need to approve the file. You can pre-approve changes like Windows Update or any change you expect to happen to a system. In our situation, when a user tried to install a file that was not pre-approved, they got a "request" for approval, which they forwarded to the helpdesk, who either approved or denied it. You had to provide a reason why you needed to install the application/change. That's the way we had it set up. I presume their service has evolved since then.
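The approval workflow this post describes (pre-approved sources, hash-based approval of everything else, a helpdesk request for the rest), modelled as an added example. This is not Carbon Black's code or data model; the store layout, publisher names and file bytes are constructed for illustration:

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ApprovalStore:
    """Constructed model of an application-control console: approved file hashes,
    publishers whose signed files are pre-approved (e.g. the Windows Update case),
    and pending/denied requests keyed by SHA-256."""
    approved_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # sha256 -> (user, reason)
    denied: set = field(default_factory=set)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_install(store: ApprovalStore, file_bytes: bytes, publisher: str,
                     user: str, reason: str) -> str:
    """What the agent does when a user launches an installer:
    'allow', 'deny', or 'request' (blocked now, ticket raised for the helpdesk)."""
    h = sha256_of(file_bytes)
    if h in store.denied:
        return "deny"
    if h in store.approved_hashes or publisher in store.trusted_publishers:
        return "allow"
    # First request for this hash wins; repeats do not overwrite the stated reason.
    store.pending.setdefault(h, (user, reason))
    return "request"


def helpdesk_decide(store: ApprovalStore, h: str, approve: bool) -> None:
    """Helpdesk resolves a pending request. Approval is by hash, so the same file
    becomes runnable for every user without a second request."""
    store.pending.pop(h, None)
    (store.approved_hashes if approve else store.denied).add(h)
```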
 
Joined
Sep 5, 2005
Messages
289 (0.04/day)
I think it is a double-edged sword. Prevents some security risks and easier for them to monitor, but just one more thing to get hacked. If you are using their hardware, surf the net on your PC. I have Zscaler installed on my work PC and at the end of the day I shut it off. If they monitor my activities on my work PC they see me making money!
 
Joined
Aug 30, 2006
Messages
7,195 (1.12/day)
I much appreciate the comments, and the improvement of the colloquial language to more common practice terminology.

Carbon Black (Wikipedia quote): "The company leverages technology known as the Predictive Security Cloud (PSC), a big data and analytics cloud platform that analyzes customers’ unfiltered data for threats"


"Do you imagine sending everything to the cloud just for a virus scan?"

Man-in-the-middle. YES, everything sent from corporate server to client and vice-versa IS routed VIA zscaler cloud presence AND data is unfiltered AND scanned on zscaler, i.e., they have total access to your data that is transmitted between you and your HQ.

encrypted VPN from you to zscaler, zscaler sniffs, snoops, policy controls, big data analytics, etc, then encrypted VPN zscaler to your corporate HQ. Man-in-the-middle. Either they or intelligence services that obtain legal right to intercept, can watch, monitor, analyse your full data flow.

zscaler even has a server in Germany to deal with data protection laws prohibiting data being sent out of the country. Nonetheless, if this is necessary, it is proof that data IS being sent, stored, sniffed.

the term “spy” was an emotive term targeted at the man-in-the-middle rather than your employer “monitoring” your activities.

I'm new to this, but the more I think about it, and understand the various mechanisms of the SaaS, concerned I am.
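A check a laptop owner or admin can run to see whether an in-path proxy is re-signing TLS for them, which is the precondition for the "sniffs, snoops" step described in this post and in the first one. This is an added example, not code from the thread or from Zscaler; the expected-issuer list, the sample certificates and the behaviour of any particular proxy are constructed assumptions:

```python
import socket
import ssl

# Issuer organizations we expect on a public site's leaf certificate when nothing
# in the path re-signs TLS (constructed list; in practice pin the exact issuer or
# SPKI hash you observed from an uninspected network, out of band).
PUBLIC_ISSUERS = {"Let's Encrypt", "DigiCert Inc", "Google Trust Services LLC"}


def issuer_org(cert: dict) -> str:
    """Extract organizationName from an ssl.getpeercert()-style dict.
    The issuer is a tuple of RDNs, each a tuple of (key, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify_leaf(cert: dict, expected_issuers=PUBLIC_ISSUERS) -> dict:
    """Report whether the leaf looks minted by an in-path inspection CA rather
    than by the site's public CA. An unexpected issuer is the tell: a proxy that
    decrypts and re-encrypts must present a certificate its own CA signed."""
    org = issuer_org(cert)
    return {"issuer_org": org, "intercepted": org not in expected_issuers}


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate as presented to this client. Verification stays
    on: an inspection CA that the managed laptop trusts will pass and be classified;
    one that is not trusted fails the handshake loudly instead of being hidden."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Live use (needs network); the issuer printed should be the site's public CA.
    print(classify_leaf(fetch_leaf("example.com")))
```

Running this once from an uninspected network and once from the corporate laptop gives a direct answer to whether the session is terminated in the middle.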
 
Joined
Nov 1, 2017
Messages
521 (0.22/day)

Oh god, I just read about zScaler, I was ignorant about this one.
Very interesting indeed.

It's literally a "security platform" as a service. Could be useful for a 100% remote company or someone who has 0 security infrastructure.
Tho in this case, yep, it's hardcore confidentiality wise. Even more if it's a company that swims in confidential stuff. Imagine if something like the Starwind exploit happens there, ooof.

I don't think Carbon integrates as deep as zScaler, or at least, you may have more leverage as you can make your own virtual appliance.
It really depends on the customer infrastructure, I guess. If it's 100% cloud, then yes it makes sense to go with zScaler.

I have to be honest, I can't be the judge of this solution tho as I know close to nothing about their product and I'm biased as I personally prefer an On-Prem approach/solution or something more "hybrid". That's hardcore full cloud stuff hahaha. :laugh: But, as I said, some scenario might benefit from this solution, like if everyone is working remotely, and there's no branch office or main site. But even then, I would think to rent a rack in a datacenter to make my own "cloud", at least for the data and applications.
 
Last edited: