Silicon Shecky

Infosec Practitioner


Copyright © 2025 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

Over Complicated?

June 28, 2018 By Michael Kavka

“Any sufficiently advanced technology is indistinguishable from magic.” – Arthur C. Clarke

“Any sufficiently advanced magic is indistinguishable from technology.” – 7th Doctor (Sylvester McCoy) in Battlefield

So which do we have? Talk to people and you will hear that computers are magic, or technology, or both. Those of us who understand computers are wizards, magicians, technological experts. To put it in terms that someone on Facebook might understand, “It’s Complicated,” and it gets more complicated every day.

I am not going to get into the usability question the way that Wendy Nather did. She does it so much better than I could. Instead, let’s look a bit more at how the complication has come about and why it keeps increasing.

We have a ton of “solutions” for security. As we get more granular and more “advanced,” each solution is more and more targeted and creates sub-verticals inside the world of making things more secure. This is the wallpaper that Wendy talks about. Each layer actually makes things less secure overall. Now, I am not saying we do not need controls and software in place. I wish I could find this clip on YouTube, but in Doctor Who back in the Tom Baker era, he opened a really electronically complex door with a bobby pin. When asked why he did not use his sonic screwdriver he explained, “The more complex a thing becomes, the more susceptible it is to the overlooked simple way around it.” We are headed in this direction. Every extra layer of code adds more ways to come at the problem. Just look at the living-off-the-land techniques teams are using now to avoid detection. That, though, does not explain how all this complication came about, only where it is heading. So how did we get to this point?

The way I see it, there are two base reasons for the increase in complexity. The first and foremost, I think, is ego. Ego drives us, and it is not inherently a bad thing; actually it can be a very good thing. It can also easily get in the way. Ego drives us, at least partially, to find bugs and to find new solutions, because we want that recognition, even if only on a subconscious level. It also drives us to start up derivative companies in an area of cybersecurity. Why? Because company A won’t listen to our solution, so we strike out on our own. This leads to the second reason: money.

Plenty of solutions start out without money in mind: a small labor of love. Then we realize we might be able to recoup costs or even make a living off that labor of love, but to do that we need to bring in others who want to be part of it. Wait, to be able to pay them we need money, so we either take out loans or get investors. The investors, though, want to see a profit, so we start making things more complex or entering into side projects that might be related to the original, because we have a name people trust. This creates the other problem that money brings: lack of collaboration.

The lack of collaboration is easy to see in the anti-virus industry, but it exists across all the verticals. It comes from each company having its own secret sauce in its solution. That secret sauce is what makes each solution different, but it can also leave blind spots in that solution. If all these vendors really had security first and foremost in mind, they would be working together in the development of their solutions. Yes, this would make the solutions similar across the vertical, but considering each vendor has areas of strength the others don’t, it would create a solution that is more secure overall and should not have the integration problems we currently run into. How many times have you used multiple vendors’ products and found an incompatibility between them? I see it quite often. That incompatibility is now a security hole, an area that gets opened up. This creates a spot for a third vendor to come in with a solution. More cost, more complexity, more advanced technology, more wizardry.

So how do we fight back against this? Honestly, the only thing I can think of is opening up collaboration between each other and between companies. Work together to bring the simplest, most comprehensive solutions forward. This happens occasionally when alliances, partnerships or buyouts happen, or at least it tries to happen until ego gets in the way again. Still, collaboration is going to be the key going forward. Many of us talk about the great community we have. We need to work together to simplify the complexity, to remove the wizards and the magic, because if we can stop being looked at in that fashion, those outside our field will have an easier time helping keep things secure. It gives a way out of the conundrum that Wendy mentions. It is not an easy road, but then again, nothing worth doing is easy. We are the problem solvers, so let us solve this problem.

Filed Under: Hardware, Rants, Security, Software Tagged With: Complexity, Cybersecurity, InfoSec, Wendy Nather

Lack of Control?

June 7, 2018 By Michael Kavka

You get a tool to use. The tool looks good, in fact other tools from the same company look good. This tool though seems to be the red-headed stepchild.

Recently, I have been trying to clean up and tune an endpoint solution. It is made by a company I have some respect for and had seen in the past. The tool itself seems to work well. The problem, like with so many tools, is getting the best data out of it. The signal to noise ratio on the monitoring aspect is huge! The threat detection and prevention work well enough, but the amount of data to sift through, on data that is just being brought in for you to monitor, is difficult at best. The issue is a fine line between being able to warn about a potential threat and knowing what normal behavior is.

The example I will use here is opening known PDFs. These are seen as an application, each with its own hash, by said product for scanning purposes. All fine and dandy, but when the PDF is opened, certain executables that get called cause a monitoring alert to be made. These executables are known and trusted applications (part of the PDF reader), but due to the unknown nature of the PDF, they come up as an alert for running the executable. This creates a ton of noise in the alerts area. The problem is there is no real way to tune out these alerts, as the product is set up now, without risking not seeing alerts that one might need to check on. It makes the monitoring alerts useless, unless you feed the data to a SIEM where you can do the filtering.

The kicker is customers have been complaining in the user forums about this for over a year now, and still nothing has been officially announced as being done. The rumor is they stealth-fixed this in an update to the product, but there is nothing in the release notes. So in the meantime, I have to go through and keep the alert area clean of the noise, which eats into my time to do other things. At a company my size it is nowhere near as bad as it could be in a huge company with tens of thousands of endpoints.
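Once the alerts reach something you control, such as a SIEM or a pre-processor in front of it, the tuning problem above has a workable answer. What follows is an added example, not the vendor's code and not the author's: suppress only the reader's known helper executables, pinned by hash rather than path alone, and never suppress a living-off-the-land binary launched from the reader, since a document viewer spawning a shell is the alert you most want. The reader path, helper names, hashes and alert records are all constructed for the example and match no real product's export format.

```python
"""Suppress known-good PDF reader child processes without hiding real threats.

Added example, not the vendor's code. The reader path, helper names, hashes
and alert records below are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    parent_image: str   # process that launched the child
    child_image: str    # executable that triggered the alert
    child_sha256: str   # hash the endpoint product reported for the child
    cmdline: str


# The PDF reader and the helpers it legitimately spawns, pinned by hash so a
# replaced binary at the same path still surfaces. Hypothetical values.
READER_IMAGE = r"c:\program files\reader\reader.exe"
TRUSTED_READER_CHILDREN = {
    r"c:\program files\reader\readerupdater.exe": "a" * 64,
    r"c:\program files\reader\readerhelper.exe": "b" * 64,
}

# Living-off-the-land binaries: a document viewer launching one of these is
# the alert you most want to see, so it is never suppressed.
LOLBINS = {
    "powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
    "wscript.exe", "cscript.exe", "regsvr32.exe", "certutil.exe",
}


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(alert):
    """Return (verdict, reason); verdict is 'suppress', 'keep' or 'escalate'."""
    parent = alert.parent_image.lower()
    child = alert.child_image.lower()
    if parent != READER_IMAGE:
        return "keep", "parent is not the PDF reader; tuning rule does not apply"
    if basename(child) in LOLBINS:
        return "escalate", "PDF reader spawned %s" % basename(child)
    expected_hash = TRUSTED_READER_CHILDREN.get(child)
    if expected_hash is None:
        return "keep", "child is not an allowlisted reader helper"
    if alert.child_sha256.lower() != expected_hash:
        return "escalate", "allowlisted path but hash mismatch"
    return "suppress", "known reader helper with pinned hash"


def triage(alerts):
    """Split alerts into those still needing review and a count of suppressed ones."""
    review, suppressed = [], 0
    for alert in alerts:
        verdict, reason = classify(alert)
        if verdict == "suppress":
            suppressed += 1
        else:
            review.append((alert, verdict, reason))
    return review, suppressed


# Constructed alert records, not output from any real product.
SAMPLE_ALERTS = [
    Alert("ws01", READER_IMAGE, r"C:\Program Files\Reader\ReaderUpdater.exe", "a" * 64, "ReaderUpdater.exe /check"),
    Alert("ws01", READER_IMAGE, r"C:\Program Files\Reader\ReaderHelper.exe", "c" * 64, "ReaderHelper.exe"),
    Alert("ws02", READER_IMAGE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "d" * 64, "powershell -nop -w hidden"),
    Alert("ws03", READER_IMAGE, r"C:\Users\bob\AppData\Local\Temp\inv0ice.exe", "e" * 64, "inv0ice.exe"),
    Alert("ws04", r"C:\Program Files\Office\winword.exe", r"C:\Program Files\Reader\ReaderHelper.exe", "b" * 64, "ReaderHelper.exe"),
    Alert("ws05", READER_IMAGE, r"C:\Program Files\Reader\ReaderHelper.exe", "b" * 64, "ReaderHelper.exe"),
]

if __name__ == "__main__":
    review, n = triage(SAMPLE_ALERTS)
    print("suppressed %d alert(s)" % n)
    for alert, verdict, reason in review:
        print("%-8s %s %s: %s" % (verdict, alert.host, basename(alert.child_image), reason))
```

Run against the six constructed records, two alerts (the helpers with matching hashes) are suppressed and four remain: a hash mismatch on an allowlisted path and a PowerShell launch are escalated, an unknown child in a Temp directory and a non-reader parent are kept for normal review. An allowlist keyed on path alone would be exactly the blind spot the post worries about.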

Situations like this can leave a bad taste in the customer’s mouth. Companies get so overprotective of certain things, and hate admitting mistakes. Personally, I would rather a company be up front and over-communicate what is going on with an issue such as this. I am more likely to recommend a company that is upfront and honest and has good communication, even with a not-quite-as-mature product, than one with a completely mature product that hides from its customers, especially the smaller ones. They need to remember that while the larger companies bring in the greater money, attackers tend to move from the smaller fish to the bigger ones, so showing attention to the smaller companies gives you a good reputation with the larger ones.

Filed Under: Rants, Security, Software

The case for proper information or WHY CAN’T I UPGRADE THIS?

March 9, 2018 By Michael Kavka

Legacy OSes, legacy systems. We all know it sucks having them. We all have to deal with them. Software companies do not always account for them, though.

When you work internally in a medium to large business, change happens slowly at times. I recently ran into a weird issue due to slow change. I went to update my CarbonBlack Response server, in the mindset of security and fixing a few annoying bugs. I have done these updates without issue in the past, so when I got an OpenJDK dependency error I was rather taken aback. I tried to update OpenJDK: no go. The repos this version of Linux is using had no update to OpenJDK (1.8.0.r92 is what I needed). I decided to get CB support involved. We eventually set up a Webex so they could see directly what was going on, since none of the fixes they had sent me worked.

Turns out it was not documented that the Linux version we were on would not get that version of OpenJDK, or anything newer. Mind you, the Linux version is a number of years old, but still supported by said Linux vendor. Nor is there a way around the issue within the upgrade process, so CarbonBlack basically cannot be updated unless I can get the proper change order pushed through to upgrade the Linux version. We tried everything, including manually installing newer versions of OpenJDK, which succeeded but still were not seen when the dependency check ran.
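A pre-flight check run before the upgrade would have surfaced this before support got involved. The following is an added example, not CarbonBlack's installer or its dependency check, and it rests on an assumption the post does not state: that the vendor's check consults the OS package manager's record of the OpenJDK package rather than whichever `java` is first on PATH, which would explain why a manually installed newer OpenJDK was not seen. The required version the post writes as 1.8.0.r92 is taken here as 1.8.0_92; every `java -version` line and package version string below is constructed, not captured from a real server.

```python
"""Pre-flight check for an upgrade that pins a minimum OpenJDK version.

Added example, not CarbonBlack's installer or dependency check. It assumes
(the post does not say) that the vendor's check consults the OS package
manager's record rather than whatever `java` is first on PATH, which is
why a hand-installed newer JDK can pass `java -version` yet still fail.
"""
import re


def parse_version(raw):
    """Normalise '1.8.0_92', '1.8.0.92-1.b14' or '11.0.2' to a comparable tuple."""
    raw = raw.split("-")[0]          # drop rpm release or -ea style suffixes
    if raw.startswith("1."):         # legacy 1.x scheme: 1.8.0_92 -> 8.0_92
        raw = raw[2:]
    nums = [int(p) for p in re.split(r"[._]", raw) if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def version_from_java_output(text):
    """Extract the version from the first line of `java -version` output."""
    m = re.search(r'version "([^"]+)"', text)
    if not m:
        raise ValueError("no version string in %r" % text)
    return parse_version(m.group(1))


def preflight(required, java_output, package_version):
    """Return (ok, reason) for an upgrade that needs OpenJDK >= required.

    java_output:     captured `java -version` text (what is on PATH)
    package_version: what the package manager records for the OpenJDK
                     package (e.g. the rpm VERSION-RELEASE), or None if
                     no OpenJDK package is installed at all
    """
    need = parse_version(required)
    on_path = version_from_java_output(java_output)
    in_db = parse_version(package_version) if package_version else None
    if in_db is not None and in_db >= need:
        return True, "packaged OpenJDK %s satisfies %s" % (in_db, need)
    if on_path >= need:
        return False, ("java on PATH is %s but the package manager records %s; "
                       "a hand-installed JDK does not satisfy a package dependency"
                       % (on_path, in_db if in_db else "no OpenJDK package"))
    return False, ("OpenJDK %s is older than %s; a newer package from the distro "
                   "repos or an OS upgrade is needed first" % (in_db or on_path, need))


if __name__ == "__main__":
    # Constructed outputs, not captured from a real server.
    path_out = 'openjdk version "1.8.0_131"\nOpenJDK Runtime Environment (build 1.8.0_131-b11)'
    for pkg in ("1.8.0.131-11.b12", "1.8.0.77-0.b03", None):
        print(pkg, preflight("1.8.0_92", path_out, pkg))
```

The middle case is the one from the post: `java -version` reports a version that satisfies the requirement because a newer JDK was dropped onto the box by hand, but the package manager still records the old one, so a dependency check that asks the package database rejects the upgrade. The only fixes are a newer package from the distribution's repos or the OS upgrade the change order was for.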

The support person from CarbonBlack was going to let the devs there know about this and try to get the documentation updated so others who might be looking to upgrade know they cannot with this version of Linux. The other thing that got me thinking was: why is a security company like CarbonBlack relying on Java (OpenJDK) when it is so insecure? I like CarbonBlack’s products, but this is a huge WTF in my book.

Filed Under: Rants, Security, Software Tagged With: Carbon Black, CarbonBlack, Java, OpenJDK, Upgrade


