Silicon Shecky

Infosec Practitioner


Device vs. User

September 10, 2021 By Michael Kavka

Identity is the new perimeter. We keep hearing that, especially from Microsoft. Unfortunately, Microsoft has not completely bought into it in its own Defender suite of security products.

Microsoft Defender security products are nice. They work decently and Gartner likes them, but there is a problem with them: some key features focus far too much on the device. I am specifically talking about alerting and web filtering, and it becomes apparent as soon as you design policies for either. Here is an example: you build a custom detection from a hunting query, and it gets applied to a device group. Alert e-mails then go to whatever addresses have been configured as the notification recipients for that group. This can and does produce a stream of alerts that land with a helpdesk that has no idea what to do with them, instead of only with the security people who should be looking into them. Groups of IT people start ignoring the alerts from Defender, and now you are almost as insecure as you would be without Defender. I say almost because the protection is still there, and maybe even automated investigation and remediation, but nobody has eyes on it to weed out false positives or to look at the alert in context and see whether it is part of a larger attack. This is one way Microsoft's device-group-only thinking fails. Make sure you alert only those who need to be alerted; that is what cuts down on alert fatigue.

Another way I am seeing it fail is with the web filtering feature. This is becoming more prevalent now that Defender for Endpoint can be rolled out to mobile devices as well as workstations and laptops. The failure is not just a Microsoft problem; I have seen other well-known web filtering products fall down on the whole user-identity piece (I'm looking at you, Cisco Umbrella, although that is more a case of not keeping up with technological change: AD vs. Azure AD vs. hybrid vs. both). Microsoft again wants you to apply the policy per device group in your MDE tenant. So if person X has a laptop, a phone, a workstation and a tablet, all of which are supposed to be covered by the web filter policy, you have to manage all four devices in their respective groups. Wait, there is more! You also have to create multiple device groups for similar devices based on a person's function and what they are allowed to reach. All of this extra work instead of being able to say that people in AD (or Azure AD) group X get web policy Y. Identity information already flows into MDE; it should not be so hard for Microsoft to allow this for better control.

All of this falls into the identity space, which is definitely the new perimeter. You bring your identity with you everywhere you go. Identity is the most attacked thing right now because it provides that initial foothold. I am not saying get rid of device group policies, but make sure identity policies are also available. The real answer is that both devices and identities need to be secured; there is no question about that. The problem is that we are applying these controls and alerts to a device instead of to the identity. If you switch devices, the new device has to be put into all the right policies instead of automatically inheriting the policies your identity is already part of.
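To make that gap concrete, here is a small audit script. It is an added example, not code from this post, from Microsoft or from any MDE tooling. It takes two constructed exports, a device inventory (device, owner UPN, MDE device group) and a directory group membership list, together with two hypothetical configuration tables: what each device group actually grants (web policy and alert recipients), and what each directory group is meant to grant. Every device whose device-group scoping disagrees with what its owner's identity would have given it is reported. All names, groups, policies and addresses are made up, and the script assumes each user belongs to exactly one configured role group; against a real tenant you would replace the inline CSV text with exports from the portal or API.

```python
"""Audit device-scoped policy against identity-scoped intent (constructed example)."""
import csv
import io

# --- Constructed inputs: no real tenant, users, groups or addresses --------

# What MDE knows: each device sits in at most one device group.
# TABLET-01 is a replacement device that has not been placed in a group yet.
DEVICE_INVENTORY = """device,owner_upn,device_group
LAPTOP-01,alice@corp.example,Finance-Laptops
PHONE-01,alice@corp.example,Finance-Mobile
WKS-01,alice@corp.example,Sales-Workstations
TABLET-01,alice@corp.example,
LAPTOP-02,bob@corp.example,Sales-Laptops
"""

# What the directory knows: users belong to role groups.
DIRECTORY_MEMBERSHIP = """group,member_upn
Finance-Users,alice@corp.example
Sales-Users,bob@corp.example
"""

# Device-scoped configuration as the post describes it: the web policy and
# the alert mail recipients hang off the device group (hypothetical values).
DEVICE_GROUP_CONFIG = {
    "Finance-Laptops":    {"web_policy": "Finance-Web", "alert_to": {"helpdesk@corp.example"}},
    "Finance-Mobile":     {"web_policy": "Finance-Web", "alert_to": {"helpdesk@corp.example"}},
    "Sales-Workstations": {"web_policy": "Sales-Web",   "alert_to": {"helpdesk@corp.example"}},
    "Sales-Laptops":      {"web_policy": "Sales-Web",   "alert_to": {"secops@corp.example"}},
}

# Identity-scoped intent, "people in group X get policy Y" (hypothetical values).
IDENTITY_GROUP_CONFIG = {
    "Finance-Users": {"web_policy": "Finance-Web", "alert_to": {"secops@corp.example"}},
    "Sales-Users":   {"web_policy": "Sales-Web",   "alert_to": {"secops@corp.example"}},
}


def load_csv(text):
    """Parse an inline CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def identity_intent(upn, membership, group_config):
    """Resolve the policy a user should get from directory membership.
    Assumption: each user is in exactly one configured role group."""
    for row in membership:
        if row["member_upn"] == upn and row["group"] in group_config:
            return group_config[row["group"]]
    return None


def audit(inventory, membership, device_cfg=DEVICE_GROUP_CONFIG, id_cfg=IDENTITY_GROUP_CONFIG):
    """Return {device: finding} for every device whose device-group scoping
    disagrees with what its owner's identity would have given it."""
    findings = {}
    for row in inventory:
        wanted = identity_intent(row["owner_upn"], membership, id_cfg)
        actual = device_cfg.get(row["device_group"]) if row["device_group"] else None
        if wanted is None:
            findings[row["device"]] = "owner has no identity-scoped policy"
        elif actual is None:
            findings[row["device"]] = (
                f"not in any device group; would inherit {wanted['web_policy']} by identity")
        elif actual["web_policy"] != wanted["web_policy"]:
            findings[row["device"]] = (
                f"device group gives {actual['web_policy']}, identity says {wanted['web_policy']}")
        elif not actual["alert_to"] & wanted["alert_to"]:
            # Policy matches, but alerts for this user's device go to the wrong team.
            findings[row["device"]] = (
                f"alerts go to {sorted(actual['alert_to'])}, not {sorted(wanted['alert_to'])}")
    return findings


def run_audit():
    """Run the audit over the constructed exports above."""
    return audit(load_csv(DEVICE_INVENTORY), load_csv(DIRECTORY_MEMBERSHIP))


if __name__ == "__main__":
    for device, finding in run_audit().items():
        print(f"{device}: {finding}")
```

Run as-is it flags four of the five devices: the unenrolled tablet has no policy at all, the workstation still sits in a group that grants a different web policy than the owner's role, and two devices route their alerts to the helpdesk rather than the security team. Only LAPTOP-02, whose device group happens to agree with its owner's identity, comes back clean. That is the reconciliation you end up writing by hand when scoping is per device; with identity-scoped policy the intent table is the policy and there is nothing to drift.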

This is a starting point, and one that should be discussed and debated respectfully. Security software and alerting have come a long way from where they used to be, but I feel we are seeing some major mistakes in how they are being designed. These flaws, like any flaw, can and will be exploited. The final question is whether companies like Microsoft actually want to listen to us, or whether they are going to keep shoving their flawed way of doing it down our throats.

Filed Under: Microsoft, Security, Software Tagged With: Device Groups, Identity, MDE, Microsoft, Microsoft Defender

Security – Open Source vs. Closed: It’s a matter of eyes

April 14, 2014 By Michael Kavka

For years the debate has raged over which is more secure, open or closed source. Microsoft has taken, and still takes, a beating over this. The truth, though, is a different thing.

We have all heard of Heartbleed by now. The two-year-old security hole in OpenSSL has been all over the news. In the middle of all this, a hole in the much-loved Chrome browser that lets websites turn on your microphone and record what you are saying was announced, another bug that had been around for a while (August 2013). Meanwhile, the hated entity known as Microsoft has been pretty much unaffected by these issues. Maybe it is time to revisit our preconceived and ancient thinking about security in the open vs. closed source world.

The argument, from what I have heard and can tell, has been that open source is more secure because you have more eyes on it: the code is out there, so people can find the issues faster, and with the collaborative nature of open source they will be patched faster. The truth, as the past week has shown, is that this is not always the case; security holes can get past this set of checks and balances just as they can in any closed source system. The surprising thing is how long it took to find Heartbleed. One would think that, with all those eyes on the code, it would have been found much sooner. Of course this has led to theories that the bug is an NSA backdoor. True or not, the code was still out there for everyone to see.

Chrome is a slightly different issue. Here is a bug that was found over six months ago and still has not been patched. It was brought to Google's attention and they sat on it. Could this be another NSA (or insert your favorite government agency here) backdoor? A way to spy on you without a warrant? We will never know for sure, but it does expose one major hole in our thinking: open source is not the be-all and end-all of security.

What has been lost in all this is that Microsoft, with its closed source SSL/TLS implementation (Windows uses its own SChannel library rather than OpenSSL), has been free and clear of the Heartbleed problem. Microsoft at one time was awful at security. These days it has gotten a lot better: it is responsive to holes, and out-of-band patches and workarounds for zero-days come out quite quickly. In fact the biggest security holes on Microsoft systems are usually Java and/or Flash. Flash is still closed source, and Java was at one point more open. Java is also embedded very deep in the web. Try running NoScript at its tightest setting, which blocks scripts and plug-ins such as Java applets, and see how much of the web gets blocked and how many sites complain about Java not being turned on. Yet through all of this, Microsoft is the one that still takes the blame, especially in the public's eye. That is because we, the ones in the know, have done little to re-educate the public, or ourselves.

Do not get me wrong. I have nothing but love for the open source community. Collaborative efforts are awesome, and the community puts out some fantastic software and alternatives to closed source (and overpriced) programs. It just has to be understood that open source is not inherently more secure than closed source. In the end it is all about the eyes on the code and the people actually looking for the holes. Remember: security is a process, not a destination.

Filed Under: Rants, Security, Software Tagged With: Chrome, Google, Heartbleed, Microsoft, Open Source, Security

Microsoft Surface. Hit and Miss.

July 22, 2013 By Michael Kavka

Microsoft entered the tablet hardware business with the launch of the Surface line, starting with the Surface RT back in October 2012. The timing was pretty good for me because my office was getting ready for a technology refresh, and I got to test it. Now, months later, what I call the new-shiny syndrome has worn off.

When you look at what works and what doesn't in the world of technology, you come to realize a few things. First, so much is subjective. Second, people tend to dislike change. Third, change is inevitable. With this in mind, looking back at the past nine months with the Surface RT, I have found a lot to like about it. It has its pitfalls, but it really is a solid tablet.

The Windows 8 interface is perfect for the RT. I find live tiles to be a great idea that matches and surpasses the widgets I have on my Android tablet; iOS of course has nothing like widgets or live tiles to compare to. The problem with the live tiles is the way they update, or at times don't. I find news stories to be on the older side half the time, and I don't get decent updates often enough for my liking. I have found these problems to be true of widgets too. There is also no intuitive way of stopping the live feed on the tiles.

Metro-style apps are easy enough to get used to. Gestures for bringing up menus and doing things inside these apps are very consistent, which makes the learning curve a lot gentler than on iOS or Android. The issue with Metro style, though, is that same consistency: if you are used to the way an app works on the other OSes, odds are you will have trouble finding the same features easily. Also, the partial swipe down to bring up menus can be a bit trying at times, although it is not as difficult to master as the full swipe down to close apps. If you don't start from the right spot and go at the right speed, closing apps does not work, and I still find myself taking three or four swipes to close an app.

The biggest plus is the Office apps that come with the Surface RT, and with Outlook being added in the Windows 8.1 release, this only gets better.

The biggest issues for me, though, are with the touch screen itself; I find it inaccurate. For instance, if I am on Facebook and want to share something on a friend's timeline, I find myself going through the steps four or five times because I think I am tapping "share to friend's timeline" and it reads it as "share to group". I also find myself hitting links multiple times before the tap registers.

The soft keyboard I have is decent, but it has its issues too. I have found it losing responsiveness while typing, or registering the wrong key. There is no rhyme or reason to this, as the keyboard winds up either overly sensitive or not registering my presses at random. The tablet itself will type normally for a moment, then buffer oddly and take 30 seconds or more to show what was typed next, which makes corrections rather difficult and delays getting work done.

The weight and feel of the Surface are my final complaint. It shouldn't feel as heavy as it does, and the way it is shaped can leave hard marks in one's hand and cause pain if held for extended periods.

Don't get me wrong: I love the tablet itself, and it gets used far more than my iPad. My ASUS Android tablet is still my primary tablet overall, but the Surface makes a nice backup. People seem to be worried about the number of apps for the Windows RT environment, but honestly, I find that most things I use a tablet for have an app, and most of them are available across the board. A decent free IRC app is the only thing I have not been able to find so far. With the recent price cuts, I would recommend this to most people, although I am sure there are better Windows RT devices out there from other manufacturers.

Filed Under: Hardware, Microsoft, Mobile Computing, Reviews, Tablet/E-readers Tagged With: Microsoft, Surface, Surface RT, Windows 8
