Are you failing Security Basics 101?

Patching, backups, firewall configuration … when it comes to security, make sure you take care of your infrastructure before you invest in next-level tools.

Security tools are getting more sophisticated. DevOps is bringing us automation in operations, and a more holistic way of looking at how we manage infrastructure. But all too often, we’re not doing basic things to improve security and reliability, like protecting against known vulnerabilities.

Hewlett Packard Enterprise’s 2016 Cyber Risk Report points out that “29 percent of all exploit samples discovered in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.” It takes an average of 103 days for companies to patch known network and security vulnerabilities, according to a study that vulnerability risk management vendor NopSec ran last year; that goes down to 97 days for healthcare providers and up to 176 days for financial services, banking and education organisations. And that is before taking into account misconfigurations, or lack of communication between different teams.

“If you’re blocking email from an IP address because it’s sending you phishing messages, you probably don’t want it to be logging in to your SQL database either, but your email and database admins probably aren’t sharing that information,” points out Paul Mockapetris, the chief scientist at THREATstop, which offers a cloud service for blocking known malicious IP addresses by regularly updating the block lists on your existing firewalls. It sends the details over DNS “for the same reason the bad guys use it for data exfiltration; it pretty much goes everywhere and every device in the world understands it.”

“We want to show that security can be understandable and simple,” says Mockapetris (best known as the co-inventor of DNS). “We can configure all your firewalls for you automatically.”

Chris Bridger, THREATstop’s senior director of security, points out the benefits of automation. “Ensuring security controls are in place that govern network access and apply appropriate protection filters to block threats in near real-time becomes a challenge for any organization’s security policy. As the threat landscape is constantly changing, an automated approach which removes the time costs, as well as the potential for human error, has become an essential component.”
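The point Mockapetris and Bridger make, that one shared block list should be enforced automatically on every firewall rather than kept in each team’s head, can be illustrated with a small script. The example below is added here and is not THREATstop’s code or protocol; it assumes a Windows host with the built-in NetSecurity module, an elevated PowerShell session, and uses a constructed block list embedded in the script (rule names and addresses are chosen for the example). It rejects malformed entries instead of letting one bad line break the whole update.

```powershell
# Added example (not THREATstop's code): keep one Windows Firewall block rule
# in sync with a shared list of known-bad addresses, so the same addresses the
# mail team blocks are also blocked in front of the database server.
# Assumptions: NetSecurity module (Windows 8 / Server 2012 and later), elevated
# session. The feed text is constructed for the example; a real one would be
# fetched from a file or service on a schedule.

$RuleName = 'Shared-KnownBad-Block'   # hypothetical rule name

# Constructed feed: one IPv4 address or CIDR block per line, '#' starts a comment.
$FeedText = @'
# shared block list: entries contributed by mail and database teams
203.0.113.45        # phishing sender reported by mail admins
198.51.100.0/24     # scanning range seen in SQL login failures
192.0.2.7
not-an-address      # malformed entry: must be rejected, not applied
'@

function Get-BlockListEntries {
    # Parse the feed, drop comments and blank lines, and reject anything that
    # is not a valid IPv4 address or CIDR block.
    param([Parameter(Mandatory)][string]$Text)
    $valid = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = ($raw -split '#')[0].Trim()
        if (-not $line) { continue }
        $addr, $prefix = $line -split '/', 2
        $ip = $null
        $ok = [System.Net.IPAddress]::TryParse($addr, [ref]$ip) -and
              $ip.AddressFamily -eq 'InterNetwork'
        if ($ok -and $null -ne $prefix) {
            $ok = ($null -ne ($prefix -as [int])) -and [int]$prefix -ge 0 -and [int]$prefix -le 32
        }
        if ($ok) { $valid += $line } else { Write-Warning "Rejected entry: '$raw'" }
    }
    return $valid
}

function Update-BlockRule {
    # Create the rule pair on first run; afterwards replace the address list so
    # the firewall always reflects the current feed and stale entries drop off.
    param([string]$Name, [string[]]$Addresses)
    if (-not $Addresses) { Write-Warning 'Empty list; leaving rules unchanged'; return }
    foreach ($dir in 'Inbound', 'Outbound') {
        $full = "$Name-$dir"
        $existing = Get-NetFirewallRule -DisplayName $full -ErrorAction SilentlyContinue
        if ($existing) {
            Set-NetFirewallRule -DisplayName $full -RemoteAddress $Addresses
        } else {
            New-NetFirewallRule -DisplayName $full -Direction $dir -Action Block `
                -RemoteAddress $Addresses -Profile Any -Enabled True | Out-Null
        }
    }
}

$entries = Get-BlockListEntries -Text $FeedText
Update-BlockRule -Name $RuleName -Addresses $entries
Write-Output "Applied $($entries.Count) entries to the '$RuleName-*' rules"
```

Run it from a scheduled task at whatever interval the feed changes; because the rule is replaced rather than appended to, the firewall never accumulates addresses that have been removed from the list, and the warning output is what you would ship to a log collector to see which entries were rejected.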


But Mockapetris makes a point that applies beyond THREATstop’s Shield service. It might not sound as sexy as threat intelligence systems with dramatic visualizations, he admits, “but you can fix a lot of your life by doing all that simple stuff.”

CaaS – get used to it

The idea of configuration as a service – and treating infrastructure declaratively – is part of the automation and standardization that enterprise IT departments are going to have to get comfortable with if they want private and hybrid cloud to work. If you run Azure Stack, Microsoft’s forthcoming hybrid cloud solution, you’ll be following a much more prescriptive way of working. “In the past, we left how to patch systems as an exercise for the customers. Now we’ll provide an update, and an orchestration system together with the patch,” explains Vijay Tewari from Microsoft’s Enterprise Cloud team. “We will orchestrate the patch across the system so it does not take down any workloads.”

The system will check itself as part of the update, he says, using the same Test in Production system it will use to avoid configuration drift. “How do you know the system has deployed correctly? Six months down the line, how do you know it’s still configured well? TIP is a series of scheduled tests for that. And when we use automation to patch the system, we run TIP to check the system is healthy, then we patch it and then we run TIP again so we see that we got what we expected.”

That won’t be disruptive and it shouldn’t involve scheduling downtime. Before Azure Stack, Tewari worked on Microsoft’s Cloud Platform System, a hyperconverged appliance built with Dell hardware running the Windows Azure Pack. “For CPS, we release three patches a year. We can patch a customer on premise without bringing down their workloads,” says Tewari.

For your existing servers, there are plenty of tools for avoiding configuration drift in a more automated way. One combination is UpGuard’s Guardrail to look for changes in configuration over time, or between different servers; PowerShell Desired State Configuration scripts to apply the right configuration; and Pester to run integration tests that confirm the configuration does what you want it to.
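The two ideas in the last few paragraphs, a declared configuration that is re-applied to remove drift and a test pass run before and after every change (Tewari’s check, patch, check-again cycle), fit together in one script. The example below is added here and is not Microsoft’s, UpGuard’s or Pester’s own code; it assumes Windows Server with the built-in PSDesiredStateConfiguration module and Pester 4 or later, run from an elevated session. The configuration name, the test file name and the three baseline settings are chosen for the example; the SMB1 registry value is the documented LanmanServer setting.

```powershell
# Added example (not Microsoft's, UpGuard's or Pester's code): declare a small
# security baseline with DSC, test the live machine against it with Pester, and
# wrap changes in a check-change-check cycle. Assumes Windows Server, DSC,
# Pester 4+, elevated session. Names are chosen for the example.

Configuration BaselineServer {
    param([string[]]$ComputerName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {
        # Host firewall service must be running and start automatically.
        Service HostFirewall {
            Name        = 'MpsSvc'
            State       = 'Running'
            StartupType = 'Automatic'
        }
        # SMB1 server support disabled via the documented LanmanServer value.
        Registry DisableSmb1Server {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
        # Client tooling that has no business on a server stays uninstalled.
        WindowsFeature NoTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
    }
}

# Pester tests check the live state, not the DSC document, so they also catch
# drift introduced outside DSC (manual edits, other tools).
$tests = @'
Describe 'Security baseline' {
    It 'host firewall service is running' {
        (Get-Service -Name MpsSvc).Status | Should -Be 'Running'
    }
    It 'SMB1 server support is disabled' {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        (Get-ItemProperty -Path $p -Name SMB1).SMB1 | Should -Be 0
    }
    It 'local configuration matches the DSC baseline' {
        (Test-DscConfiguration -Detailed).InDesiredState | Should -BeTrue
    }
}
'@
Set-Content -Path .\Baseline.Tests.ps1 -Value $tests

function Invoke-CheckedChange {
    # Check-change-check: run the tests, apply the change only if they pass,
    # then run them again so a broken change or pre-existing drift is caught.
    param([Parameter(Mandatory)][scriptblock]$Change)
    $before = Invoke-Pester -Path .\Baseline.Tests.ps1 -PassThru
    if ($before.FailedCount -gt 0) {
        throw "Pre-change checks failed ($($before.FailedCount)); not applying change"
    }
    & $Change
    $after = Invoke-Pester -Path .\Baseline.Tests.ps1 -PassThru
    if ($after.FailedCount -gt 0) {
        throw "Post-change checks failed ($($after.FailedCount)); investigate before continuing"
    }
    return $after
}

# Compile the MOF and apply the baseline once; from then on, every change
# (here a re-apply, which is also how drift gets corrected) goes through the cycle.
BaselineServer -OutputPath .\BaselineServer | Out-Null
Start-DscConfiguration -Path .\BaselineServer -Wait -Force -Verbose
Invoke-CheckedChange -Change { Start-DscConfiguration -Path .\BaselineServer -Wait -Force }
```

The scriptblock passed to Invoke-CheckedChange can just as well be a patch installation as a DSC re-apply; the value is that the same tests run on both sides of it, and a failing pre-check stops the change so you do not patch a machine that has already drifted from its baseline.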

Doing that kind of configuration management at scale, as a service, is what Microsoft’s Operations Management Suite is designed for. It’s a mix of automation (including backup and recovery) for Windows Server, Linux, VMware, Azure, AWS and OpenStack, with security and compliance tools and log analytics that let you see how well you’re doing at the basics, like applying patches and getting configuration right. “It’s helping IT have a deeper view that makes their world easier,” claims Microsoft’s Jeremy Winter.

Skills gap continues to be a problem

Some of that is analysis you could already do with a tool like Splunk, but many customers didn’t have the expertise for that, he found. “I asked customers ‘why aren’t you using big data? Why don’t you have big analytics systems?’ and they told us ‘I don’t know how to make heads or tails of all the data in there; I'm not a data scientist, I'm not the expert that can string this all together, I'm busy at my own job,’ and that's where the readymade solutions came from,” Winter explains.


“This correlation between what's changing, this correlation of configuration and understanding the desired configuration state of your environment, and then overlaying that with security, compliance and everything else; it’s not an individual bunch of siloed tools, it's a mashup of that information; that's where you get the power. You bring all your data into this environment and you start to have a nervous center for all this information, so you can correlate across it.”

But as more customers started using the service, Winter started noticing an interesting side effect that he calls ‘data exhaust’: patterns of information that emerge from the data customers are creating inside OMS. By uploading their logs in the Security and Audit Collection, customers don’t just get alerts about attacks that are happening. They also add their information about attacks to the details Microsoft gathers from its own system, making it easier to spot malicious IP addresses that are engaged in attacks.

There’s also a social, community aspect emerging, Winter says. “Another thing we saw – and it seems really simple: how long a patch takes to apply. How long is it taking other people?” That kind of comparison can be invaluable (rather than invidious), because it’s going to help you see how you’re doing on the basics. And if you don’t get those right, the most sophisticated threat intelligence systems can’t protect you.

Stories by Mary Branscombe

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts