Security tools are getting more sophisticated. DevOps is bringing us automation in operations, and a more holistic way of looking at how we manage infrastructure. But all too often, we’re not doing basic things to improve security and reliability, like protecting against known vulnerabilities.
Hewlett Packard Enterprise’s 2016 Cyber Risk Report points out that “29 percent of all exploits samples discovered in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.” It takes an average of 103 days for companies to patch known network and security vulnerabilities, according to a study vulnerability risk management vendor NopSec ran last year; that goes down to 97 days for healthcare providers and up to 176 days for financial services, banking and education organisations. That’s not taking into account misconfigurations, or lack of communication between different teams.
“If you’re blocking email from an IP address because it’s sending you phishing messages, you probably don’t want it to be logging in to your SQL database either, but your email and database admins probably aren’t sharing that information,” points out Paul Mockapetris, the chief scientist at THREATstop, which offers a cloud service for blocking known malicious IP addresses by regularly updating the block lists on your existing firewalls. It sends the details over DNS “for the same reason the bad guys use it for data exfiltration; it pretty much goes everywhere and every device in the world understands it.”
“We want to show that security can be understandable and simple,” says Mockapetris (best known as the co-inventor of DNS). “We can configure all your firewalls for you automatically.”
Chris Bridger’s, THREATstop’s senior director of security points out the benefits of automation. “Ensuring security controls are in place that govern network access and apply appropriate protection filters to block threats in near real-time becomes a challenge for any organization’s security policy. As the threat landscape is constantly changing, an automated approach which removes the time costs, as well as the potential for human error, has become an essential component.”
But Mockapetris makes a point that applies beyond THREATstop’s Shield service. It might not sound as sexy as threat intelligence systems with dramatic visualizations, he admits, “but you can fix a lot of your life by doing all that simple stuff.”
CaaS – get used to it
The idea of configuration as a service – and treating infrastructure declaratively – is part of the automation and standardization that enterprise IT departments are going to have to get comfortable if they want private and hybrid cloud to work. If you run Azure Stack, Microsoft’s forthcoming hybrid cloud solution, you’ll be following a much more prescriptive way of working. “In the past, we left how to patch systems as an exercise for the customers. Now we’ll provide an update, and an orchestration system together with the patch,” explains Vijay Tewari from Microsoft’s Enterprise Cloud team. “We will orchestrate the patch across the system so it does not take down any workloads.”
The system will check itself as part of the update, he says, using the same Test in Production system it will use to avoid configuration drift. “How do you know the system has deployed correctly? Six months down the line, how do you know it’s still configured well? TIP is a series of scheduled tests for that. And when we use automation to patch the system, we run TIP to check the system is healthy, then we patch it and then we run TIP again so wee that we got what we expected.”
That won’t be disruptive and it shouldn’t involve scheduling downtime. Before Azure Stack, Tewari worked on Microsoft’s Cloud Platform System, a hyperconverged appliance built with Dell hardware running the Windows Azure Pack. “For CPS, we release three patches a year. We can patch a customer on premise without bringing down their workloads,” says Tewari.
For your existing servers, there are plenty of tools for avoiding configuration drift in a more automated way, like a combination of Upguard’s Guardrail to look for changes in configuration over time, or between different servers, PowerShell Desired State Configuration scripts to apply the right configuration and Pester to run integration tests to make sure that configuration does what you want it to.
Doing that kind of configuration management at scale, as a service, is what Microsoft’s Operations Management Suite is designed for. It’s a mix of automation (including backup and recovery) for Windows Server, Linux, VMware, Azure, AWS and OpenStack, with security and compliance tools and log analytics that let you see how well you’re doing at the basics, like applying patches and getting configuration right. “It’s helping IT have a deeper view that makes their world easier,” claims Microsoft’s Jeremy Winter.
Skills gap continues to be a problem
Some of that is analysis you could already do with a tool like Splunk, but many customers didn’t have the expertise for that, he found. “I asked customers ‘why aren’t you using big data? Why don’t you have big analytics systems?’ and they told us ‘I don’t know how to make head or tails of the all data in there; I'm not a data scientist, I'm not the expert that can string this all together, I'm busy at my own job,’ and that's where the readymade solutions came from,” Winter explains.
“This correlation between what's changing, this correlation of configuration and understanding the desired configuration state of your environment, and then overlaying that with security, compliance and everything else; it’s not an individual bunch of siloed tools; it's a mashup of that information that's where you get the power. You bring all your data into this environment and you start to have a nervous center for all this information, so you can correlate across it.”
But as more customers started using the service, Winter started noticing an interesting side effect that he calls ‘data exhaust’; patterns of information that emerge from the data customers are creating inside OMS. By uploading their logs in the Security and Audit Collection, customers don’t just get alerts about attacks that are happening. They also add their information about attacks to the details Microsoft gathers from its own system, making it easier to spot malicious IP addresses that are engaged in attacks.
There’s also a social, community aspect emerging, Winter says. “Another thing we saw – and it seems really simple; how long a patch takes to apply. How long is it taking other people?” That kind of comparison can be invaluable (rather than invidious), because it’s going to help you see how you’re doing on the basics. And if you don’t get those right, the most sophisticated threat intelligence systems can’t protect you.