Monday 24 April 2017

Put a Canary in Your Coalmine

NRJ Security is not a product company, nor do we push security products onto our clients. Our philosophy is that the services we offer and the products we recommend should make security operations cheaper for our clients to run and attacks on them more expensive to mount.

Through our engagements with clients of our Virtual CISO service we know that detecting attackers as early as possible is often the difference between a bad day and a really bad day.

Thinkst Canary delivers on the promise of easy setup and high-fidelity alerting. With some 20 profiles to choose from (several Windows and Linux flavours, and even ICS profiles) you can deploy a bird in under five minutes. Set and forget.

The birds sit on your internal network, where nothing legitimate has any reason to touch them, so the moment one is touched you are alerted through a variety of channels. You can watch alerts on the Canary dashboard, but you can also choose e-mail, SMS, and webhooks for integration with tools like Slack.

Lastly, you can integrate Canary alerting into your SOC automation through a crisp and well-documented API.
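To show what wiring a webhook into SOC automation looks like in practice, here is an added example of a small receiver that authenticates an incoming alert, ranks it, suppresses repeats, and turns it into a Slack incoming-webhook message. This is illustration code written for this post, not Thinkst's code: the JSON field names (`bird`, `source_ip`, `kind`, `username`), the `X-Signature` header and the HMAC check are assumptions for the example, not the console's documented format, so check the real webhook schema before deploying anything like it.

```python
"""Webhook receiver for Canary-style alerts, forwarding to Slack.

Added example, not Thinkst's code. The alert field names, the signature
header and the HMAC scheme are ASSUMED for illustration only.
"""
import hashlib
import hmac
import json
import os
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# ASSUMED shared secret for authenticating the sender; the real console's
# webhook authentication may differ.
WEBHOOK_SECRET = b"replace-me-with-a-long-random-value"

# Repeated touches of the same bird from the same source within this window
# collapse into one message, so a port scan does not flood the channel.
DEDUP_WINDOW_SECONDS = 300
_recent: dict = {}  # (bird, source_ip, kind) -> epoch seconds of last message


def sign(body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (what a sender would attach)."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str) -> bool:
    """Constant-time comparison so timing does not leak the expected MAC."""
    return hmac.compare_digest(sign(body), (signature_hex or "").lower())


def classify(alert: dict) -> str:
    """Rank the touch. Any contact with a decoy is real signal, but a presented
    credential tells you which account the attacker already holds."""
    if alert.get("username"):
        return "critical"
    if alert.get("kind") in ("port_scan", "ping"):
        return "medium"
    return "high"


def is_duplicate(alert: dict, now: float) -> bool:
    """True when the same (bird, source, kind) already fired inside the window."""
    key = (alert.get("bird"), alert.get("source_ip"), alert.get("kind"))
    last = _recent.get(key)
    if last is not None and now - last < DEDUP_WINDOW_SECONDS:
        return True
    _recent[key] = now
    return False


def to_slack(alert: dict, severity: str) -> dict:
    """Slack incoming webhooks accept a JSON object with a 'text' field."""
    lines = [
        f"[{severity.upper()}] Canary '{alert.get('bird', '?')}' touched",
        f"source: {alert.get('source_ip', '?')}  kind: {alert.get('kind', '?')}",
    ]
    if alert.get("username"):
        lines.append(f"credential presented for user: {alert['username']}")
    return {"text": "\n".join(lines)}


def handle_alert(body: bytes, signature_hex: str, now: Optional[float] = None):
    """Verify, parse, dedupe and convert one delivery.

    Returns the Slack payload to send, or None when the delivery must be
    dropped (bad signature, malformed JSON, or a repeat inside the window).
    """
    if not verify_signature(body, signature_hex):
        return None
    try:
        alert = json.loads(body)
    except ValueError:
        return None
    if not isinstance(alert, dict):
        return None
    now = time.time() if now is None else now
    if is_duplicate(alert, now):
        return None
    return to_slack(alert, classify(alert))


class AlertHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        # "X-Signature" is an ASSUMED header name for this example.
        payload = handle_alert(body, self.headers.get("X-Signature", ""))
        if payload is not None:
            url = os.environ.get("SLACK_WEBHOOK_URL")  # set this to really post
            if url:
                req = urllib.request.Request(
                    url, data=json.dumps(payload).encode(),
                    headers={"Content-Type": "application/json"})
                urllib.request.urlopen(req, timeout=5).close()
            else:
                print(json.dumps(payload))
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Run it, export `SLACK_WEBHOOK_URL`, and point the console's webhook at `http://127.0.0.1:8080/`; without the variable it prints the message it would have sent. The one design choice worth copying is the `critical` rank for any alert that carries a username: a decoy never sees a legitimate login, so a real account name in that field means that credential is already compromised and should be reset before anything else.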

TL;DR: if your challenge is to detect adversaries on your internal network with a minimum of false positives and a maximum of flexibility, Canaries are your best answer.

NRJ Security can help you today to get the birds flying on your network! Get in touch.

Friday 24 February 2017

While your cloud gently weeps ...


As usual when a bug is disclosed that is, for lack of a better word, esoteric but high-impact, the information security echo chamber starts buzzing and polarises: you are for or against Tavis Ormandy, you are fine with Cloudflare's approach or you are not, and so on.

None of that really matters. Here are a few observations. If you are in a hurry, skip to point 5; it is the one that matters for you:

  1. Just like Heartbleed, this vulnerability was not the result of a targeted research effort. Tavis was working on internal tooling and got data back that looked malformed; while he was looking into what was wrong, this vulnerability is what he found. At least one of the parties that discovered Heartbleed was developing tooling to fuzz OpenSSL extensions and initially assumed their own tooling explained the results they were seeing. Only through diligent QA did they establish that Heartbleed was the cause. Sometimes bugs reveal themselves in interesting ways. They have to be dealt with all the same.
  2. There is no right way for a service provider to deal with a bug like this. Cloudflare did the best they could, as did Google Project Zero. For security professionals these are teaching moments. We should be grateful for the transparency on all sides and take away what we can. One day it will be us out there, and we had better deal with it at least as well as these fine folks did.
  3. Cloudflare's response time in fixing the code responsible for this is impressive. Take it as a metric for your own software security program. You are unlikely to match it, but it is a very relevant metric nonetheless.
  4. The dedication Tavis showed in purging as much of the cached data as possible is commendable. It goes well beyond what is generally expected of a researcher. The amount of money he saved Cloudflare, and the many organizations using their service, by writing custom code to scrub that data cannot be estimated. The fools are blind to this part of the effort.
  5. Your rage is misplaced. What I learned from this is that NONE of the Cloudflare customers impacted had considered a third-party service critical to their business important enough to QA from a security perspective. Thousands upon thousands of organizations that take your money every month have squarely placed a critical component of why you pay them outside their threat model. That is disconcerting. I think I have been repeating the same mantra to companies for at least a decade: "You outsource process and function, but never responsibility." If you include third-party services in your product, no matter what they are, you need to go beyond having the supplier fill in a 400-question SIG questionnaire. You have to actually, freaking, test that component as if it were a pacemaker your mother is about to have implanted. THIRD-PARTY COMPONENTS REMAIN YOUR RESPONSIBILITY!
For all that is holy, take a chill pill, appreciate the work Tavis, Google Project Zero, and the fine folks at Cloudflare are doing, and maybe try to adopt their work ethic into your own due diligence effort. Your procurement team is going to negotiate that 10% discount, but they won't be the ones dealing with the aftermath of a security incident. That'll be you.