Welcome to something different!


Andy Mayle, 2 Nov, 2016


This is where we seek to challenge conventional thoughts around security. 

armadillo defines itself by its mission statement:

“To build cyber resilience that enables businesses to grow and operate securely”

So what makes us different to other resellers and security vendors? 

We think out of the box to build cyber resilience that works in tune with your business, preventing downtime and loss of revenue, protecting reputation and enabling you to stay focused on achieving business outcomes.

I’ve just returned from vacation – those savvier of you could find out where I’ve been, as my digital footprint, whilst private, is visible by virtue of my less security-conscious friends!  But whilst on vacation I took some time to catch up on the latest series of Mr Robot.  Now I’m not going to debate the accuracy of the content in either series: the detail is fairly comprehensive and I for one wouldn’t put any of the scenarios out of scope from a technical perspective.  The challenge with Mr Robot is that it seeks to compromise an organization that has become too powerful and pervasive.  In our modern society we don’t really experience politically global monopolies of that scale and pervasiveness.

However, Microsoft, DWP and HMRC are all examples of corporate monopolies within the UK.  All could be substituted into the plot line with similarly catastrophic consequences for our society.  But Fear, Uncertainty and Doubt isn’t my agenda here – I will leave that to the many vendors.  To be clear, this isn’t an attack on the vendors themselves – they all do a great job of creating sales books and storyboards around their individual technologies.  The real problem is that each of these technologies solves only a particular problem and business case, and no single vendor is able to fix every scenario.

Therefore, whilst there is a valid business case for all security products, the industry is still failing in its duty to protect organisations from bad actors.  Part of the reason is that we are always playing catch-up with those bad actors and, however we try, we cannot, without some higher level of telepathy, anticipate what the next attack vector is likely to be…  We can, however, think outside of the box and work across the traditional IT silos when architecting solutions to problems, and this is where organisations commonly lack agility.

BADUSB – Threat or FUD?

Take endpoint device control as one technology that most large organisations have deployed in recent years.  It seeks to control what can and cannot be used on endpoints, as a method of limiting both data exfiltration onto unsupported USB devices and the execution of malicious code; the technology case is fairly sound.  However, with the creation of BadUSB we now have a scenario whereby a USB device can identify itself as an approved device class (e.g. a keyboard) and then deliver functionality that can be used more nefariously, such as acting as a storage device for delivering malicious code.  Doesn’t that make device control redundant?  The simple answer in most cases is no: BadUSB devices are thin on the ground, so Endpoint Device Control does a great job 99% of the time; but for a Mr Robot-esque scenario they are indeed a possibility.  It’s all about risk and reward, and therefore the appetite for risk that an organization has.

How then could we mitigate this scenario?  To do this we need to break down the events as they occur:

[Screenshot: breakdown of the events as they occur]

Now I’m sure many of you will have heard of Big Data and probably looked at solutions like Splunk – the issue I have with such systems from a security perspective is that they are built around operational analytics, not security.  If we monitored the above activity in a big operational data lake, we would be looking for the smallest, indiscernible ripple on the pond.  What we need is something I’ve been a fan of for a while – User and Entity Behaviour Analytics (UEBA).  UEBA baselines user and entity behaviour and then looks for anomalous activity.  This can flag early signs of “flight”, such as copying or renaming bulk data into a zip file before exfiltration to a memory stick, or more nefarious activities, such as a user running utilities like PowerShell or nmap.  The challenge with UEBA is that it requires a series of rules (logic gates) to be established to define bad behaviour, and this is where such solutions fall down in their efficiency.  Like any other dynamic security solution, it needs tuning and remediation, which can consume valuable resources; this is where armadillo fits in.

Privacy Concerns?  Fret Not!

Now I can hear the calls of foul play, big brother and nanny state – believe me, if everybody were a paragon of virtue we wouldn’t need such security solutions!  However, for those of you with HR departments that would balk at such technologies, we’ve cracked anonymization and can deliver it with the right role-based access control (RBAC) model, ensuring that only HR can reveal the identity of those bad actors once you’ve properly identified them.  And find them you will – nearly every proof of concept we’ve run has flushed out poor behaviour, some of which has resulted in HR and legal teams getting involved.  If you believe your users are beyond reproach, ask yourself: “have you ever left a job without some confidential information?”

Whilst flexibility and a great reporting engine are essential to any successful UEBA deployment, I think it’s important to also consider what’s available out of the box.  The more common examples of bad behaviour make up the majority, and if a solution can identify and remediate these out of the box then UEBA can add considerable value as a compensating control within a defence-in-depth strategy.  Armadillo have a pedigree for adopting innovative and disruptive technologies, which is why we’ve already done the hard work of assessing the market and selecting a suite of technologies that give you the best possible advantage over the bad actors working on your network.

Next time you see a security scenario that doesn’t have an obvious traditional solution, consider how monitoring user and entity behaviour could provide that outcome.