Tuesday, July 17, 2018

Hard Candy Shell – Soft, Gooey Center




Mmmm… crunchy outside, gooey inside - sounds good, right? Well, if you’re talking about a piece of candy, sure it does, but if you’re talking about your IT info-sec posture, it’s not hard to argue it’s just going to make you sick.
If you look at the headlines over the past few years, there is nothing more eye-catching than the millions of customer records that have been compromised due to a known vulnerability. Apache Struts got a lot of press recently and perfectly illustrate this type of activity.


Anatomy of a Compromise

What’s fascinating to know about this is the way the data loss happened. Typically, the valuable data rarely lives on the systems that get compromised due to this type of vulnerability, but rather on disparate systems that may or may not be associated with the system that is vulnerable. The way this works, especially in the example of the well-publicized Apache Struts compromise, is somewhat like this: there is a bug in some code (Struts) that allows a remote attacker to send a specifically designed message to the server and that allows direct access with escalated privileges. The great thing about this from the attacker’s point of view is that it looks like just regular connections from a port/protocol perspective, so many tools won’t see the difference. Of course, the connection characteristics are different, but this type of differential is challenging to get visibility into.
Once the attacker who now has admin rights to the compromised box can start probing the internal network to see if there are high-value systems that they could get information from. It’s not difficult once someone has admin control to load some scanning programs and start digging for well known ports like possibly mySQL or SQL Server or something like that. If there are no digital walls inside an infrastructure, its not hard to see how quickly one edge compromise can lead to an amplified risk to all other elements in the rest of the infrastructure. This is like breaking open the candy to get to the good, gooey center…
Think about it… when you go to a hotel, you would prefer a hotel that has keys for every door, or just one key to get into the elevator? If the one-key-per-door approach didn’t exist, all you would have to do is get in and you could do anything you wan where ever you want. That is what you’d call a “bad thing”.

Make All the Things “More Crunchy™”

So… we can see how one small crack in the outer shell can allow someone to get to all the gooey goodness, so how can we get around this?
Enter Cisco Tetration (and in my head, we cue the “EnterSandman” music).
Edge or perimeter defense is where most people spend almost all of their time securing workloads. That’s good… but as you can see from the gooey center, it’s not enough. The trade off is that if you provide perimeter-like defense for every server and service inside an infrastructure, you will be doing a massive amount of “unnatural things”, such as policy-based routing to ping-pong traffic to firewalls and things like that… but that can increase complexity in a significant fashion and therefore increasing fragility, which is never good. It is possible to do this, but it’s not an easy thing to do, and being able to do it with confidence takes a significant amount of visibility and knowledge, and would also require a significant amount of automation to execute the rules. If all of that can be done, you will also still have to deal with hardware limitations in asics/tcam tables for rules storage and execution. Basically, this is putting a really large amount of strain on a set of boxes that are not really designed for this level of granularity, so that would mean a company’s investment in the size and number of boxes to satisfy this need would be extremely unwieldy.

Why Tetration

What Tetration is built to do is to decrease risk and increase efficiency of building a defense in depth strategy through these high-level intents:

  • Visibility
    • By utilizing sensors on servers, virtual machines and in the network, Tetration can increase visibility down to being able to gather meta data for every packet for every flow inside a DC, in any cloud deployment, as well as data on system integrity and software vulnerabilities

  • Understanding
    • Tetration uses the data from all of the sensors and applies machine learning algorithms to build application dependency mappings, which provides a policy list that can be applied to create the walls between the application tiers and even between the workloads within the tiers
    • This data can be used internally through native protection (see next bullet) and can be exported manually or programmatically for use in other protection mechanisms (i.e. fw, acl, aci contracts/filters, etc.)

  • Protection
    • Systems instrumented with the Tetration software sensors can do native policy enforcement based on the application dependencies that have been discovered
    • Tetration does software inventory checks against a robust CVE database which allows identification protection mechanisms against vulnerable software. In the example above, we could write a rule that says “anything with the apache struts vulnerability cannot talk to production or internet, but can talk to our patching servers”
    • Tetration watches process behavior in the kernel and will report and record process anomaly events, such as privilege escalation and shellcode execution (two of which were used to crack into the candy shell above), as well as other kernel events, such as socket creation, side channel attack, file access, binary changes, and others.


Same Candy, More Crunch

With the tools that Tetration is able to bring to bear, we have the ability to deliver unprecedented understanding of what is going on in the infrastructure as well as new tools to protect the security zones inside the perimeter, providing protection against unwanted lateral movement as well as mechanisms to see vulnerabilities and kernel process abnormalities in ways not seen before.

In other words, with Tetration, it’s the same candy with WAY more crunch.


Give me MORE!

If you'd like to learn a little more about all the good stuff Tetration can help you with, please go check out our lightboard series on Tetration!


Thanks!

No comments:

Post a Comment