Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Is your security architecture Fractal or Fractured?

April 19, 2018 By Doug

Image: created by Wolfgang Beyer with the program Ultra Fractal 3, own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=321973

Fractals are a really cool mathematical concept: a self-similar pattern that recurs at smaller and smaller scales.  The classic Mandelbrot image is a perfect example of this – the larger forms come first, then as you zoom in, more detail emerges, all in alignment with and part of a cohesive whole.  Does your security architecture follow a similar pattern, or is it just fractured?

We’ve all heard the statistics – an average organization has 100 security tools from 65 different vendors.  On its face, that sounds like an overly complex, unmaintainable architecture, and to be sure, in most cases it is.  Disparate teams across security and IT constantly seek their own unicorn solution for a narrow problem, without any perspective on how it all will (or won’t) work together.  That’s the classic fractured architecture.  Organizations are working to fix it, but it’s a large effort: entrenched tools, calcified processes, and personal or team agendas all contribute to the fractured state of most organizations.

And that’s where the fractal concept comes in.  Security is fundamentally an information management problem, so the biggest piece of the picture is the information and analytics platform (which is far broader than just a SIEM).  The other big rocks are the major information sources – identity, endpoint, network, application, and data – along with the incident response and threat hunting platforms.  Fractals direct us to work on the largest piece first, then iterate down to the next largest, and so forth.

Getting the information and analytics platform right is the starting point, and it needs to be owned by the security team.  Once that fundamental core is in place, we iterate down to the next level, for example endpoint.  Following the fractal concept, we again look for the largest components: perhaps asset management, configuration management, patch management, and anti-malware.  This level is where the fracturing tends to start, as each of those four has its own constituency, many of whom don’t live in the security organization.  They may own their own budget, have their own preferences or niche needs, and may or may not play well with others.  But following fractals, we focus on the biggest parts at this level: is there a platform that covers several of those?  Yep, but it’s an 80% solution, so there are gaps.

So we iterate down to the next level before confirming that solution choice.  After doing a risk assessment on those gaps, we may decide to close them with another tool, or we may decide to go with the 80% and accept the risk.  But always in the context of the overall architectural picture.   If we just whack the finding with another tool, we’ll fracture the picture.  I saw one team that had – seriously – 11 agents running on their endpoints, placed there by separate teams with overlapping capabilities.  Fractured for sure.  They’d never looked at ‘endpoint’ as a whole.  When we finished building that piece of the as-is architecture, the common emotion was surprise.  Needless to say, there was quick consensus that this was a viable target for consolidation.
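The decomposition described above (pick the level's big rocks, find the platform that covers most of them, then measure what it leaves uncovered and which agents it would let you retire) can be written down as a small analysis over a tool inventory. The following is an added example, not code from the post: the agent and team names are constructed, the candidate platform is hypothetical, and the four capabilities are the ones the post lists for the endpoint level.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    """One agent or tool in the as-is inventory."""
    name: str
    owner: str                  # team that put it there
    capabilities: frozenset     # what it actually delivers


# The four big rocks the post names at the endpoint level.
ENDPOINT_CAPABILITIES = frozenset({"asset", "config", "patch", "antimalware"})

# Constructed sample inventory: hypothetical agents and owning teams, not real data.
SAMPLE_INVENTORY = [
    Tool("agent-a", "desktop-ops", frozenset({"asset", "config"})),
    Tool("agent-b", "desktop-ops", frozenset({"patch"})),
    Tool("agent-c", "security", frozenset({"antimalware"})),
    Tool("agent-d", "security", frozenset({"asset"})),
    Tool("agent-e", "compliance", frozenset({"config", "asset"})),
    Tool("agent-f", "server-ops", frozenset({"patch", "config"})),
]

# Hypothetical consolidating platform: the "80% solution" that covers three of the four.
CANDIDATE_PLATFORM = Tool("platform-x", "security",
                          frozenset({"asset", "config", "patch"}))


def capability_map(inventory):
    """capability -> sorted names of the tools that provide it."""
    providers = defaultdict(list)
    for tool in inventory:
        for cap in tool.capabilities:
            providers[cap].append(tool.name)
    return {cap: sorted(names) for cap, names in providers.items()}


def overlaps(inventory):
    """Capabilities delivered by more than one tool: the fractured spots."""
    return {cap: names for cap, names in capability_map(inventory).items()
            if len(names) > 1}


def uncovered(inventory, required=ENDPOINT_CAPABILITIES):
    """Required capabilities that nothing in the inventory delivers at all."""
    return sorted(required - set(capability_map(inventory)))


def evaluate_platform(platform, required=ENDPOINT_CAPABILITIES):
    """Coverage fraction and the residual gaps to put through a risk assessment."""
    covered = platform.capabilities & required
    gaps = sorted(required - platform.capabilities)
    return len(covered) / len(required), gaps


def consolidation_plan(inventory, platform, required=ENDPOINT_CAPABILITIES):
    """Agents the platform fully subsumes (retire) versus those that still
    carry something it lacks (keep), plus the before/after agent count."""
    coverage, gaps = evaluate_platform(platform, required)
    retire = sorted(t.name for t in inventory
                    if t.capabilities <= platform.capabilities)
    keep = sorted(t.name for t in inventory
                  if not t.capabilities <= platform.capabilities)
    return {
        "coverage": coverage,
        "gaps": gaps,
        "retire": retire,
        "keep": keep,
        "agents_before": len(inventory),
        "agents_after": 1 + len(keep),   # the platform plus whatever it can't replace
    }


if __name__ == "__main__":
    print("overlapping capabilities:", overlaps(SAMPLE_INVENTORY))
    print("consolidation plan:", consolidation_plan(SAMPLE_INVENTORY, CANDIDATE_PLATFORM))
```

On the constructed inventory the candidate platform scores 75% coverage with anti-malware as the gap, retires five of six agents, and leaves two agents per endpoint instead of six; the gap list is the input to the risk assessment the next paragraph describes, and `overlaps()` is the "never looked at endpoint as a whole" report.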

Fractal architectures allow an organization to transform in sections rather than attempting a big bang – got an audit finding on endpoint?  Work on that bubble.  Just make sure the team doing so understands how it fits into the overall picture.  This isn’t rocket science, it’s just architecture.  And internal politics, but that’s another article.

So how many tools will you end up with?  As any architect would say, my answer is “It depends.”  One organization may have a robust architecture with a handful of tools, and another may have the proverbial 100.  It all depends on the organization’s risk tolerance and regulatory environment.  The key is that every solution is there by intentional design, integrated as part of the big picture.  Otherwise it’s just a bunch of fragments – no matter how pretty each one might be.

Filed Under: Security Tagged With: architecture, fractal, security

Last Four is Foolish

April 5, 2018 By Doug

I keep running across companies that still, in 2018, are using the last four digits of the SSN or mother’s maiden name as an authenticator.  We have 170+ million reasons why that’s a bad idea, and yet it persists.  That’s beyond inertia, past laziness, and nearly into negligence territory.  It’s time to end the practice of using easily discoverable information as an authenticator – especially those two, and especially to set up or validate new accounts.  It’ll take everyone working together to kill off this terrible practice.

If you are a customer of a company that does this, ask to set a password on the account instead (then call later and check that they actually enforce it!).  If they don’t allow you to do that, or fail to enforce it, get on social media and shame them.  One company I use will let you do it, but they’ve created a massive barrier – they let you create an insecure authenticator over the phone or online, but require a time-consuming in-person visit to set up a secure one!

If you’re a developer asked to write code that implements SSN-based authentication, push back.  If you’re the business analyst who wrote that requirement, change it.  If you’re the executive who approved the requirements, unapprove them.  If you’re the QA engineer who tested a system that uses it, fail it.   If you’re a security professional, launch a project to remove it from legacy systems.

If you’re an auditor reviewing a system that uses the SSN like this, fail it.  If you’re a regulator defining acceptable practices, ban it.  If you’re a congresscritter, outlaw it.  Everyone, everywhere, needs to push back on this outdated, dangerous, and lazy approach to security.

For new account setup, knowledge-based authentication (KBA) has issues (particularly after the recent breaches), but it’s still better than a raw SSN.  For existing accounts, two-factor via SMS isn’t perfect, but it’s better than single-factor; or use an out-of-band channel (e.g. US Mail) to send a random PIN of six or more digits.  Or use one of the many other alternatives that don’t rely on the single most targeted and compromised piece of personal information in existence.
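The last-four check and the out-of-band random PIN recommended above, side by side, as an added example that is not code from the post. The server key, the account identifiers, the attempt limit and the in-memory pending-PIN table are assumptions for illustration; a real deployment would hold the key in a secrets manager and the table in a database, and the PIN would go out by mail or another channel the caller does not control.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def weak_last4_check(stored_ssn: str, supplied_last4: str) -> bool:
    """The pattern the post argues against.

    The 'secret' is static, has only 10,000 possible values, cannot be rotated
    or revoked, and is already in circulation from prior breaches.
    """
    return stored_ssn.replace("-", "")[-4:] == supplied_last4


# --- replacement: a random, single-use, expiring PIN delivered out of band ----

# Hypothetical server-side key; in practice this lives in a KMS / secrets manager.
SERVER_KEY = b"hypothetical-server-key-rotate-me"
PIN_DIGITS = 6          # the post's "6+ digit random PIN"
MAX_ATTEMPTS = 5        # online guessing budget before the PIN is invalidated


@dataclass
class PendingPin:
    digest: bytes         # HMAC of the PIN; the PIN itself is never stored
    expires_at: float     # unix time after which the PIN is dead
    attempts: int = 0
    consumed: bool = False


def _pin_digest(account_id: str, pin: str) -> bytes:
    # Bind the digest to the account so a leaked table entry can't be replayed elsewhere.
    msg = f"{account_id}:{pin}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_pin(store: dict, account_id: str, ttl_seconds: float, now: float = None) -> str:
    """Create a fresh random PIN for the account and return it for out-of-band delivery.

    Re-issuing replaces any earlier pending PIN, so only one is ever live per account.
    """
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    store[account_id] = PendingPin(_pin_digest(account_id, pin), now + ttl_seconds)
    return pin


def verify_pin(store: dict, account_id: str, supplied: str, now: float = None) -> bool:
    """Constant-time check with expiry, an attempt limit and single use.

    Every failure path returns plain False so the caller can't tell 'wrong' from
    'expired' or 'locked'; that detail belongs in the server log, not the response.
    """
    now = time.time() if now is None else now
    rec = store.get(account_id)
    if rec is None or rec.consumed:
        return False
    if now > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
        del store[account_id]          # dead either way; force a re-issue
        return False
    rec.attempts += 1
    if hmac.compare_digest(_pin_digest(account_id, supplied), rec.digest):
        rec.consumed = True            # single use
        return True
    return False


if __name__ == "__main__":
    pending = {}
    # A mailed PIN needs a TTL of days, not minutes; an SMS PIN would get minutes.
    pin = issue_pin(pending, "acct-1", ttl_seconds=7 * 24 * 3600)
    print("mail this to the customer:", pin)
    print("verified:", verify_pin(pending, "acct-1", pin))
    print("replay:", verify_pin(pending, "acct-1", pin))
```

The contrast worth noticing is not the hashing: a six-digit PIN has a million values and any offline attack on the table is cheap regardless. What makes the PIN an authenticator and the last-four not is that it is random rather than public, bound to one account, dies after a fixed time and a fixed number of guesses, and is good for exactly one use. Those properties are the ones to verify when a vendor claims to have "fixed" an SSN-based flow.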

Security is the poster child for continuous improvement – let’s make it better tomorrow than it is today. Retiring the ‘last four digits of your SSN’ is a darned good first step.

Filed Under: Security Tagged With: authentication, authenticator, fool, KBA, maiden name, security, ssn

I’m shocked – shocked that Facebook sells data (not)

March 27, 2018 By Doug

There’s been a lot of commentary over the past week or so about Facebook selling data to third-party companies.  The distaste is understandable, but no one should be surprised.  Just who do folks think Facebook’s customers are?

There’s a common refrain in the privacy community:  if you’re not paying for it, you’re the product, not the customer.  Or, put another way: follow the money.  This article is posted to my blog, free for all, with no tracking.  It’s tweeted about and also posted to LinkedIn, and both of those platforms definitely track you (I don’t, but they do).  If you’re reading it on the latter, you’ve probably now been ‘tagged’ as ‘Facebook, social media, privacy, LinkedIn’ and a bunch more.  That information is sold to advertisers and data brokers – and that’s how those companies make their money.  Both social media companies and credit agencies take care of your personal information in proportion to its value to them, not to you.

Social media is a powerful force, which is why I participate on certain platforms (selectively).  It’s why I urge people to be very cautious about how and what they share – those platforms never really forget anything.  Of course political campaigns want access to that information, and if they’re going to sell it to one side, they ethically need to sell it to both.  Rhetorical question: would there have been as much outrage in the media if the data broker had been working with the Hillary campaign instead?

All that aside, no one should be surprised that this happened.  That’s how Facebook, Google, Twitter, LinkedIn, and all the rest make their money.  It’s also why I use Apple products when practical – while Apple collects some data, its business model doesn’t involve exploiting its customers’ data.  I’m glad that the market gives me a choice – at least on the platform side.  Right now, though, there’s no such option on the social media side.  I’d like to see those platforms create a ‘paid private’ option that allows access but completely opts the user out of all tracking (even allegedly anonymized tracking), but again, that’s their choice as a business.

I believe that information about a person belongs to that person, and that companies should only be custodians – not owners – of that information.  If that were placed into law, it would require affirmative opt-in consent each and every time the information was transferred or sold.  Of course, that won’t really happen, because it’d break the business model of most of the Internet.  So what can we do?  Something along the lines of GDPR, coupled with a ‘plain English’ statement of how and where information is used and sold, would go a long way, but even that will be hard.  Maybe eventually our congresscritters will pay attention to the individual instead of the lobbyist.  Until then, all we can really do is control what information we share, choose the platforms we participate in, and read the terms and conditions.

And don’t be surprised.

Filed Under: Security Tagged With: data broker, facebook, privacy, security

