Double Down Triple Down – Maintain the Paradigm at all Costs

We have fought this battle for years, posting multiple times on CSO Online about the problems with software, access, and configurations. Here we are again, years later, fighting the same battles with the same types of tools. The reasons we left the information security leadership function include, non-exhaustively:

  • CISOs reporting to CIOs
  • CISO budgets a single-digit percentage of the CIO's
  • The view that information security is IT security and technology-based
  • No basic change in the types of tools
  • Inability of stakeholders to understand that security is a constant and that the need for it grows
  • Lack of understanding from DevOps and those who lead it
  • Vendors selling "highly innovative tools and next-generation game changers" that are the same thing with minor iterations
  • The view that infosec owns all of IT's ills

We have been doing this since the days of PDP-11s and 4381s. We are losing the institutional knowledge that came with those battles and technology changes. We are losing it to well-schooled cyber professionals without the historical knowledge, to yearly buzzwords followed like the Pied Piper, and to self-serving end-of-year predictions.

If they use their own tools and cannot protect themselves, why do you think they can protect you? Continuing to double and triple down on a see, detect, and arrest architecture does not work. It did not work in the 90s. It most certainly does not work now.

When companies release information about a breach, you can bet the release is well calculated with knowledge of other things to come. This is the case with the current breach. Knowing that the breach has broad implications across multiple organizations, the core group that is supposed to protect you must present its own information first, ahead of the disclosures that follow. This is not due to some idealistic need or ethical culture. This is pure business and survival.

  • Why do we have operating systems that require root or admin to monitor?
  • Why do we not monitor admin accounts ad nauseam?
  • Why do we not scrutinize every update, all the time?
  • Why do we allow third parties trusted access?
  • Why do we leave admin accounts in an always-on state?

Yes, we do need after-the-fact signatures to defend against what is known. But we need to change the paradigm of how operating systems operate. Years ago we proposed a change in how operating systems are written and deployed: deployment would be closed, opening only what is needed, with each exposure defined and recorded every time you change the configuration settings, followed by increased monitoring and controls over each exposure. Today (as we always have) we deploy open and expect security staff to understand every nuance of an operating system built without security in mind, with care only for features and functionality.
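What "deploy closed, declare each exposure, then watch it" looks like as a check you can actually run: the script below is an added example written for this post, not code from the original article or from any operating-system or vendor product. The baseline model, the snapshot format, the host name and every port, service and account in it are assumptions constructed for illustration. It treats anything observed on a host that was never deliberately declared as an undeclared exposure, and treats a declared admin session that outlives its window as always-on.

```python
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]  # (kind, name), e.g. ("port", "tcp/443")


class Baseline:
    """Declared exposures for one host (hypothetical model, constructed
    for this example). The default is closed: anything not recorded here
    is, by policy, not supposed to exist on the host."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.declared: Dict[Key, dict] = {}

    def open(self, kind: str, name: str, reason: str,
             max_hours: Optional[float] = None) -> None:
        """Record a deliberate opening. A reason is mandatory so every
        exposure has a justification; max_hours bounds how long an admin
        session may stay open before it counts as always-on."""
        if not reason.strip():
            raise ValueError(f"{kind} {name}: an opening needs a documented reason")
        self.declared[(kind, name)] = {"reason": reason, "max_hours": max_hours}


def observed_exposures(snapshot: dict) -> Dict[Key, Optional[float]]:
    """Flatten an inventory snapshot (shape assumed; an agent or scheduled
    script would produce it) into {(kind, name): age_in_hours}. Ports and
    services carry no age; admin sessions carry how long they have been open."""
    found: Dict[Key, Optional[float]] = {}
    for port in snapshot.get("listening", []):
        found[("port", port)] = None
    for svc in snapshot.get("services_running", []):
        found[("service", svc)] = None
    for sess in snapshot.get("admin_sessions", []):
        found[("admin_session", sess["user"])] = sess["hours_open"]
    return found


def check(baseline: Baseline, snapshot: dict) -> Dict[str, list]:
    """Compare what is observed with what was declared.
    undeclared: present but never deliberately opened (alert)
    overdue:    declared admin session that outlived its window (alert)
    missing:    declared but absent (stale declaration; tighten the baseline)
    monitored:  declared and present; each one needs its own watch rule"""
    observed = observed_exposures(snapshot)
    report: Dict[str, list] = {"undeclared": [], "overdue": [], "missing": [], "monitored": []}
    for key in sorted(observed):
        if key not in baseline.declared:
            report["undeclared"].append(key)
            continue
        limit = baseline.declared[key]["max_hours"]
        age = observed[key]
        if limit is not None and age is not None and age > limit:
            report["overdue"].append((key, age, limit))
        else:
            report["monitored"].append(key)
    for key in sorted(baseline.declared):
        if key not in observed:
            report["missing"].append(key)
    return report


def example() -> Dict[str, list]:
    """Constructed host and snapshot; none of these names are real."""
    b = Baseline("poller-01")
    b.open("port", "tcp/443", "admin web console")
    b.open("service", "UpdateAgent", "vendor update channel")
    b.open("admin_session", "svc_update", "scheduled update window", max_hours=2)
    snapshot = {
        "listening": ["tcp/443", "tcp/3389"],                 # 3389 was never declared
        "services_running": ["UpdateAgent", "RemoteShellHelper"],
        "admin_sessions": [
            {"user": "svc_update", "hours_open": 336.0},      # two weeks open: always-on
            {"user": "jdoe", "hours_open": 0.5},              # never declared
        ],
    }
    return check(b, snapshot)


if __name__ == "__main__":
    for bucket, items in example().items():
        print(bucket, items)
```

The design choice is that the baseline, not the running host, is the source of truth: a port that appears without a declaration is an alert even if nobody has yet shown it to be malicious, and a session the policy did allow is still an alert once it exceeds the window it was allowed for.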

We must change the paradigm.

They used the SolarWinds software update mechanism, which has complete access to every SolarWinds client's internal installation, to embed malware that sat for a couple of weeks doing nothing after install. They blocked detection and anti-virus tools; they encrypted and hid payloads. They used legitimate internal admin accounts. They used SolarWinds admin accounts, and SolarWinds itself requires full access (root?) for pushing updates and monitoring systems. Because we operate on an after-the-fact system of signatures, with no heuristic or behavior-based system, they gained access. Because we build and configure defensive tools with administrative access requirements, requirements driven by the operating system and development environments, we expose ourselves to major impacts. Because we inherently trust anything ADMIN, we do not watch ADMIN as we should. It is trusted end-to-end, just like a person with a Top Secret clearance, yet the biggest impacts always come from the trusted sources.
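The behavior-based watch on ADMIN that the paragraph above says we lack, as an added example written for this post (it is not SolarWinds code, not any product's detection logic, and not the original article's): a privileged update account gets a declared profile of what it is allowed to do, a short list of actions it must never do whatever its profile says, and a dormancy check so that an account going quiet for weeks and then waking up is itself flagged. The log format, the account name, the profile, the domains and the log lines are all constructed for illustration; no signature of any specific malware is involved.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical profile of what a privileged update/monitoring account is
# expected to do. Constructed for this example, not any vendor's actual
# behaviour. Targets match exactly or as a path prefix.
PROFILE: Dict[str, Dict[str, set]] = {
    "svc_update": {
        "connect": {"updates.vendor.example"},
        "write_file": {"C:\\Program Files\\Vendor\\"},
        "start_service": {"VendorAgent"},
    },
}

# Actions no update or monitoring account should ever perform, whatever its
# profile says: disabling security tooling, spawning a shell, minting admins.
ALWAYS_ALERT = {"stop_service", "spawn_shell", "add_admin"}

# First activity after this long a silence is itself worth a look.
DORMANCY = timedelta(days=7)

# Constructed log lines in an assumed format: <iso-ts> <account> <action> <target>
SAMPLE_LOG = r"""
2020-12-01T02:00:00 svc_update write_file C:\Program Files\Vendor\core.dll
2020-12-01T02:00:05 svc_update start_service VendorAgent
2020-12-15T03:10:00 svc_update connect cdn-telemetry.example
2020-12-15T03:10:30 svc_update stop_service EndpointSensor
2020-12-15T03:11:00 svc_update connect updates.vendor.example
2020-12-15T03:12:00 jdoe connect mail.corp.example
""".strip().splitlines()

Alert = Tuple[str, str, str, str]  # (kind, account, action, target)


def parse(line: str) -> dict:
    """Split one log line; the target may contain spaces, so split at most 3 times."""
    ts, account, action, target = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "action": action, "target": target}


def in_profile(account: str, action: str, target: str) -> bool:
    """True only if the account has a profile entry for this action and the
    target is listed there (exact match or path prefix)."""
    allowed = PROFILE.get(account, {}).get(action)
    if allowed is None:
        return False
    return any(target == a or target.startswith(a) for a in allowed)


def detect(lines: List[str]) -> List[Alert]:
    """Run every line through the three checks and return the alerts in order.
    An account with a profile is held to it; the forbidden-action list and the
    dormancy check apply to every account seen."""
    alerts: List[Alert] = []
    last_seen: Dict[str, datetime] = {}
    for ev in map(parse, lines):
        acct, action, target = ev["account"], ev["action"], ev["target"]
        prev = last_seen.get(acct)
        last_seen[acct] = ev["ts"]
        if prev is not None and ev["ts"] - prev >= DORMANCY:
            alerts.append(("active_after_dormancy", acct, action, target))
        if action in ALWAYS_ALERT:
            alerts.append(("forbidden_action", acct, action, target))
        elif acct in PROFILE and not in_profile(acct, action, target):
            alerts.append(("out_of_profile", acct, action, target))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the constructed log, the update account's first move after two quiet weeks is a connection to a host outside its profile, and stopping the endpoint sensor is flagged regardless of profile; the later connection to the declared update host raises nothing. None of these checks knows what the payload looks like, which is the point: the account's own declared behavior is the reference, not a signature.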

Not one tool on the market today picked up on the malicious activity, from installation to lateral movement to data exfiltration. Not one.

An attack is not sophisticated and not "world class" just because you are the victim. These are just cover words for poorly designed products, poorly configured installations, and ridiculous access requirements. #DefinitionofInsanity, still at work 25+ years in the making.

If you want to better secure your environment, change the paradigm. Demand better. Use intelligence for its intended purpose – warning, estimates, and prevention.