In my job at SSH, I meet with IT executives in many large businesses and government agencies.  Aside from their initial surprise that there is an actual company behind SSH, there is one question comes up most often, namely which functional group within IT should own SSH?  The reason that this is such a struggle is that unlike other IT investments, Open SSH comes pre-installed on servers, networking, and storage gear.  By default, it’s just there to be used, which administrators and application developers use extensively.

Some background, SSH is a protocol that is used by both system administrators and application owners to securely communicate, control machines or to facilitate secure file transfers.  SSH works remarkably well, and the encryption is extremely effective at preventing man in the middle eavesdropping attacks.  However, in the wrong hands, this same SSH encryption can be leveraged to circumvent security controls.  SSH use requires the creation of matching public and private key pairs for authentication.  The public key is primarily used for automation and sometimes by system administrators for single sign-on is placed on the target machines and the private key is either placed on a connecting server (for machine-to-machine use) or is given to a user to facilitate human-to-machine interaction.

There is a notion that the PKI management team should also manage SSH access.  Some vendors add to this belief by claiming that SSH keys are similar to managing certificates.  However, comparing certificates to SSH keys is actually more akin to comparing apples with coconuts, they both provide authentication but the similarities end there.  Unlike certificates, SSH keys are easily copied, easily shared, and by default aren’t set to expire.  Moreover, unlike certificates, SSH is also used extensively for machine-to-machine interaction.  For all these reasons, we do not believe that SSH aligns to the function of PKI and would advise against assigning the responsibility of SSH within this group.

Another group often considered to manage SSH is Cryptography.  It’s easy to see why that’s the case since SSH provides encryption – it seems reasonable that the encryption team should own it.  While this is true, SSH also enables remote interactive command and control of machines extending well beyond the purview of just cryptography.   Instead, it’s our view that the most logical group to own SSH is the identity and access management team.  Why?  Well, SSH Keys = Access.  Therefore, granting, monitoring and revoking access to resources via SSH should adhere to the same, if not more process and rigor used to grant system access for employees, contractors, partners, and suppliers.

The inherent challenge to SSH is that unlike identity and access management that applies to humans, there typically is no on-boarding and off-boarding of SSH Key access, which is something we strongly advocate.  Given all the complexities, providing safe and secure access via SSH we feel that three things are needed:  1. Well defined policies and procedures related to SSH 2. Training and education for key employees and 3. Continuous system monitoring and enterprise software to enforce that the issuance, monitoring, and revocation of SSH access is adhered to.

In conclusion, the SSH protocol is a vital technology that is used extensively throughout every business and government agency the world over which makes protecting and managing SSH access a Tier 1 security concern.  In fact, if you investigate the core of most major breaches that a. exfiltrated large sums of data undetected b. installed software or disabled systems or c. occurred over an extended period of time undetected, it’s likely an indication that SSH had been leveraged by the hackers.

SSH protocol – the inventor of the Secure Shell protocol have developed several thoughtful and purpose-built solutions that address the unique complex security and compliance requirements of SSH to compliment your existing security investments.  To learn more, or to schedule an SSH security risk assessment please feel free to contact me by filling out the contact form within this website.

In late February, California’s attorney general Kamala Harris released a breach report that you can find here.  The report requires companies conducting business in the state of California to use “reasonable security procedures and practices…to protect personal information from unauthorized, access, destruction, use, modification, or disclosure.”

Essentially, the reasonable security protocol’s she’s referring to are essentially the SANS top 20 security controls.  However, Ms. Harris expanded on the 20 security controls and emphasized that consumers should have the option to employ Multi-Factor authentication for system access, and use strong encryption of all customer data.  In the event that there is a data breach, she went on to say that the business that had been breached should provide fraud alert services to affected parties.

Even if you don’t conduct any business in the state of California, I believe that it’s just a matter of time before other states follow California’s example and establish similar requirements – so your business should really start planning for that accordingly.  I know, I know – add it to the list.  If you were looking for a irrefutable reason to justify additional security-related project funding, this is report is heaven sent.  However, if your budget can’t grow, re-prioritizing security initiatives will likely be hell.

What a nice surprise (what a nice surprise).  Bring your alibis…

Q. What does the Microwave, 3D Printing and Splunk all have in common?  

A. They are all technologies that have introduced a fundamental paradigm shift from the conventional ways of doing things. Before the invention of the microwave oven, if I told you that I could place food in a box, turn it on, and cook food in a fraction of the time that it normally takes without making the box hot you would have looked at me like I was crazy. Prior to the microwave, your reference point would have been either a gas or electric range which incorporated a heating element (fire or heated coils) that would heat your oven.  You place your food into a pre-heated oven, and the ambient heat would in turn heat your food.

If you happen to be old enough to remember the mind blowing experience of witnessing the a microwave in use for the first time – you may have thought that it was some magic trick.  Personally, it took me a little to wrap my head around the technology.  No pan, no pre-heating, no metal – just place the food on a plate, place the plate in the microwave, set the time, hit run and pow – out comes hot food. Most shockingly, when you opened the door to retrieve your food, the inside of the microwave (minus the plate with your food) was cool to the touch – remarkable!  The need to heat food has existed forever, but this new approach to heating and defrosting food was fast, efficient, and radically different.

3D Printing is equally remarkable. Until the invention of the 3D printer, creating a product prototype or one of mechanical part was a manual, time consuming, and often-expensive process. Prior to 3D printing, if you needed to create or recreate something you would have to hand craft a model or prototype, create a mold and have the part fabricated in a special facility. The introduction of the 3D printer changed all that.  Now anyone outfitted with a CAD Cam program and a 3D printer can spin up mechanical designs in just a few hours, resulting in enormous savings of manpower and time.

Splunk is like a microwave and a 3D printer in that introduces a whole new way of accessing and leveraging machine and human generated data in ways that have heretofore have been impossible to achieve. Human generated data is simple enough to understand, that’s all the data we create from filling in information manually.  But just is machine data? Here’s the short answer – any electronic device that has some intelligence built into it generates machine data.  That would include everything from your automobile that you drive and the elevators your ride, to the laptop you type on, and the cell phone you talk on – in short, most everything creates machine data.

For the most part, this machine is often unused and often discarded, which is a huge mistake, here is why.  Imagine your automobile engine is running erratically.  You bring it into mechanic, he/she takes it for a drive, listens for the sound, and simply guesses what it might be, replaces several parts, and sends you on your way – on your drive back from the mechanic, you discover that engine is still operating erratically.  You are out hundreds of dollars, spent hours of you time bringing the car in and the problem still isn’t fixed.

Using the same example, you bring your car into the mechanic, the technician connects a handheld computer to the automobiles on-board interface, and reads the machine data (error codes) from the engine.  The handheld computer interprets these codes and alerts the technician to the malfunctioning part – the repair is made, and you drive home with the problem resolved.  No guesswork, no unnecessary repairs, and the problem is quickly repaired properly the first time.  That’s the power of leveraging machine data.

Just imagine that you could collect this machine information from all over your company, from every device (servers, applications, databases, hardware devices, etc.) and like the automobile example, you could quickly make sense of this data in real-time, how many hours of wasted activity chasing down technical problems could be eliminated?  Better yet, imagine you could break down informational silos and ask questions of this amassed data to help you manage your business more efficiently. Just imagine that you could easily organize and visualize all of this information in meaningful ways, with information updating these visualizations in real-time. Just imagine that you could set alerts, so that when conditions that you’ve outlined are met notifications are sent or programs are triggered to take immediate corrective action. Now imagine a world where finding information no longer involved taking days, weeks or months, but instead only took seconds or minutes. Actually, you can stop imagining, just like the Microwave Oven and 3D Printers, Splunk actually exists.

There are inherent limitations to relying upon traditional Security Information & Event Management Systems or SIEMS, which are often overlooked that every organization must be made aware of. These limitations are: 1) SIEM’s fixed focal point and 2) Dependencies upon structured data sources

Maintaining a fixed focal point (or monitoring just a subset of data) only encourages nefarious opportunists to find vulnerabilities outside of this narrow field of vision. Any experienced security professional will say that all data is security relevant. However, traditional SIEM’s limit their field of vision to just a fixed focal point of data. To understand why this matters, let’s look at an example outside of information technology that’s perhaps easier to follow. Imagine for a moment that three are a string of home break-ins happening in your neighborhood.  To safeguard your property you decide to take precautionary measures. You consult a security professional and they make several recommendations – Place deadbolts on the front and back doors, reinforce locks on the first floor windows, set camera’s and alarm systems above the front and back doors and windows. With all this complete, you rest easier feeling far more secure.   This is what a traditional SIEM does. It takes known vulnerability points and monitors them.

Building upon this example, let’s imagine that a bad person comes along and is intent on breaking into your home.  She cases the house, spots the camera’s, and decides that the windows and doors on the first floor pose too much of a risk of detection. After studying the house for a while, she finds and exploits a blind spot in your defenses. Using a coat hanger, she quickly gains access to the home in just six seconds through the garage without any alarm being tripped. How can this be?  Well, your security professional didn’t view a closed garage door as one of your vulnerability points, so no cameras or security measures were installed there.  As a result, your home has been breached, and no alarms have been triggered since the breach occurred outside your monitored field of vision.  This scenario illustrates the inherent limitation of defining a problem based upon anticipated vulnerabilities.  Determined inventive criminals will figure out ways to defeat known defenses that haven’t been considered. That too is the inherent problem of traditional SIEM’s; they are designed to only look at known threats and vulnerabilities, as a result – they do little to no good alerting you to unanticipated threats or vulnerabilities.

Also, the dependence upon structured data sources also creates another serious security limitation. Traditional SIEMS store information in a relational database. The limitation of this approach is that in order to get information from different sources into a database, users first need to define a structure for this information, then force ably make the data adhere to this defined structure. Oftentimes, imposing this structure leads to relevant security information being left out in this process.

To illustrate why this is an issue, let’s imagine that detectives are trained to only look for finger prints when analyzing a crime scene. Their investigations totally ignore any information that isn’t a finger print – they search for finger prints, partial prints, and if they are really advanced, maybe they’ll include hand and foot prints. However, in the course of their investigation they completely ignore collecting blood, hair, saliva or other DNA related evidence. Now, just how effective would a detective be in solving this case if the criminal wore gloves and shoes? I think everyone would agree that the answer to that question is that wouldn’t be a very effective investigator. Well, that’s exactly what happens by limiting the types of data captured by force fit different data types into a standard database schema – running through a schema format process effectively removes lots of relevant information that can be of great help in an investigation.

Instead, since all data is security relevant, to be truly effective, security professionals must have the ability to collect information from all sources of data in its full fidelity. Since traditional SIEM’s strips out this ability, then it follows that no business should solely rely upon a traditional SIEM for security – make sense?

Instead, what is needed is more of a fluid approach to security, one that captures information from multiple sources, evaluates all known exploits, and allows you to correlate different information to uncover new potential exploits before a report-able data breach occurs. Splunk’s real-time machine data platform is extremely well suited to that task.

The differences between Operational Intelligence (OI) and Business Intelligence (BI) can be confusing. Just the name, Business Intelligence sounds like Nirvana. Show of hands, who doesn’t want their business to be intelligent? No, the names are fairly ambiguous so let’s turn to Google define to shed some light on their meaning;

Business intelligence, or BI, is an umbrella term that refers to a variety of software applications used to analyze an organization’s raw data. BI as a discipline is made up of several related activities, including data mining, online analytical processing, querying and reporting.

Operational intelligence (OI) is a category of real-time dynamic, business analytics that delivers visibility and insight into data, streaming events and business operations.

These definitions are helpful, but I think the picture above really illustrates the differences quite clearly.  Business Intelligence comes after the fact which is illustrated by looking in the rear view mirror of a car. Therefore, it’s helpful to think about BI as a reference to where you’ve been or what’s happened in the past.  Yes, you can store information in a data mart or data warehouse, and you can “mine that data”, but that doesn’t fundamentally change the fact that the information you are looking at or analyzing occurred sometime in the past.

On the other hand, operational intelligence is represented in the above photograph as the front windshield of a car depicting what’s happening right now in real-time. If you spot a large pothole in the distance, OI will alert you to that fact, and enable you to make a course correction to avoid ruining your alignment;  whereas, BI will only let you know that you had driven through a pothole as your car is wobbling down the road from all the damage.

Most businesses have the potential to leverage Operational Intelligence for competitive gain, but many are still stuck in the past with traditional BI tools. If you want to really crank up your business, I say it’s time to get real-time and discover what a paradigm shift of moving to OI can do for your business.