Search This Blog

Tuesday, 12 September 2017

Cloud Access Security Broker (CASB) - The purpose of a forward proxy

First of several short articles on the feature sets of a typical Cloud Access Security Broker (CASB)

The Forward Proxy:

In a Cloud Access Security Broker (CASB)forward proxy is an in-line real time protection gateway service configured to handle network requests for a group of known clients (users and devices) to any external website and/or cloud service.  These users and devices can be connecting from anywhere, either on the corporate network, or across the Internet.  The destination services are typically cloud based.

The CASB forward proxy is primarily a policy control, and in it's most basic un-authenticated form, would simply apply policy enforcement to allow or deny access to specific sites and services on the internet.  This form of the service could be used to police the corporate "Code of Conduct"  ie:  "No corporate device is allowed to browse Pornography, Violence/Hate, Drugs, Gambling, etc... "  or to block access to Cloud Storage sites to reduce risk of Data Loss.

This however, is a very limited use case, and easily subverted.  

Typically, you would configure the Forward proxy to authenticate the endpoint (Either User, or Device, or both) to your corporate directory.  This can be done through Microsoft's ADFS (Active Directory Federation Service) or better through a Cloud Identity Provider such as Okta, Ping, OneLogin, or Centrify.

For sites that are Corporately Sanctioned,  you can manage/report/alert on the context of Who visited the website or service, from where, on what device, and at what time.  Any or all of these attributes can be used to modify access. IE:  If going to a specific service from an unknown device over public WIFI, you may want to enforce Two Factor Authentication, and restrict file transfer. 

For sites and services that are unknown or not Corporately Sanctioned (Shadow IT), you may want to validate the type of service through URL/Content filtering, and then allow access, while logging verbosely.  

Scenario:   With authenticated forward proxy, you can say: 

  • This user is from accounting - these are the apps they should potentially be able to access.
  • This user is on a corporate laptop from within the corporate network, allow full access.
  • This user is on a corporate laptop on a public network. (Starbucks or Hotel)
    • Enforce two factor auth to these apps, and deny access to these apps.
  • This user is on a personal device on a public network. 
    • Enforce two factor auth to these apps, and deny access to these apps
    • Deny file transfer. 
  • etc...

And of course the Cloud Identity Provider would manage credentials on the end service, therefore direct connection would be prohibited. 

Typical Forward Proxy use cases:

  1. Inspect content between Endpoint device (user) and Website/Service for Malicious Activity.
  2. Inspect content between Endpoint device (user) and Website/Service for Data Leakage.
  3. Enforce Corporate "Code of Conduct" via URL filtering.
  4. Provide granular access control based on "context" of user's source device/network/time.
  5. Provide list of "un-sanctioned apps" for security review.
  6. Encrypt Field level/table level data on the fly. 
  7. Tokenize Field level/table level data on the fly. 

As an inline implementation, the forward proxy requires a method to direct/enforce traffic from the endpoint device through the proxy, to the destination service.  For legacy on-premise proxy, we had a few options for redirecting traffic to the proxy:

  • Typically, PAC  (Proxy Auto Config) files would be used. This was an intrusive configuration of the endpoint, that could be easily bypassed by the user.  
  • DNS "URL redirect" was also a good choice for redirecting "sanctioned applications" through the proxy to control/monitor that traffic.
  • Finally, an endpoint agent on the device could be used to control/redirect traffic.  (Do not do this!  Please!) 

Most CASB providers today rely on the Single Sign On Identity Provider (IdP) that authenticated the end user to provide a SAML redirect to the CASB forward proxy service.  This also allows the Identity provider to add "context" to the interaction.  "Michael is authenticating after standard work hours with his corporate credentials, on a valid certificated corporate device, from what appears to be a home network".

Next up: Cloud Access Security Broker (CASB)  -  The purpose of a reverse proxy 


Thursday, 24 August 2017

Can our Managed SIEM providers please get their heads out of the 90's?

rant mode on   

(I had tried standard <> tags, and the CMS tried to process them!  LOL)
I've been a customer of SIEM (Security Incident and Event Monitoring) for about 30 years (cough), and have never had a "good" customer experience.  

SIEM are complex (and expensive) systems that closely integrate with every server/appliance/network device on the floor, and try to make sense of the data flowing through to identify security concerns.   This data is typically formatted  proprietary to the vendor of the source product.

When a vendor wants to implement SIEM in your infrastructure, for each server they enroll, the vendor asks about "use cases", or the set of rules that define what types of security events you should care about. 
"Mr Customer, how many failed login attempts to you want to capture before we alert you?"

As a customer, how the hell should I know?  What's the industry norm?  You're the SIEM expert, tell me what your other customers are doing!  This approach has stiffled progress/uptake in the industry.  SIEM is typically implemented grudgingly as an audit checkbox.  
"Ok, yes, we have SIEM, and things are reporting to it... CHECK... Next..."
 This is a very expensive and time consuming effort to acquire a check box, but this is also how the vendors are selling it.  Compliance sells products.

There is so much more that SIEM can and should do, like correlating firewall sessions with EndPoint Protection alerts.  Identifying patterns (anomalies) in VPN users activities, alerting on movement of data between rogue cloud applications (shadow IT)...  but those tasks take planning and scripting skills. Time and budget that an average Information Security team does not have.  So the tools get put in to fill the checkbox, and all of the capabilities they have sits idle.   (I hear you out there... prove me wrong, tell me YOUR good news story!)

Another typical issue with implementing SIEM is scaling/sizing of the SIEM infrastructure itself.  The vendors usually define the size of your SIEM based on incoming "events per second".  There are many calculators out there to help you determine size, but they don't tell you that a) this is a best case scenario, or b) EPS depends entirely on what you CHOSE TO LOG!

It's a rare event that you buy too much SIEM for your requirements.  SIEM is expensive, and most of us will err on the side of budget.... and then find out we spec'ed  3-4 times smaller than required.

rant mode off

So let me tell you a little story now of my most recent experience that turned all this on it's head:

There's a little "Managed Detection and Response" company, eSentire out of Cambridge Ontario, that I had seen at several trade shows. Fatigued by vendors proclaiming that their product/service was better than the next coming of Christ, I had watched them warily.  But heard good news from all sources.

I had an opportunity at one of my clients to replace an very non-functional implementation of Arcsight that one of Toronto's finest  managed security providers had failed to deliver appropriately. (I'll just leave that there)

We looked at possible opportunities for bringing SIEM back in-house, as well as talked to about a dozen Managed Security Service Providers, and the daunting conversation of use cases kept coming up time after time.  Vendor would ask us what we wanted to monitor, how many, how long, what's the alerting criteria, blah blah blah...  (insert Charlie Brown adults talking here)

In the mix, we had eSentire come in and present.  I had prepared my VP of IT and director of Security Operations as to the types of questions we would encounter, and typical responses regarding EPS per logging device, and use cases based upon product.

eSentire took the conversation in a completely new direction:

Us:  "Ok, tell us what we need to provide for use cases, and possibly some guidance on what makes sense...."

eSentire:   "We looked at your company, it's size, and market space.  We have dozens of similar customers as you.  Do you think your use cases might differ much from theirs?"

Us: "Ummm... no... probably not."

eSentire:  "Good, we can start there as a baseline, and monitor,  next?"

Us:  "Ok, what about Events Per Second, and storage?" 

eSentire:  "Based on existing customers, and the list of systems you want to integrate, we'll put a log collector in your infrastructure and monitor and manage it's capacity. "

That was nine months ago.  We signed up almost immediately, and the full implementation was a few weeks (not the typical 12-18 months I'm used to with those other systems).  We were getting reports daily, weekly, monthly, that made sense, and had executive presentations that I could actually take to my management.

We've also signed up for and are very happy with their Network Interceptor (Managed Intrusion Prevention) and Continuous Vulnerability Assessment services.


Gartner: SIEM Use Cases

Alienvault: What kind of logs do you need for an effective SIEM?

Gartner: Managed Detection and Response Companies
eSentire: Managed Detection and Response

SANS: Benchmarking SIEM
Why and How to calulate Events per Second
Solarwinds: Estimating Log Generation
Qradar: Sizing, Determining Events Per Second
A good EPS sizing chart and writeup from Buzzcircuit

Arcsight: Enterprise Security Manager

Thursday, 29 June 2017

Canada 150, and Canadian Innovation.

Canada has a long legacy of innovation and prosperity. We have blazed technology trails in every aspect of life, from agriculture to medicine and health care, communications to manufacturing, transportation to space travel, finance to renewable energy.

I started my career as an electronics technician under the Industrial Research Assistance Program at the Canadian National ResearchCouncil.   My role was to go in to young startup companies, and provide technical assistance getting their technology dreams built, tested, and ready for market.
Today, this program actively helps Canadian entrepreneurs innovate through grants, advisory services, networking, youth employment, staff augmentation, while providing technical assistance in various fields.

Looking backwards to see forward, Canada has great opportunity remain a global leader in innovation and technology. There is a wealth of diverse companies, both entrenched and new, taking on the challenge of automating, managing, and accommodating all aspects of our lives.  I’ll outline just a few of those technologies here.

The Canadian Healthcare System is respected worldwide, both for its ability to efficiently and effectively care for individuals as well as its history of innovations.  Leveraging the rapid advances in “Internet of Things (IoT)” technology and infrastructure, Canadian health research facilities have become world leaders in the innovation of wearable devices to help track and monitor patient outcomes.  With these devices monitoring vital aspects of a patient’s health and recovery, a physician can both be better informed upon arrival of the patient, reducing wait and visitation times, as well as analyzing appropriate remediation strategies.  Canadian made wearable devices will become a normal part of our standard healthcare regime.   

As well as the wearable monitoring devices, IoT technology has spurred a number of Canadian Innovators to launch “assistive device” products.  These range from smart technology for wheelchairs, to adaptive prosthetics, to GPS tracking and guidance for the blind.  The Canadian imagination is boundless, and as our population ages, these devices will become more prevalent.

Blockchain Technology may be new to most of us, but is revolutionizing the way the banking industry works.  In fact ANY industry that relies on transactional integrity could find benefit in Blockchain’s ledger based technology.  Many of us are familiar with, or at least have heard of “bitcoin”, which is the grandfather of blockchain currencies. Ethereum is another blockchain up-and-coming currency taking international interest.  Recently, the Enterprise Ethereum Alliance included the National Bank of Canada as one of 86 new members that will work together to develop business applications on the Ethereum blockchain.

Renewable Energy:
There are more than a thousand Canadian companies currently innovating in the Clean or Renewable Energy Market, employing more than 50,000 people across the country.  From the staples of Solar and Wind, to deep water stores of compressed air, geothermal heating and electricity, and the manufacture of Lithium Ion batteries, we are making our mark on the global stage.  Much of this is thanks to “Sustainable Technology Development Canada” , which is the largest single clean-tech fund in the world. It has seeded more than 200 clean-tech projects through grant funding of more than $600-million. Renewable Energy is a cultural shift that is well under way within Canadian homes and businesses, and we are going to continue to be at the forefront for decades to come.

Over the past two decades, Canada has taken a strong lead in Modernizing and Automating Agriculture. With the prevalence and low cost of Industrial sensors for things like moisture level, sunlight, ph level, soil nutrients, etc.. Canadian researchers have been able to greatly increase crop yields across the industry. This technology has been transferred down to the hands of local farmers who are able to automate aspects of their farm such that they not only increase yield, but can direct and reduce water consumption and cost.  Crops are able to be grown in areas previously unmanageable through monitoring and automation.  Canada is also setting examples of how to use industrial sensors to monitor and manage Livestock health and food consumption. This is an area in which we will continue to be world leaders.

Smart Cities:
Continuing on the Industrial Internet of Things theme, Canada is also a leader in Innovation in monitoring and managing all aspects of transportation and buildings in today’s Smart Cities. Cities across Canada are collaborating on means to provide cleaner more efficient home and work spaces for their inhabitants.  We are researching ways to use Industrial sensors to monitor and more efficiently manage heating and cooling within residential and commercial buildings.  We are also developing ways to monitor and reduce emissions from these buildings.

Through the use of sensors under the pavement, on lamp posts, and cameras at intersections, we are researching ways to better identify traffic patterns across the city, and adjust intersection lights for more efficient travel times and greater safety for both vehicles and pedestrians. 
There are also Canadian innovations being developed in street lighting to greatly reduce power consumption, and reduce environmental impact on wildlife.

Space Exploration:
We are all too familiar with the Canada Arm that had assisted the NASA space shuttle program for two decades, and now currently works diligently on the International Space Station. Did you know that Canada has a burgeoning Space program too?  In 2016, the Canadian Government committed to extend Canada’s participation in the ISS program, and provide opportunities to develop leading-edge space technologies. Up to $379 million will be earmarked for this program over the next eight years.
Six Canadian Astronauts have served eight missions aboard the International Space Station, and in 2018, David Saint-Jacques will become the next Canadian astronaut to take part in a long-duration mission aboard the ISS.

The University of Guelph’s Mike Dixon and his team are working on “biological life support” systems. Research that will help sustain long-term human exploration to distant planets by finding ways to grow plants inside greenhouses with techniques that could one day allow us to grow crops on the moon or Mars.

Canada had long partnered with the US on development of Satellite Communications technology.  Our first Canadian Satellite, Alouette 1,  was launched by Nasa on September 29 1962. Companies such as DeHavilland, Spar Aerospace, and Telesat Canada spurred on the innovation across the past several decades. Now, the torch has been picked up by several Canadian startups that are developing very small format satellites for such purposes as monitoring forestation and environmental changes, or providing imaging services for commercial planning.

We Canadians are a country of dreamers, and we dream big. The future of Canadian Innovation will not dull.