Published: 22 September 2016
By Tom Guyatt
So here we are at another security conference, this time listening to end-user presentations. These presentations are often so much more interesting than the enthusiatically hyped sales patter that's common fare.
Today we're hearing about the aftermath of an attack. What strikes me is how much technology doesn't work when you hoped it would. In the messy real world all those SIEMs and pixie dust analytics needed to be configured right and have the data in the first place. System logs need to be in more that one place, and it's impossible to undelete the finest delete commands.
In this case the Hacker covered their tracks but not completely. The main message here is uncertainty and moreover, the cost of uncertainty. If you can't see everything the attacker did you end up drawing the conclusion that they could have done anything and would have had access everywhere. Everywhere includes the outsourced and 'Shadow IT'.
So this is where the cost comes in. If you assume everything has been compromised, everything has to change. The upheaval that causes is very painful to business, but by all accounts here, it's way more painful to the IT teams working almost around the clock to get systems secure and back online. It's so obvious that this must be the lowest place an IT department ever goes. With Shadow IT it's never clear when you've completed a clean up - another example of the cost of uncertainty.
There must be a very short term effect in listening to the pain of others. We can see the other delegates wincing at the thoughts of sleepless nights. I'm thinking that the team that survived this would be great candidates to employ.
Car, Ships and Buildings are designed in cells, we understand this, where the compromise of one cell does not affect the integrity of all cells. We can reason that if one cell is damaged in an accident the surrounding cells may be deformed. We can see what needs to be replaced. Consider a compromise of an organisations global Active Directory service. The organisation would have to assume that an attacker could operate every account and system.
With our Osirium hat on, we're thinking 'It's Obvious, It's all about Privileged Access Management'. To a fair extent we're on the right course. But in the messy world of incomplete and legacy IT projects it's only part of the story. We all need to start building cells and taking a Continuous Improvement approach to our security.
In case you were wondering, Osirium is built in a cell like manner, where there are different operating contexts for functional parts. For example, complete compromise of a SysAdmin's workstation would not allow access to an Osirium Database. Osirium is designed never to create a network bridge between devices and we believe it's better to wrap up operations in tasks so that Privileged Accounts are not needed in the first place.
But here's a thing to remember, once Osirium has started to Life Cycle Manage a set of credentials, the're safe, there is no cost of uncertainty.