The How vs the Who: An Argument Against Attribution & Hack Back

A lot of organizations focus their efforts on identifying external actors, distinguishing between different groups that may be attempting malicious activity. At some organizations, this is relevant due to the defender’s sophistication, capabilities, and relationships. However, they are the 1%-ers and have many of the same difficulties that we are about to explore.

For the 99%, there is an unhealthy fascination around actors, attribution, and the “who done it?” The 99% believe that this information is both accurate and actionable. This belief has been propagated by cloud data security vendors; Hollywood’s portrayal of hacking and defense; and the fourth estate’s fascination with spy thriller storylines like the DNC breach and its role in the US presidential election.

It All Started With a Wager About System Upgrades

It all started with a wager of the usual amount over beers with @brianhatfield: when running workloads in Cloud environments, do organizations routinely and blindly upgrade their systems? The actual means of triggering the upgrade was not in question – a chef run, an hourly cron job, etc. One side took 10% or less, the other 90% or greater. While it’s not important who claimed the moral victory of coming closest, it’s important to remember that no one got paid (read: I lost).

Scale it to Billions — What They Don’t Tell you in the Cassandra README

At Threat Stack our engineering and operations teams have embraced the concept of the polyglot data platform, recognizing that no one solution can provide for all of our needs. Those needs include rapid scaling, ideally linear, to support growing customer demand and the elastic workloads of our new-economy customers. We also require different forms of analysis: stream analysis for our IDS feature set, efficient lookup tables and pre-materialized views for our ETDR feature set, and offline analysis for research.

A core component of our data platform for several years has been Cassandra, which we upgraded to Datastax Enterprise (DSE) through their startup program last year. Originally we expected to use it as our single source of truth for all of our time series data, but this turned out to be an anti-pattern. Instead we have found it very useful for lookup tables and pre-materialized views (more on this later).

How to Manage the Ex-Employee Insider Threat

A developer or operator leaving your company is always a harrowing event. More than likely they had access to your production environment, so you engage your standardized process for revoking their access. But how can you be sure everything is truly cleaned up, regardless of whether you suspect they would be malicious or not?

Reinforcing Your Hardened Server’s Soft Spots

If you have either deployed or are planning to deploy a workload to the Cloud, perhaps using AWS, you are looking to run your operations efficiently without compromising security. In a recent post we discussed the AWS Shared Responsibility Model in which you are responsible for the security of your own data, platform, applications, and networks in the Cloud, while AWS is responsible for the security of the Cloud itself. Being security conscious, you understand this model and may have followed the AWS Security Best Practices in an effort to harden your EC2 instances.

What All DevOps Teams Should Know About The AWS Shared Responsibility Model

Keeping your cloud workloads secure, compliant, and protected while moving at the speed of DevOps is no easy task. Our team at Threat Stack knows this truth very well. There are many different viewpoints on the best approach to take to keep your customer data and systems protected in the cloud, and it all starts with understanding where your cloud provider’s responsibility for security ends and where yours begins. Let’s use AWS as an example throughout this post as they have a Shared Responsibility Model that demonstrates this well.
3 Reasons Why The Host Rules Cloud IDS

To truly appreciate why companies like Threat Stack point to the Cloud as a watershed event in their corner of the software industry, one must push past the hype and worn platitudes about “the Cloud with a capital C.” The reality is that its side effects have caused the largest impact: the cost of operation as a function of scaled purchasing power, and the forcing of software-only solutions.

This has certainly been felt in intrusion detection systems (IDS). They have traditionally been deployed as network hardware devices enabled by access to the network infrastructure, but are struggling to find relevance in a world where the traditional network boundary no longer exists.
