by Christian Karwatske


What I Learned


2018 kicks off a new year and marks the perfect time to look back at the events of the last 12 months, take stock of what we have learned, and apply those lessons going forward. The preceding year was both busy and interesting, to say the least, and one of the big lessons I came away with was this:

“Old” problems don’t go away – they simply get worse until we take the time and energy to address them properly. 

Many of the significant events of 2017 reflect this. Taking stock of the major items my clients and I faced, I saw this lesson play out several times over, often with significant impact, and I noticed a few recurring themes:


Out With the Old: Legacy Systems Remain Active and In Critical Use


This is a HUGE issue that still plagues many organizations today. I spent a significant amount of time working with several clients that continue to rely on outdated systems, in some cases numbering in the several hundred to several thousand. What is even more troubling is how closely these systems are tied to business-critical and customer-critical functions, and how mainstream they still are in some organizations. Windows Server 2003 is now two and a half years past the end of its extended support, and by extension past its last regular security patch.

This platform remains in use across many organizations, often underpinning critical applications and services. It also becomes more exposed with each successive vulnerability disclosure that could apply to the platform or its dependencies, and a couple of factors make this worse today than when the operating system first went end of life:

  • Microsoft no longer lists Windows Server 2003 among the affected or unaffected operating systems when it publishes an advisory. This does NOT mean the operating system is not vulnerable; it means its state of vulnerability is no longer assessed or disclosed when the write-ups are released, so administrators have to assume exposure and verify it themselves.
  • Common runtime and framework components in the application ecosystem (Java, Adobe products, WordPress, .NET and the like) are themselves deprecating their support for the platform and drifting toward a state where they cannot be patched either. Continued use of Windows Server 2003 therefore leaves administrators worrying not only about the inability to patch Windows itself, but also about how far they can still patch the components running on it. As these elements fall behind the patching curve, the platform's exposure footprint grows, and so does the effort needed to apply compensating security measures to offset it. This will get progressively worse over time, with potentially painful consequences for the organizations still relying on these platforms.
  • Common security measures (like antivirus) keep moving forward in capability and platform support and are leaving this system behind, forcing administrators to rely on older (and far less effective) antivirus and endpoint security releases, to turn to more specialized solutions (like Symantec's Data Center Security: Server Advanced), or to go without additional protections.

The dangers of this situation were underscored emphatically by the EternalBlue disclosure and the widespread WannaCry ransomware attack that followed it. I recall responding to several urgent inquiries from clients about whether the DCS solution could be configured to provide sufficient protection against this attack (it could, and did!).

In many cases these clients were asking because they recognized that, at the time, DCS represented the sole means by which they could potentially secure against the attack: no patch would ordinarily be expected from Microsoft for a retired platform. (Microsoft did eventually deem it prudent and necessary to release a patch for the unsupported systems in an effort to halt the spread of the malware.)

For me, each vulnerability disclosure logged since, while generally not as prominent, is a reminder to my customers still running these systems that they do so at their organizations' peril. I have been forced to recognize that in many cases these systems are unfortunately NOT going away anytime soon (I still have some clients with Windows 2000 out there!), but I continue to advocate and push for decommissioning these assets wherever it makes sense to do so, because the cost and effort to protect them sufficiently only increases. 2017 tells us that the time to retire our legacies is long past.


In With the New – New Technology Evolutions and Priorities Going Forward


I also witnessed several helpful evolutions within the security solution ecosystem which I am very excited about. I will be championing many of these solutions with my clients going forward, in an effort to help them leverage these capabilities (particularly where they already employ elements of the associated technology), as doing so leaves them at an advantage over the attack community. Highlights include:

Continued Enhancement in Anti-Malware Capabilities:

Traditional anti-malware continues to evolve, and 2017 saw some huge advancements in this space. Symantec in particular continues to develop and refine capabilities that support, and in some cases supplant, traditional signature-based detection. The Symantec Endpoint Protection 14.1 cloud-based offering stands as one of the most significant expansions of that platform in recent years and provides a range of new capabilities, all of which are available to current SEP customers.

These include things like:

  • Whitelist- and blacklist-based custom malware detection augmentations
  • In-memory protections
  • Machine learning based detection algorithms
  • Detection of attacks by exploit pattern, rather than file hash
  • Behavior-based profiling and malware detonation based heuristics

Continued Development and Enhancement in System and Application Integrity Solutions:

2017 was a good year for Symantec's Data Center Security suite, as they continue to refine its usability and management frameworks and extend its capabilities into realms that have suffered a paucity of available security measures to date. I am seeing adoption of the new management framework increase, and its use has begun to integrate into standard operating procedures. Also, Cloud Workload Protection, a new element of the Symantec DCS family, was rolled out this year and extends the security and protection model into an organization's Amazon EC2 and/or Microsoft Azure cloud ecosystems (with more platforms to follow). With the ability to secure these environments by instance and container, in addition to protections within the guest environments, I am very much looking forward to extending this capability to several of my clients this year!

Evolution and Growth in Discovery and Visibility-Oriented Solutions:

Visibility is a key factor in succeeding with your security initiatives, and my customers and I continue to leverage tools like SOLVE as a matter of practice. In fact, adopting visibility-enhancing technology alongside SEP and DCS in particular is becoming so vital that it is now a de facto foundation of any new implementation we undertake.

My customers continue to leverage these tools, usually SOLVE or NorthStar (though occasionally they have their own favorites), and many of them are exploring ways to expand the use of these platforms beyond the security suites they were originally implemented to support.

Visibility is king, and many of my customers readily recognize this and want more of it!

In addition to traditional visibility interests, a lot of new interest has arisen around cloud application visibility, particularly centered on the concept of "Shadow IT": application ecosystems that are allowed to develop and flourish without the awareness of the IT and security staff. Discovering these elements of the organization is the first and most vital step in bringing them under management and into the security model. More of my customers are starting to ask what can be done to address this concern, as in many cases they recognize they don't accurately know the scale of the issue within their organization.

Symantec has made excellent strides in refining its CloudSOC Audit platform, which, through integration with an organization's existing security framework, enables rapid discovery and mapping of an organization's Shadow IT ecosystem. Alongside it, NorthStar is successfully tackling the discovery and profiling of an organization's owned and implemented assets and is proving instrumental in identifying assets that have fallen outside one or more traditional management frameworks. Together, these are technologies that I believe will prove to be invaluable additions for organizations facing visibility challenges.

For those wondering if their organization is potentially facing such a challenge, as the old adage goes, “If you have to ask…”


New Year’s Resolution – Follow Healthy Practices


When I take a step back and look at the "bigger picture," 2017 marked a year of widespread increase in data breaches and successful ransomware attacks, with overall incidents in this realm showing a 20% increase over the previous year. Industry verticals such as healthcare suffered particularly from ransomware, and several high-profile events resulted in healthcare organizations paying off the attackers in order to restore access to their critical systems. This shows a direct link between an incident and its monetary impact, and also speaks to the danger of reputational impact. Paired with an inability to resolve the incidents through technical means, several organizations were steered toward paying the attackers to achieve relief. That sets a bad precedent: the organizations that opted to pay established themselves to the attacker community as both vulnerable AND lucrative, which only ENCOURAGES further attacks, targeting both these sectors AND these organizations specifically in anticipation of further payouts.

This series of events, while ordinarily significant enough to headline the year in review, is overshadowed by some of the largest data breaches and exfiltrations to date, namely the successful breaches of Equifax and of the Republican National Committee. (Disclosure: neither is a client of mine or of Conventus.) Understandably, in many of these cases the specific attack channels are not disclosed in detail, but what is known points to breakdowns in, and failure to adhere to, well-established best practices, including:

  • Institute and adhere to least privilege, for both user and application accounts
  • Refrain from using default passwords in system and application configurations
  • Eliminate legacy systems that can no longer be adequately secured
  • Apply system and application patches promptly and rigorously

Supporting these approaches often entails adopting the following measures:

  • Institute comprehensive and consistent log and event review, and investigate any events of interest or changes to known system baselines. This means implementing effective monitoring and configuration enforcement solutions (like Symantec's DCS) AND regularly reviewing and acting upon the data these solutions generate.
  • Ensure all active and connected systems are discovered, identified, and managed in accordance with their desired state. Discovery gaps leading to unmanaged systems represent a significant point of entry and exposure. Solutions like NorthStar aid significantly in quickly identifying an organization's systems and can clearly show which ones are drifting from management frameworks and therefore pose a risk of exposure. Leveraging this capability is a vital aspect of finding and closing your gaps before the attack community finds and exploits them.
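Both the legacy-platform problem discussed earlier and the discovery gap in the list above come down to the same reconciliation: what discovery actually sees on the wire, versus what each management console believes it covers, versus which of those platforms can still be patched at all. The script below is an added example for this post; it is not Conventus, NorthStar, SOLVE or Symantec code and uses none of their APIs. The exports, hostnames, OS labels and console names are constructed sample data, and the end-of-support dates for Windows 2000 and Windows Server 2003 are Microsoft's published dates.

```python
"""Reconcile a discovery scan against management consoles and flag
end-of-life platforms.

Added example for this post. It is not Conventus, NorthStar, SOLVE or
Symantec code and uses none of their APIs. Every export, hostname, OS
label and console name below is constructed sample data.
"""
from datetime import date

# Microsoft's published end-of-extended-support dates for the two legacy
# platforms the post names.
END_OF_SUPPORT = {
    "Windows 2000": date(2010, 7, 13),
    "Windows Server 2003": date(2015, 7, 14),
}

# Date the sample report is run against (constructed).
AS_OF = date(2018, 1, 2)

# Constructed exports, one "hostname,os" record per line, in the shape a
# discovery tool or a console export might produce.
NETWORK_SCAN = """\
web01,Windows Server 2016
app03,Windows Server 2003
db-legacy,Windows 2000
file02,Windows Server 2012 R2
printsrv,Windows Server 2003
"""
AV_CONSOLE = """\
web01,Windows Server 2016
file02,Windows Server 2012 R2
app03,Windows Server 2003
oldlaptop,Windows 7
"""
PATCH_MGMT = """\
web01,Windows Server 2016
file02,Windows Server 2012 R2
"""


def parse_export(text):
    """Turn 'hostname,os' lines into {hostname: os}. Blank lines are skipped
    and hostnames are lower-cased so the sources can be joined."""
    assets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, os_name = line.partition(",")
        assets[host.strip().lower()] = os_name.strip()
    return assets


def days_past_support(os_name, today):
    """Days since the platform left extended support, or None if it is still
    supported or is not in the END_OF_SUPPORT table."""
    end = END_OF_SUPPORT.get(os_name)
    if end is None or today < end:
        return None
    return (today - end).days


def reconcile(discovered, managed, today):
    """Compare what discovery saw on the wire with what each console covers.

    discovered: {host: os} from the network scan
    managed:    {console_name: {host: os}}
    Returns (gaps, stale):
      gaps:  {host: {"os", "missing_from": [consoles], "eol_days": n or None}}
             for every discovered host that is unmanaged somewhere or EOL
      stale: {console_name: {hosts the console lists but discovery never saw}}
    """
    gaps = {}
    for host, os_name in discovered.items():
        missing = [name for name, hosts in managed.items() if host not in hosts]
        eol = days_past_support(os_name, today)
        if missing or eol is not None:
            gaps[host] = {"os": os_name, "missing_from": missing, "eol_days": eol}
    stale = {name: set(hosts) - set(discovered) for name, hosts in managed.items()}
    return gaps, {name: hosts for name, hosts in stale.items() if hosts}


def run_example():
    """Run the reconciliation over the constructed exports as of AS_OF."""
    managed = {
        "av_console": parse_export(AV_CONSOLE),
        "patch_mgmt": parse_export(PATCH_MGMT),
    }
    return reconcile(parse_export(NETWORK_SCAN), managed, AS_OF)


if __name__ == "__main__":
    gaps, stale = run_example()
    for host, info in sorted(gaps.items()):
        support = ("supported" if info["eol_days"] is None
                   else f"{info['eol_days']} days past end of support")
        missing = ", ".join(info["missing_from"]) or "none"
        print(f"{host:10} {info['os']:22} missing from: {missing}; {support}")
    for console, hosts in stale.items():
        print(f"{console}: lists {sorted(hosts)} but discovery did not see them")
```

Feed it real exports by replacing the constructed strings with the files your scanner and consoles produce; the join key is the lower-cased hostname, so normalize FQDNs first if one source emits them and another does not. A host in the stale set is as interesting as an unmanaged one: a console that still believes it covers a machine nobody can find on the network is a coverage figure that overstates reality.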

Failures and gaps in these practices are increasingly being found, and brutally punished, by the attack community. These practices remain essential to maintaining security within the organization, and failure to follow them rigorously is demonstrably resulting in high-profile, costly and disastrous consequences for the organizations involved, where strong adherence would have greatly reduced, if not eliminated, the incidents. The new year is a perfect time to resolve to follow healthy security practices, and if you are one of my clients, you can expect to hear me advocate for this wherever it is appropriate!
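The first supporting measure above, reviewing changes to a known system baseline and acting on them, is easier to reason about with the mechanics in front of you. The script below is an added example, not Symantec DCS code and not its policy format: it captures a baseline of file hashes, diffs a later snapshot against it, and then strips out changes that match an approved change record so that only unexplained drift reaches an analyst. The file trees, their contents and the approved-change entry are constructed in memory so it runs offline; snapshot_tree is included for use against a real directory.

```python
"""Capture a file baseline, detect drift, and separate approved changes from
events that need investigation.

Added example for this post. It is not Symantec DCS code and does not use
its policy format or APIs. The file trees, their contents and the approved
change record are constructed in memory so the script runs offline.
"""
import hashlib
import os


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_tree(root):
    """Hash every regular file under a real directory, keyed by relative path
    with '/' separators, so the baseline can be stored and re-checked."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = sha256_hex(fh.read())
    return baseline


def snapshot_mapping(files):
    """Same shape as snapshot_tree, for an in-memory {path: bytes} tree."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_baseline(baseline, current):
    """Classify every path as added, removed or modified relative to the
    baseline; unchanged paths are not reported."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def unexplained_changes(drift, current, approved):
    """Drop changes that match an approved change record (path -> expected
    hash, or None for an approved removal). What is left is an event of
    interest that someone has to look at."""
    events = []
    for path in drift["added"] + drift["modified"]:
        # An approved modification must land on exactly the approved content.
        if approved.get(path) != current[path]:
            events.append(path)
    for path in drift["removed"]:
        if approved.get(path, "not approved") is not None:
            events.append(path)
    return sorted(events)


# Constructed baseline and a later snapshot of the same host.
BASELINE_FILES = {
    "bin/app.exe": b"app build 1.0",
    "bin/helper.dll": b"helper build 1.0",
    "etc/app/config.ini": b"debug=0\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
}
CURRENT_FILES = {
    "bin/app.exe": b"app build 1.0",                    # unchanged
    "bin/svchosts.exe": b"unknown binary",               # added, unapproved
    "etc/app/config.ini": b"debug=1\n",                  # approved change
    "etc/hosts": b"127.0.0.1 localhost\n203.0.113.7 updates.example\n",  # unapproved
}
# Change control signed off on config.ini reaching exactly this content.
APPROVED = {"etc/app/config.ini": sha256_hex(b"debug=1\n")}


def run_example():
    """Diff the constructed snapshots and return (drift, unexplained events)."""
    baseline = snapshot_mapping(BASELINE_FILES)
    current = snapshot_mapping(CURRENT_FILES)
    drift = diff_baseline(baseline, current)
    return drift, unexplained_changes(drift, current, APPROVED)


if __name__ == "__main__":
    drift, events = run_example()
    for kind in ("added", "removed", "modified"):
        print(f"{kind:9}: {drift[kind]}")
    print("needs investigation:", events)
```

The approved-change record deliberately carries the expected hash rather than just the path: a change to config.ini that lands on any content other than the one change control signed off is still drift. On a real host the baseline should be stored off-box and the comparison scheduled, otherwise an attacker who owns the system can simply re-baseline it.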


Looking Forward: 2018 – New Year, New You


2017 was a year of challenges, milestones and evolution (both good and bad), and 2018 promises more of the same. As the attack community continues to evolve and refine its methods, and more aggressively attacks vulnerable targets in pursuit of payoff (either through direct monetization or indirect capitalization on their results), the security community has responded with ever-increasing and evolving capabilities to address them. The key linking element is the organizations and their security teams, who must be even more diligent and aggressive in employing the capabilities available to them and in following the best practices required of them, to ensure their organizations do not fall victim to the attack community.

Collectively, we can expect attack activity to follow the money and I will be paying attention to the following points of hostile interest:

  • Ransomware: This proved lucrative in 2017 for several groups and can be expected to continue to evolve and present a threat for as long as it remains so.
  • System rooting and ownership: Simple, direct compromise and ownership of a victim system (or several million of them) remains a concern. Historically, large networks of compromised systems have served criminal organizations and states in a variety of ways, from malware distribution to theft, targeted attacks and extortion. Due to current market conditions, this type of network now serves another purpose. With the value hovering around $14,000 per coin at the time of this writing, bitcoin mining (or theft) is a potentially lucrative activity that can appeal to many rogue organizations and states, and the proposition becomes even more appealing when it is done using systems (and power) that belong to someone else. I would not be surprised to see mass exploitation and network building undertaken with the express purpose of converting victims into bitcoin miners for the benefit of the attackers.
  • Data harvesting and mining: Data has value and continues to do so. Monetizing data through an unscrupulous third party carries a potentially lower risk than extortion or ransom (where an attack can succeed but there is no guarantee of converting that success to cash); stealing a valuable data set for sale to interested third parties remains a viable source of revenue in the coming year. It will be interesting to see what the attack community undertakes as the US mid-term elections near.

We can also expect security measures to continue to evolve, although it is absolutely VITAL that system administrators take the steps and adopt the practices necessary to properly leverage the capabilities at their disposal in order to adequately secure their organizations. 2018 represents a year of new resolutions:

  • We can resolve that this year marks the extinction of our legacy systems
  • We can resolve that our visibility improvement efforts will extend to cover the entire organization
  • We can resolve to adopt and follow healthy security practices
  • We can resolve to capitalize on the best capabilities available to us in our continued pursuit of protection


In 2018, we resolve to ensure our customers are a success and not a statistic. Happy New Year to all!