Here’s another idea I’ve been playing with.
As I spend more time playing with various cloud and infrastructure APIs, I’m starting to come around to the idea of Stateless Security. Here’s what I mean:
Right now a fair number of our security tools rely on their own internal databases to track state. For something like an IPS that isn't a problem (it looks at traffic as it passes), but plenty of other functions have to work from potentially stale data, because there are only so many times we can run active checks before pissing off the rest of the infrastructure. Take configuration and vulnerability management: we often lack even an accurate inventory of our assets, so we have to scan the heck out of the environment just to keep track of what exists.
But as both security tools and infrastructure expose APIs, we can use Software Defined Security to pull data, in real time, from the most canonical source available, rather than relying on database synchronization or external scanning.
Take the example I wrote up in my SecuritySquirrel proof of concept. We pull a real-time snapshot of running instances directly from the cloud, then correlate it with a real-time feed from our configuration management tool to quickly identify any unmanaged servers. I originally looked at building a simple database to track everything, but quickly realized I could handle it faster and more accurately in memory-resident code. Even 100,000 servers could easily be handled like this with the memory in your laptop (well, depending on the responsiveness and rate limits of the API calls, which are the real bottleneck).
The more I think about it, the more use cases I can see. We could pull data from various security tools and from the infrastructure itself and perform real-time assessments instead of replicating databases. It won't work everywhere, and maybe not even in the majority of cases, but as we add more API-enabled infrastructure and applications it seems to open a lot of doors. Using a software-defined network? Need to know the real-time route to a particular server and correlate it with the firewall rules that matter for a known vulnerability? With stateless security that is potentially a few dozen lines of code (or less), and it could run automatically any time a new vulnerability is detected or an advisory is released (just add your threat intelligence feed).
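As an added example (this is not code from the post or from SecuritySquirrel), here is a small Python script that does the reconciliation described in the last two paragraphs: it takes a live snapshot of cloud instances and the node list from a configuration management tool, finds servers that are running but unmanaged (and the reverse gap, CM records with no instance behind them), then correlates an advisory against package versions and security-group rules to list the instances that are both vulnerable and reachable from the Internet on the affected port. All inputs are constructed stand-ins for API responses; the field names, the group rules and the advisory are assumptions, and no real service is queried.

```python
"""Stateless reconciliation of live infrastructure snapshots (added example).

Every input below is a constructed stand-in for an API response; nothing
here is real infrastructure. The point is that the correlation happens
entirely in memory over the snapshots, with no database of our own.
"""
from ipaddress import ip_network

# Constructed stand-in for a cloud provider's "describe instances" response.
CLOUD_INSTANCES = [
    {"id": "i-0a1", "name": "web-1", "state": "running",
     "security_groups": ["sg-web"], "packages": {"openssl": "1.0.1"}},
    {"id": "i-0a2", "name": "web-2", "state": "running",
     "security_groups": ["sg-web"], "packages": {"openssl": "1.0.2"}},
    {"id": "i-0b1", "name": "db-1", "state": "running",
     "security_groups": ["sg-db"], "packages": {"openssl": "1.0.1"}},
    {"id": "i-0c1", "name": "batch-7", "state": "running",
     "security_groups": ["sg-web"], "packages": {"openssl": "1.0.1"}},
    {"id": "i-0d1", "name": "old-1", "state": "terminated",
     "security_groups": [], "packages": {}},
]

# Constructed stand-in for the configuration management tool's node list.
CM_NODES = {"web-1", "web-2", "db-1", "ghost-9"}

# Constructed stand-in for the security-group (firewall rule) API.
SECURITY_GROUPS = {
    "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"},
               {"port": 22, "cidr": "10.0.0.0/8"}],
    "sg-db": [{"port": 5432, "cidr": "10.0.0.0/8"}],
}

# Constructed, hypothetical advisory: affected package, first fixed version,
# and the port the vulnerable service listens on.
ADVISORY = {"package": "openssl", "fixed_in": "1.0.2", "port": 443}

# RFC 1918 ranges; a rule whose whole source range sits inside one of these
# is treated as internal-only.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def running(instances):
    """Only live instances matter; terminated ones are noise in the snapshot."""
    return [i for i in instances if i["state"] == "running"]


def find_unmanaged(instances, cm_nodes):
    """Running instances the CM tool has never heard of."""
    return sorted(i["name"] for i in running(instances)
                  if i["name"] not in cm_nodes)


def find_stale_cm_nodes(instances, cm_nodes):
    """CM records with no running instance behind them (the reverse gap)."""
    live = {i["name"] for i in running(instances)}
    return sorted(cm_nodes - live)


def version_tuple(v):
    """Dotted numeric version -> comparable tuple, e.g. '1.0.2' -> (1, 0, 2)."""
    return tuple(int(x) for x in v.split("."))


def is_vulnerable(instance, advisory):
    """True if the advisory's package is installed below the fixed version."""
    v = instance["packages"].get(advisory["package"])
    return v is not None and version_tuple(v) < version_tuple(advisory["fixed_in"])


def is_internal_source(cidr):
    """True if the entire source range lies within one RFC 1918 block."""
    net = ip_network(cidr)
    return any(net.network_address in n and net.broadcast_address in n
               for n in INTERNAL_NETS)


def is_internet_exposed(instance, groups, port):
    """True if any attached group allows `port` from a non-internal source."""
    return any(rule["port"] == port and not is_internal_source(rule["cidr"])
               for sg in instance["security_groups"]
               for rule in groups.get(sg, []))


def exposed_to_advisory(instances, groups, advisory):
    """Running instances that are both vulnerable and reachable on the port."""
    return sorted(i["name"] for i in running(instances)
                  if is_vulnerable(i, advisory)
                  and is_internet_exposed(i, groups, advisory["port"]))


if __name__ == "__main__":
    print("unmanaged:", find_unmanaged(CLOUD_INSTANCES, CM_NODES))
    print("stale CM nodes:", find_stale_cm_nodes(CLOUD_INSTANCES, CM_NODES))
    print("exposed:", exposed_to_advisory(CLOUD_INSTANCES, SECURITY_GROUPS, ADVISORY))
```

Nothing is persisted: the answer is recomputed from whatever the two APIs return at the moment the check runs, which is the whole point. The caveat is that the two snapshots are taken at slightly different instants, so an instance booted between the cloud call and the CM call can briefly look unmanaged; before paging anyone on that result, fetch both again and alert only if the gap persists.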
The core concept is this: wherever possible, pull state in real time from the most canonical source available instead of maintaining your own copy of it.
I’m curious what other people think about this idea.
3 Replies to “Research Scratchpad: Stateless Security”
I think we’re working our way in that direction, though not as explicitly as you define it. But while we’re still running security analytics against a set of data resources, we’re beginning to run those analytics against the data in real time, allowing us to keep the results rather than the data. So, as in your example for server management, we can keep a year of user activity as a profile rather than ten million discrete events, and alert on an outlier when it happens.
In the future it will be more stored analysis and less stored events, until we can ultimately see everything and store nothing.
Or something…
Michael
Great concept Rich!
I am a big believer in the Software Defined aspect of security. There are multiple reasons to do this:
1. The first time I encountered it was when folks were hitting the security ACL wall to bring up VMs and clouds. Everything up until the firewall can potentially be software defined by all the great tools out there already.
2. With APTs, when a customer gets a call from the FBI that they are under threat, what actions can they take? How do I stop leakage into the Internet?
For this you need control points, or valves that control the flow, sort of. One obvious one is your firewall, and another interesting one happens to be DNS, as it is fundamental in identifying Internet destinations. Those are two control points that Infoblox helps control. I won’t say much other than I really appreciate the concept, and it’s high time customers, and especially security admins, realize that life can be made easier. It’s OK to not suffer! 🙂