About a year ago, we created a security roadmap for the Assimilation Project. It’s time to update it and see how we’ve progressed since then – hence our Assimilation 2016 Security Roadmap.
The Assimilation Security software concentrates on low-noise automated security tools. We expect to enhance our capabilities in best practice analyses, checksum integrity analyses, patch tracking and management, and SIEM integration. This post talks about what we’ve accomplished in the last year, and lays out our plans in more detail.
Current Security Capabilities
Here are a few things we added since our last security roadmap in 2015.
Best Practice Analyses
We have implemented 70 of about 250 rules from the IT Best Practices project. Each of these rules is classified with low, medium or high priority. Each failed rule generates events and syslog messages. Both the events and the system log messages point to the detailed explanations on the IT Best Practices web site.
IT Best Practices web site
We have created the IT Best Practices web site, which gives the details of each rule.
Security Scoring and Triage
As part of our best practice analyses, we compute a risk score based on the status and importance of failed security rules. Currently low priority rules count for 1, medium for 2, and high for 3. These scores are supported by queries which compute the overall site score, the score for specific areas to work on, and the score for individual servers – creating tools which support managing security hardening over time, and finding the most effective ways to improve overall security.
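The scoring and triage queries described above, as an added example that is not Assimilation Project code. It uses the post's weights (low 1, medium 2, high 3) over a constructed list of failed rules; the server names, rule ids and "area" groupings are made up for the illustration.

```python
"""Risk scoring and triage over failed best-practice rules (added example)."""
from collections import defaultdict

# Weights from the post: low 1, medium 2, high 3.
PRIORITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}

# Constructed sample of failed rules: (server, area, rule id, priority).
# Rule ids and areas are hypothetical, not IT Best Practices identifiers.
FAILED_RULES = [
    ("web1", "ssh", "ssh-permit-root-login", "high"),
    ("web1", "filesystem", "tmp-not-noexec", "medium"),
    ("web2", "ssh", "ssh-permit-root-login", "high"),
    ("web2", "ssh", "ssh-protocol-1", "high"),
    ("db1", "filesystem", "world-writable-dir", "low"),
    ("db1", "logging", "no-remote-syslog", "medium"),
]

SERVER, AREA, RULE, PRIORITY = range(4)


def rule_weight(priority):
    """Map a rule priority to its score; reject anything outside the scale."""
    try:
        return PRIORITY_WEIGHT[priority]
    except KeyError:
        raise ValueError("unknown priority: %r" % (priority,))


def site_score(failed):
    """Overall site score: the sum of every failed rule's weight."""
    return sum(rule_weight(rec[PRIORITY]) for rec in failed)


def score_by(failed, field):
    """Aggregate the score by SERVER, AREA or RULE."""
    totals = defaultdict(int)
    for rec in failed:
        totals[rec[field]] += rule_weight(rec[PRIORITY])
    return dict(totals)


def triage(failed, field=AREA):
    """Rank groups highest-score first: where hardening effort pays off most.

    Ranking by RULE shows which single fix removes the most risk site-wide.
    """
    return sorted(score_by(failed, field).items(), key=lambda kv: (-kv[1], kv[0]))
```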
2016 Security Roadmap
The 2016 Assimilation roadmap includes the things we plan on doing to make our security capabilities even better in the future.
Best Practice Analyses
We will implement more of the IT Best Practices security rules; our goal is to implement all of them.
2016 Security Roadmap: File Integrity Analyses
Continuous monitoring of the integrity of sensitive files is an essential tool for any IT organization to have in its tool bag. It’s a part of everyone’s list of best practices and for many organizations is a regulatory mandate. In spite of being well-understood to be essential to detecting intruders, it is not implemented by many organizations. One of the causes for this is that many tools have to be told what files are important, yet they should not make a lot of noise about what’s not important. When attackers compromise systems, they most commonly install a new network application (which we detect as a new listening application), or modify an existing network application.
With Assimilation’s deep-dive discovery, we automatically detect which files are essential to network applications – even custom applications. Sensitive files are automatically monitored without human intervention or configuration. Because the files being monitored are directly related to network applications, they are exactly the kind of sensitive file whose integrity must be ensured, which eliminates noise in the results. Assimilation currently monitors file integrity, but does not create any alerts. This feature will create events for anomalous file contents. Three different approaches are being considered for this capability:
- Whitelisting – provide lists of file checksums for most standard vendor files.
- Blacklisting – provide lists of files with known security issues.
- Minority Reports – provide reports of files which have a small number of copies – candidates for future whitelisting or blacklisting.
Regardless of which of these approaches is implemented, it goes without saying that these file integrity issues will integrate into the risk scoring algorithms.
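The three approaches side by side, as an added example that is not Assimilation code. It runs over a constructed inventory of (host, path, checksum) observations, a constructed vendor whitelist and a constructed blacklist; the checksum strings are placeholders, not real digests, and the paths are illustrative.

```python
"""Whitelist, blacklist and minority-report events over file checksums."""
from collections import defaultdict, Counter

# Constructed vendor whitelist: path -> set of known-good checksums (placeholders).
WHITELIST = {
    "/usr/sbin/sshd": {"h_vendor_sshd"},
    "/usr/sbin/nginx": {"h_vendor_nginx"},
}
# Constructed blacklist: checksum -> description of the known-bad file.
BLACKLIST = {"h_known_bad_sshd": "constructed example of a known-bad sshd"}

# Constructed observations of network-application files across hosts.
OBSERVED = [
    ("web1", "/usr/sbin/sshd", "h_vendor_sshd"),
    ("web2", "/usr/sbin/sshd", "h_vendor_sshd"),
    ("web3", "/usr/sbin/sshd", "h_known_bad_sshd"),
    ("db1", "/usr/sbin/sshd", "h_vendor_sshd"),
    ("web1", "/usr/sbin/nginx", "h_vendor_nginx"),
    ("web2", "/usr/sbin/nginx", "h_vendor_nginx"),
    ("web3", "/usr/sbin/nginx", "h_unknown_nginx"),
    ("app1", "/opt/acme/bin/acmed", "h_custom_acmed"),  # custom app, no vendor list
    ("app2", "/opt/acme/bin/acmed", "h_custom_acmed"),
]


def integrity_events(observed, whitelist, blacklist, max_copies=1):
    """Return (kind, hosts, path, detail) events for the three approaches.

    A blacklist hit wins over a whitelist miss for the same file.  A minority
    report covers a checksum seen on at most max_copies hosts while the same
    path has a more common checksum, and only for checksums on neither list,
    since those are the candidates for future listing.
    """
    events = []
    per_path = defaultdict(Counter)  # path -> {checksum: number of hosts}
    for host, path, digest in observed:
        per_path[path][digest] += 1
        if digest in blacklist:
            events.append(("blacklist", host, path, blacklist[digest]))
        elif path in whitelist and digest not in whitelist[path]:
            events.append(("whitelist-miss", host, path, digest))
    for path, counts in per_path.items():
        majority = counts.most_common(1)[0][1]
        for digest, n in counts.items():
            listed = digest in blacklist or digest in whitelist.get(path, ())
            if not listed and n <= max_copies and n < majority:
                hosts = sorted(h for h, p, d in observed if p == path and d == digest)
                events.append(("minority", ",".join(hosts), path, digest))
    return events
```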
2016 Security Roadmap: Patch Tracking and Management
Because of the comprehensive nature of our discovery, Assimilation Security knows the version of every package installed on every machine in its domain. This feature will provide a service which our clients can connect to for a consolidated feed of security patch information from multiple vendors. Events will be generated indicating that a vulnerability has been patched. This will also integrate into our risk scoring algorithms. The result is that the risk scores of affected machines will go up when vulnerabilities are discovered, and go back down as they are patched.
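How an inventory of installed package versions can be matched against a consolidated feed so that risk rises with a new advisory and falls on patching, as an added example that is not Assimilation code. The hosts, packages, advisory ids and fixed versions are constructed placeholders, and versions are compared as dotted integer tuples, a simplification of real distribution version ordering.

```python
"""Patch tracking: open advisories, per-host risk and 'patched' events."""

# Constructed consolidated feed: advisory id -> (package, fixed version, priority).
FEED = {
    "VENDOR-A-EXAMPLE-0001": ("openssl", "1.0.2", "high"),
    "VENDOR-B-EXAMPLE-0042": ("bash", "4.3.30", "medium"),
}
# Constructed discovered inventory: host -> {package: installed version}.
INVENTORY = {
    "web1": {"openssl": "1.0.1", "bash": "4.3.30"},
    "web2": {"openssl": "1.0.2", "bash": "4.3.11"},
    "db1": {"openssl": "1.0.2", "bash": "4.3.30"},
}
PRIORITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


def parse_version(text):
    """Simplified comparison key: dotted integers only (assumption)."""
    return tuple(int(part) for part in text.split("."))


def open_advisories(inventory, feed):
    """Return {host: {advisory: priority}} for installed-but-unpatched packages."""
    result = {}
    for host, packages in inventory.items():
        result[host] = {}
        for advisory, (package, fixed, priority) in feed.items():
            installed = packages.get(package)
            if installed is not None and parse_version(installed) < parse_version(fixed):
                result[host][advisory] = priority
    return result


def host_risk(open_by_host):
    """Risk contributed by open advisories, using the post's 1/2/3 weights."""
    return {h: sum(PRIORITY_WEIGHT[p] for p in advs.values()) for h, advs in open_by_host.items()}


def patch_events(before, after):
    """('patched', host, advisory) for advisories open before and closed after."""
    return [("patched", host, adv) for host, advs in before.items()
            for adv in advs if adv not in after.get(host, {})]


def upgraded(inventory, host, package, version):
    """Copy of the inventory with one package upgraded (simulates rediscovery)."""
    new = {h: dict(p) for h, p in inventory.items()}
    new[host][package] = version
    return new
```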
2016 Security Roadmap: SIEM Integration
For some security organizations, what they most need for Assimilation to be useful within their existing processes is rich integration with their chosen Security Information and Event Management (SIEM) tool. SIEMs aspire to give their users a “single pane of glass” view of their enterprise security. The SIEM products we’re currently considering for this role are QRadar (IBM), ArcSight (HP), Splunk and LogRhythm. This feature will enable our customers to get instant visibility of all the security issues uncovered by the Assimilation Suite in a drama-free fashion – before auditors or attackers find the issues.