Wednesday, March 6, 2019

NSA open sourced a powerful software reverse engineering tool, Ghidra

WIRED: The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open Source. https://www.wired.com/story/nsa-ghidra-open-source-tool

Tuesday, March 5, 2019

How do you start on the path of Digital Transformation?

What is Digital Transformation?

Most of the definitions I've found are grandiose, vague and elusive at best. From an implementation perspective, the definition is, IMO, very simple:

Find better ways to use available technology.

I realize that's still pretty vague, but I have some concrete details and examples to show you how you can start addressing this challenge.

How do I start?

The best way we've found to help companies start down the path of Digital Transformation is to create a list of questions that need to be answered. Specifically, we've expanded the definition above to:

Find better ways to use available technology to provide answers to our daily/weekly/monthly questions.

Once we have at least one question that we want to answer, we can identify information or technology gaps in our current environment. For example, an extremely common question among companies is:

How many servers do we own and what is the status of each?

We've found that this seemingly simple question can cause fistfights to break out in a meeting. That's because multiple different departments have different answers, and the true answer has been an elusive quest for a number of years. The goal is to identify the data required to answer the question and the location(s) of that data if available. For example, you may have the beginning of an answer that looks like this:

For the development servers, Jim R. has a manually updated spreadsheet at location XXXX on Sharepoint. 
For the engineering servers, Nancy P. has a homegrown database that only she has access to.
For the website, we think Ashok V. has a spreadsheet that may or may not be up-to-date.

Notice that we don't actually have an answer at all, but we're identifying areas of interest that may get us the information we need. This exercise shows areas where improvement is needed. In this case, it should be apparent that some type of asset discovery and management system is needed to enable us to get a valid answer to the question. What we normally find is that the customer actually owns one (or several) tools that can provide the required function, but no one in the meeting knows about these tools. This usually leads to another question similar to:

What software do we currently own and what are the capabilities of each title?

And you have to go through the same process as above with this question. I guarantee that it will be frustrating for everyone involved, but this is the process that is absolutely required. 

Further along in the process, as new systems are introduced, the owners of those systems need to be aware of the questions that the system will need to provide answers for so that they can be architected appropriately. For example, any new online system needs to be able to provide data that can answer the following questions:

How many users are actively using the system?
How many failed transactions have occurred in the past (hour/day/week) and which users were affected?
Is the system working properly at this moment and is it accessible to all of my users?

There are literally thousands of other questions that you may have, and part of Digital Transformation is identifying those questions so that the answers can be obtained quickly. And this is where another version of my original definition comes in handy:

Find better ways to use available technology to save time.

You can come up with tons of different reasons to use technology more wisely, and they are all perfectly valid reasons for you to continuously work on your Digital Transformation.

Customizing bash command line completion

What am I talking about?

In the bash shell on Linux, you can type a character or two then hit the TAB key to get a list of the commands that start with those characters. You can do the same to complete the name of a file you're trying to edit or directory you're trying to change to. It turns out that you can customize this command line completion behavior by installing the "bash-completion" package. This package is often installed by default and has been available for several years.

What can you do with bash-completion?

You can have the TAB key complete command arguments for you. For example, the 'curl' command has tons of arguments. You can customize bash to auto-complete the parameters for you. You just need to create a specifically coded file named 'curl' in the /etc/bash_completion.d folder. Here's a great tutorial on creating these command completion scripts:


Even more helpful, here is a ton of them that have already been created:


If you've got a command with tons of options, you can use this to make it easier for you or your users to successfully create a working command.

Tuesday, February 26, 2019

You Probably Don't Need Blockchain

Here's a great article detailing some popular blockchain use cases and how they can be subverted:

https://blog.smartdec.net/you-do-not-need-blockchain-eight-popular-use-cases-and-why-they-do-not-work-f2ecc6cc2129

While reading it, note that there are often other (simpler, cheaper, more mature, more widely known) technologies out there that can solve the problems you're trying to solve.

One big example is the combination of digital signatures with an immutable data store . This captures the identities of the participants, the information provided by the participants and the timestamps of all entries.

Blockchain does have some valid use cases (e.g. cryptocurrency management), but it certainly shouldn't be seen as the best way to solve existing problems.

Tuesday, February 5, 2019

A great video on deploying and operating Kubernetes at scale

Here's a video from Chick-Fil-A's IT team describing exactly how they use Kubernetes clusters at the edge (in each restaurant). The problems and their solutions are really intriguing.

https://www.youtube.com/watch?v=8edDcy3oeUo


Wednesday, January 16, 2019

Improving the QRadar to ServiceNow integration by adding QRadar event payloads to ServiceNow incident

Using the standard configuration for the QRadar/ServiceNow integration gives you some great capabilities, but some of our customers have asked for more information in the generated ServiceNow incidents. Specifically, they've asked to have the payloads from the events associated with the offense to be added to the Description of the incident in ServiceNow. This provides extensive details about the events that triggered the offense in one pane of glass so the SOC engineer doesn't have to separately open QRadar to get this information.

This can be accomplished my making some configuration changes in both QRadar and ServiceNow. I'll provide the overview here. If you would like more details, please contact me.

1. Add the offense start time to the incident description in the mapping within QRadar.
2. Create a ServiceNow business rule to parse the offense id and start time from the description whenever a new incident is created from QRadar.
3. In that same business rule, use the offense id, start time and a stop time (equal to start time +1) to submit an Ariel query to QRadar via REST to have the query run.
4. In that same business rule, parse the results of the previous REST call to get the results id, then make a second REST call to obtain the actual results, which will be the payloads of the events that caused the offense (and resulting incident) to be created.

The solution doesn't tax either system very much at all and makes life easier for the security engineer researching the issue.