Frequently asked questions

What are some of the common cyber threats faced by today’s enterprises?

We think Chief Security Officers are staying up all night thinking about the following:

  1. Brand reputation. Preventing the company name from appearing in the news for a data breach (PII, etc.).
  2. DDoS (Distributed Denial-of-Service attack). If our online services are compromised and our customers cannot use them, the company is losing money every minute the DDoS is on.
  3. Ransomware. If my network is locked down by ransomware, my employees cannot do their daily jobs.
  4. Intellectual Property (IP) protection. I don't want my competitors to get access to my IP.
  5. Internal threat. All my systems should be locked down; unauthorized employees should not have access to servers/services they are not entitled to (e.g. HR, Payroll).

Where do most of the threats come from?

Malware can come from many sources, but ultimately it enters through a vulnerability in one of the software packages running on the local machine (browser, email client, custom software, etc.). It is therefore imperative that an enterprise install patches for known vulnerabilities judiciously and in a timely manner.

How do most companies currently find and patch vulnerabilities, given that a company may have hundreds of software packages running on thousands of machines?

Most companies currently run vulnerability scanner tools on their networks about once or twice a month. The scanner may find vulnerabilities, but it does little to help pinpoint the exact version or software update needed to neutralize the threat.

The scan itself is expensive in terms of time and resources. Once the scan result is received, a CVE is associated with an IP address. It is important to note that if you re-run the scan, the same machine can have a different IP address (very common for desktops), so you end up with the same vulnerabilities on two "different" machines that you need to remediate; a lot of energy and effort is lost to these duplicate IPs. Today most security teams are under water because of the number of vulnerabilities they receive and the lack of prioritization.

Once a vulnerability is identified, the team needs to understand which product or configuration is the root cause of the issue. The same CVE can be caused by 10-100 different software packages or versions, and this is manual research, since the security tools do not provide the exact software and version that causes the vulnerability. Once done, they pass the list of machines/software to patch to the system administrators, who work on packaging and deploying the latest patch or configuration for the vulnerable software.

Two to four weeks later, when the next scan is performed, the security team reviews and verifies whether the previous vulnerabilities were correctly patched. Very often there is no definitive determination of the vulnerability's status between the two scans.

In addition to the above, security teams receive in their daily/weekly mailbox a list of hundreds or thousands of new vulnerabilities that they need to assess to understand whether they have to worry about or take action on them.

So how does FatStacks help?

FatStacks has developed a cloud-based software called sTRMS (Secured Real Time Matching Services). sTRMS utilizes existing databases of installed software (Microsoft SCCM, ServiceNow Discovery, Splunk, Amazon SSM, ...) and cross-references them against the National Vulnerability Database (NVD). The advantage of sTRMS is that it can be run on a daily (or even continuous) basis. It can quickly generate a heatmap based on the severity of the vulnerabilities involved, covering over 90% of the software assets involved. IT personnel can then prioritize their time, use the information provided by sTRMS (including the patch version number), and neutralize the riskiest vulnerabilities.

So instead of waiting 2 to 4 weeks between scans, sTRMS provides almost instantaneous visibility on over 90% of the vulnerabilities.
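The matching step described above, as an added illustration that is not FatStacks' own sTRMS code: a host-keyed software inventory (so a desktop that changes IP address is not counted twice, the duplicate problem described earlier) is cross-referenced against NVD-style records by version range, and the findings are ranked by CVSS with the fix version attached. The product names, versions and CVE ids are constructed placeholders.

```python
"""Added example: cross-reference a host software inventory against NVD-style
CVE records by version range, then rank findings by severity. Illustrative
code, not FatStacks' sTRMS; all names, versions and CVE ids are constructed."""
from collections import Counter

# Inventory keyed by a stable host id, not an IP, so a host whose DHCP
# address changes between runs is not reported twice.
INVENTORY = [  # (host_id, product, installed_version), constructed
    ("host-a1", "examplecorp:browser", "71.0.3578"),
    ("host-a1", "examplecorp:mailclient", "16.0.4"),
    ("host-b2", "examplecorp:browser", "72.0.3626"),
    ("host-b2", "examplecorp:mailclient", "15.9"),
]
# NVD-style records: vulnerable when introduced <= version < fixed_in.
CVES = [  # placeholder ids, constructed for this example
    {"id": "CVE-0000-0001", "product": "examplecorp:browser",
     "introduced": "0", "fixed_in": "72.0.3626", "cvss": 9.8},
    {"id": "CVE-0000-0002", "product": "examplecorp:mailclient",
     "introduced": "16.0", "fixed_in": "16.0.5", "cvss": 5.3},
]

def parse_version(v):
    """Dotted numeric version -> tuple, so 16.0.10 sorts after 16.0.9."""
    return tuple(int(p) for p in v.split("."))

def severity(cvss):
    """CVSS v3 qualitative bands used for the heatmap."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

def match(inventory=INVENTORY, cves=CVES):
    """Findings sorted highest CVSS first, each naming the version that fixes it."""
    findings = []
    for host, product, ver in inventory:
        v = parse_version(ver)
        for c in cves:
            if c["product"] == product and \
               parse_version(c["introduced"]) <= v < parse_version(c["fixed_in"]):
                findings.append({"host": host, "product": product, "version": ver,
                                 "cve": c["id"], "fixed_in": c["fixed_in"],
                                 "cvss": c["cvss"], "severity": severity(c["cvss"])})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

def heatmap(findings):
    """Count of findings per severity band: the prioritisation view."""
    return dict(Counter(f["severity"] for f in findings))
```

Running `match()` on the constructed data reports only host-a1, with the critical browser finding first and the version to upgrade to beside it; host-b2's mailclient is below the introduced version and is correctly left out.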

How critical is “just a few days”?

The WannaCry ransomware exploited a well-known issue that was 3 months old and had an available patch. The problem came from operations teams that didn't patch Windows systems on time. There is often a disconnect in the enterprise world between the list of known issues, the available patches, and the urgency of the vulnerabilities. In addition, most Microsoft patches are deployed once a month ("Patch Tuesday") in a semi-automatic way: once a patch is approved, it is automatically applied using tools like SCCM. However, very often in enterprises today the team doing the actual patch application is not a security team and therefore may not understand the critical nature of the work at hand. Often there are lists of patches to deploy, and if one specific patch is not deployed for some reason (not approved, or out of time), it is done in the following months. Very often these staff members have no way to control or understand the risk/urgency of patch 1 vs. patch 2. Usually the control is done by the security team during the next scan window (on average once or twice a month, depending on the company). Running a scan tool is usually expensive in terms of time and resources.

On the other hand, if FatStacks software were used, a vulnerability assessment could be run every day, allowing the CISO to see the severity of the threat as well as which versions to update, and on which machines.

What is a vulnerability in the cloud? How does FatStacks handle container-based software?

Vulnerabilities in the cloud are even more problematic than on-premise vulnerabilities. For on-premise facilities, at least the customers are able to control the physical facility, and connections with the outside world are managed at the firewall appliance level. In case of emergency, all systems can be disconnected from the outside world in minutes. In the cloud, customers are responsible for managing and protecting all communications at the application, guest OS, and network layers; this includes vulnerability and patch management. Protection of the host OS and the physical facility is the responsibility of the cloud provider. As seen in the recent data breach, any cloud vulnerability can lead to an expensive and unfortunate series of events, since the devices are widely accessible to everyone when such an event occurs.

Regarding container-based software, it all depends on the technology used (Docker, Pivotal, etc.), but as for traditional computing systems, FatStacks doesn't directly interact with the system but instead relies on information generated or collected by third-party tools. So as long as information about the running software is available, FatStacks is able to identify its vulnerabilities.

Exactly how does FatStacks do this quickly?

FatStacks is built using the latest open-source big data technologies. Using microservices and containers to scale horizontally, it doesn't matter whether you have 1,000 or 1,000,000 devices: the speed of identification will be similar, since in the back end a number of containers are spun up and down driven by demand.

In comparison, existing systems are built on a traditional stack (a single RDBMS) that can only scale vertically. 50,000,000 records seems like a lot for traditional systems, but it is not at all a difficult task for big data.

How does a company install sTRMS from FatStacks? Where does it run?

FatStacks is a cloud solution running on top of Microsoft Azure. For cloud discovery tools such as Splunk, Amazon SSM, and ServiceNow Discovery, the customer only needs to provide API access to FatStacks, and vulnerabilities will be identified as soon as the first byte of information is received from one of these systems.

For legacy on-premise discovery systems such as Microsoft SCCM, a small Connect.exe is installed behind the customer firewall. Connect.exe requires read-only access to the discovery source database, and the data is automatically streamed to FatStacks.

What other security software is FatStacks working on?

We are working with healthcare providers to extend our solution to medical devices. The interesting aspect of medical device security is that scanner tools do not work well, because these devices do not interact with other software, for safety reasons. Agent software is also not installed on those devices, because once a device is approved by the FDA, nothing else can be added to it. The only option is to use data generated by either the device itself or its network traffic, which is a perfect fit for FatStacks software.

In addition, beyond cyber security, another area where FatStacks software is applied is Software Asset Management, where our solution provides a catalog of installed software.