Monitoring and security: more than a technology, a philosophy

Confidentiality, integrity and availability are the three basic laws of security. Availability is the wayward son of the three, remembered only when it suits, if only to write eulogies with it when the systems go down; the truth is that it is the most neglected of the three, and perhaps that is why monitoring has come to be approached more in terms of what may come from outside than of what is inside.

In monitoring the same thing happens, but the other way around: availability receives all the attention, the indisputable key element of any system, master of a universe of colour-coded data. You only have to look at the screen of any monitoring system, as universal as the traffic-light colour code of any country, regardless of whether you drive on the left or the right: red, green and yellow, graphs read from left to right, and a myriad of concepts that, allowing for differences, are shared by all vendors.

Monitoring and security often live together in the same home, sometimes even sharing a room, but rarely sharing objectives. Sometimes they are even combined into impossibly complex artifacts, like a tower of Babel. Their emergencies are different: monitoring, deep down, always works on a scale of minutes; you need information almost in real time, all the more now that everyone is talking about AIOps. As if in security they had not been trying for years to get Big Data and AI to magically correlate those events. It is not easy, because real attacks circumvent logic built from rules and data; in fact, the attacks that do the most damage always look for an unexpected and innovative factor, hard to foresee and impossible to predict from previous data because, of course, it has never been done that way before.

The security market is much more dynamic than the monitoring market, and much more exciting. When writing a headline it is always more interesting to talk about hackers than about systems that fail, because those simply die of old age or of genetic defects. That is why it is more spectacular when the two worlds collide, as happened this week with Solarwinds, one of the world's best-known monitoring products. It suffered an attack, one of those that are hard to foresee, so hard that for more than a year the attacker was inside, at the heart of its software, embedded in its code and silently distributed to thousands of customers. The impact has been such that the US government itself has issued a federal order of an almost unprecedented kind, so that all public companies that use Solarwinds immediately disconnect their systems from the network.

Solarwinds is used by the majority of US public companies and by educational, state, federal and municipal agencies, because it has an extremely aggressive government pricing strategy.

The impact of such a story on the industry will take time to emerge, as its implications are far-reaching. A sophisticated attack can paralyse an entire organization for weeks until it returns to something like normality. It involves a huge effort against the clock by staff dedicated exclusively to shutting down, checking and reinstalling hundreds of thousands of computers currently in production. The cost of this security incident runs into millions. And that is without forgetting the blow to corporate reputation: these days the media and social networks echo the news instantly, and the collapse of brand value is another extremely serious kind of damage, one of those that arrives fastest.

Many organizations will begin to think seriously about the importance of monitoring and to appreciate the fact that monitoring extends its tentacles across every asset in an organization. The perfect moment to explain why Pandora FMS's original image was an octopus.

A monitoring platform must take security very seriously, given the great responsibility it carries, since it is deployed at every level.

A secure design is a must for serious monitoring platforms, from the ground up, and the entire architecture should reflect it. As the author of Pandora FMS, I am aware of this, because Pandora FMS was born from my experience working in one of the largest banks in Spain. For years I saw the difficulty of implementing all-encompassing monitoring, due to the bank's rightly strict compartmentalization policies, where by design communication between certain areas was impossible, so I set about devising a way for the elements of that architecture to be accessible yet secure by design.

In our communication architecture the agent is inaccessible from outside, and once correctly configured it can be locked into read-only mode, so that it cannot be accessed. We have had vulnerabilities reported, and I am sure they will not be the last; that is inevitable, but it is something we have always handled effectively and without repercussions for our customers.

I have to say that if a foreign organization wanted to attack our code repositories it would succeed; after all, we are not a publicly traded company and our resources are smaller than those of Solarwinds. But maybe because of that, and just maybe, if someone put someone else's code in our repository we would notice, because I would look up from my monitor and ask: Ramón, who the hell has put a back door on the server?

It is true that recent history has other cases of back doors, but not in software that, by design, has privileged access to every corner of an organization.

What lesson should we learn from the Solarwinds case?

That large organizations take longer to respond; that sometimes big does not mean better; and that from now on security should be a factor to take into account in certain types of solutions that are deployed massively across the organization.

Security is not a technology, it is a way of thinking and acting.

Sometimes we think that by buying products we will be more secure, but no: it is about doing things differently. Pandora FMS has always been aware of this, and it can be seen in our security architecture guide, in our guide to GDPR compliance (which is also valid for regulations such as PCI DSS) and, of course, in the fact that as a company we are ISO 27001 certified.

We don’t boast about it, but we are also one of the few commercial software vendors with a public vulnerability communication program.

We live in an uncertain world, and monitoring should try to make sure that, whatever happens, we will always be informed; that is why security for monitoring is the basis of everything.