HPE ArcSight code analyzed by Russia
What revelations does this bring and what you should do about it.
ALBUQUERQUE, NM. – October 3, 2017 – Yesterday
Reuters published a special report titled “HP Enterprise let Russia
scrutinize cyberdefense system used by the Pentagon.” The synopsis is
that for a software company to sell products to the Russian government,
it must be certified by the Federal Services for Technical and Export
Control (FSTEC of Russia) and HPE had an “independent” third-party firm,
Echelon, with known ties to the Russian Government, evaluate ArcSight
source code for vulnerabilities to insure the code was safe for Russian
Over the last 24 hours we have received a lot of inquiries from clients as to what this means to their implementation of their SIEM and what measures if any they should take because of this information.
I want to start by stating that
this is absolutely normal within the software industry. Governments
around the globe typically require an independent third-party validation
to insure no backdoors or other vulnerabilities exist within software
that the government is considering purchasing and implementing. In fact,
when I looked at the list of certified products for the FSTEC of
Russia, I saw more than 990 products from manufacturers like Cisco,
Juniper, IBM (Including QRadar), Microsoft, SAP, Safenet, Checkpoint,
Citrix, Fortinet, ESET, Kaspersky, Oracle, Blue Coat, Huawei and Safenet
Humans are flawed beings and coders make flawed code (or in some cases purposely flawed code). That said, there are several measures that you should take to insure the Commercial off the shelf (COTS) applications you purchase and deploy are not as vulnerable as they could be otherwise.
1. Change the default password to the application. Seems obvious but even in today’s world, the number of default passwords that exist is mind boggling.
2. Evaluate the ports and protocols in use. If the port/protocol is not necessary to function, then don’t leave it enabled. If you don’t have a choice what ports are enabled or in-use, then try to block/allow/restrict them at a host based or network level.
3. Harden the operating system supporting the application. Make sure it is patched quickly and configured to your specific requirements for security efficacy.
4. Run the application with the minimum privileges necessary. In other words, don’t run the application as root unless absolutely necessary.
5. Monitor those applications/users as you would your network traffic and servers. Check for unusual behavior, patterns or activity.
6. Apply application patches as quickly as possible. Again, humans make mistakes and patches are needed to insure security vulnerabilities are not exploited.
7. Think like your adversary. Understand what data a system contains and who might find value in it and how it could be exploited. Once you think that way, put countermeasures/defensive measures in place to thwart that attack vector.
In the medieval times, we had castles and moats. Today, we have iPhones and cloud applications. The attack surface is larger and the opportunity to exploit these systems is greater than ever. The above simple activities can go a long way to making your systems and applications more resilient.
While the media can get caught up in the drama of international politics, this has been normal industry behavior for as long as I can remember.
If you have any questions on what activities you can take to improve your SIEM infrastructure, please don’t hesitate to reach out to us. We would be happy to help.
About ThetaPoint, Inc.
ThetaPoint is a leading provider of strategic consulting and managed security services. We help clients plan, build and run successful SIEM and Log Management platforms and work with the leading technology providers to properly align capabilities to clients needs. Recognized for our unique technical experience, in addition to our ability to quickly and rapidly solve complex customer challenges, ThetaPoint partners with some of the largest and most demanding clients in the commercial and public sector. For more information, visit www.theta-point.com or follow us on Twitter or Linked-In.