A community driven security stack

Atalaya Sec
3 min read · Oct 30, 2017


In the 90s, when I began rambling around the world of information security, everything was community driven and open source software was the default option when looking for a tool to solve a security problem. Then the big bucks came, and with them many commercial solutions, which quickly took over the scene. Slowly but mercilessly, cyber security became one of the fastest growing sectors in IT. Funnily enough, as the cyber security ecosystem evolved, solutions became more expensive and more vertical, all while larger and larger companies kept getting breached.

Nowadays, a decent security posture is expected to include well-tuned endpoint protection, next generation firewalls and sandboxing, all integrated with threat intelligence feeds.

While companies keep spending like crazy on whatever is on offer, rushing to complete checklists and follow standards backed by neither theoretical foundations nor empirical evidence, only a few of them really take care of the fundamental questions: why and how would somebody attack you, what is the actual objective of your information security program, both strategic and tactical, and, most important, how does the cyber security problem relate to your business.

In an attempt to help the community lead again in the threat prevention area, we started The Security Stack project. As the first step of this journey we are developing a "point and click" tool to apply policy to network traffic, integrated with a sandbox solution to inspect executables and capable of looking into SSL/TLS traffic. Since malware is quickly adopting SSL/TLS for its communications, a method is needed for intercepting the encrypted traffic that originates within the protected network. This has been achieved by embedding the well-known and battle-tested Squid proxy in the Stack and letting the user add a custom CA certificate, with which Squid mints a certificate for every intercepted site. The disadvantage is that every client must be configured to trust this CA, and that applications which pin their server certificate will stop working unless their destinations are excluded from interception. The upside is that detection rates, and trust in the obtained data, increase greatly, especially since empirical testing has shown that many applications now refuse to talk to their cloud servers or APIs without a valid SSL/TLS connection.
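The interception described above, as an added example of the Squid configuration involved. This is not the Security Stack's own configuration: the port, the file paths and the `.bank.example` exclusion are assumptions for illustration.

```conf
# Squid SSL-bump interception (assumed layout; adjust paths to your build).
# The CA in /etc/squid/ca.pem must be imported into every client's trust store.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ca.pem key=/etc/squid/ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints a per-site leaf certificate signed by the CA above.
# Initialise its store once: security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
# (Squid 3.5 ships the equivalent helper under the name ssl_crtd.)
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1: read the ClientHello (SNI) without decrypting, so the exclusion
# list below can match on the requested server name.
acl step1 at_step SslBump1
acl nobump ssl::server_name .bank.example

ssl_bump peek step1
ssl_bump splice nobump   # pinned or privacy-sensitive sites: pass through untouched
ssl_bump bump all        # everything else: decrypt, inspect, re-encrypt
```

Traffic reaches port 3129 through a redirect rule for port 443 on the gateway. The `nobump` list is where applications that pin their server certificate go; without that exclusion they simply fail to connect once interception is on, which is the practical cost of the custom-CA approach described above.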

In order to understand what is happening on the network, decide which traffic and events can be considered harmful or malicious, and take appropriate action, any solution must provide a strong logging facility. The Stack features configurable logging that stores every block/allow decision for any suspicious URL or file that transits the target network. In the short term this is required for threat and attack detection; in the long term it supports post-mortem or forensic examination of a possible security breach. Future development of the tool will include remote logging and configurable event types to log, while encrypted log storage is being considered, mainly for compliance reasons. Remote logging also matters for integrity: a log kept only on the gateway can be altered by whoever compromises it.
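The short-term detection use of such a log, as an added example that is not the Security Stack's own code: it parses allow/block decision lines and flags clients that keep hitting blocks in a short span, which usually means an infected machine retrying rather than a user clicking one wrong link. The line format is an assumption, not the Stack's real format, and the sample lines are constructed.

```python
"""Parse allow/block decision logs and flag clients that keep hitting blocks.

Added example (not the Security Stack's own code). The line format below is
an assumption for illustration, and the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed decision-log format, one event per line:
# <ISO 8601 UTC timestamp> <allow|block> client=<ip> url=<url> reason=<text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|block) client=(?P<client>\S+) "
    r"url=(?P<url>\S+) reason=(?P<reason>\S+)$"
)

# Constructed sample log: one client trips three blocks in under three minutes,
# another trips one, and one line is corrupt and must not abort parsing.
SAMPLE_LOG = """\
2017-10-30T10:00:01Z allow client=10.0.0.5 url=https://example.com/ reason=clean
2017-10-30T10:00:07Z block client=10.0.0.5 url=http://bad.example/inv.exe reason=sandbox:malicious
2017-10-30T10:01:12Z block client=10.0.0.5 url=http://bad.example/inv2.exe reason=sandbox:malicious
2017-10-30T10:02:40Z block client=10.0.0.5 url=https://c2.example/gate.php reason=url:blocklist
<<corrupt line: parser must skip this>>
2017-10-30T11:30:00Z block client=10.0.0.9 url=http://other.example/x.exe reason=sandbox:malicious
2017-10-30T11:45:00Z allow client=10.0.0.9 url=https://example.org/ reason=clean
"""


def parse_log(text):
    """Return (events, skipped): parsed events and the count of unparsable lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # never let one bad line stop forensic processing
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, skipped


def summarize(events):
    """Count decisions by action, e.g. {'allow': 2, 'block': 4}."""
    return dict(Counter(ev["action"] for ev in events))


def flag_repeat_offenders(events, threshold=3, window=timedelta(minutes=5)):
    """Clients with at least `threshold` blocks inside any `window`-long span.

    Returns {client: max blocks seen in one window}.
    """
    blocks = defaultdict(list)
    for ev in events:
        if ev["action"] == "block":
            blocks[ev["client"]].append(ev["ts"])
    flagged = {}
    for client, times in blocks.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(summarize(evs), "skipped:", bad)
    print("repeat offenders:", flag_repeat_offenders(evs))
```

The threshold and window are the knobs to tune per network; the point of the sliding window is that three blocks spread over a week are noise, while three within a few minutes from one host deserve a look at that host.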

Many attack vectors rely on malicious URLs injecting JavaScript or other code into the user's browser, but executable files masquerading as legitimate ones are still being manually downloaded by users from their webmail. In order to provide some degree of protection on this front the Stack features an integration with a well-known security sandbox, which intercepts, executes in an isolated environment and analyses any suspicious file requested in the target network, allowing the administrator to define action policies: only logging the suspicious URL or file, or blocking the request altogether.
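The log-or-block policy described above, as an added example that is not the Security Stack's own code. It detects executables by content as well as by name, so a PE file attached as "invoice.pdf" is still submitted, and it makes the administrator choose what happens while the sandbox has not finished (fail closed or fail open). The verdict scale, the policy fields and the sample file bytes are assumptions for illustration.

```python
"""Sandbox-verdict policy: decide allow/block for a downloaded file.

Added example (not the Security Stack's own code). The verdict scale, the
policy fields and the sample bytes are assumptions for illustration.
"""
from dataclasses import dataclass

# Extensions that go to the sandbox even when the content sniff is inconclusive
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".msi", ".js", ".vbs", ".ps1", ".jar")


def looks_executable(filename, head):
    """True if the name or the leading bytes identify a Windows executable or script.

    The content check catches "invoice.pdf" that is really a PE file: every
    PE image starts with the DOS stub signature 'MZ', whatever its name.
    """
    name = filename.lower()
    return name.endswith(EXEC_EXTENSIONS) or head[:2] == b"MZ"


@dataclass
class Policy:
    mode: str = "block"        # "log": record verdicts only; "block": also deny malicious files
    malicious_score: int = 7   # assumed sandbox score (0..10) at or above which a file is malicious
    on_pending: str = "block"  # while analysis is unfinished: "block" (fail closed) or "allow"


@dataclass
class Verdict:
    status: str                # "completed", "pending" or "error" (assumed sandbox states)
    score: int = 0             # meaningful only when status == "completed"


def decide(url, filename, head, verdict, policy):
    """Return (action, log_entry) for one download.

    `head` is the first bytes of the file as seen by the proxy. Files that are
    not executable are never submitted and pass straight through.
    """
    entry = {"url": url, "file": filename}
    if not looks_executable(filename, head):
        entry["reason"] = "not-executable"
        return "allow", entry
    if verdict.status != "completed":
        # Analysis still running or the sandbox failed: apply the fail-open/closed choice
        entry["reason"] = "sandbox:" + verdict.status
        return policy.on_pending, entry
    malicious = verdict.score >= policy.malicious_score
    entry["reason"] = "sandbox:malicious" if malicious else "sandbox:clean"
    if malicious and policy.mode == "block":
        return "block", entry
    return "allow", entry     # clean, or the policy is log-only


def format_log_line(ts, client, action, entry):
    """Render a decision as one log line (assumed format)."""
    return "{} {} client={} url={} reason={}".format(
        ts, action, client, entry["url"], entry["reason"])


if __name__ == "__main__":
    # Constructed sample: a PE file masquerading as a PDF attachment from webmail
    pe_head = b"MZ\x90\x00\x03\x00\x00\x00"
    url = "https://mail.example/att/invoice.pdf"
    action, entry = decide(url, "invoice.pdf", pe_head, Verdict("completed", 9), Policy())
    print(format_log_line("2017-10-30T10:00:07Z", "10.0.0.5", action, entry))
    action, entry = decide(url, "invoice.pdf", pe_head, Verdict("pending"), Policy(on_pending="allow"))
    print(format_log_line("2017-10-30T10:00:09Z", "10.0.0.5", action, entry))
```

In log-only mode the malicious verdict is still written to the log, so the administrator can run in that mode first to measure false positives before switching to blocking. The `on_pending` choice is the one most often left implicit in such tools: a sandbox run takes minutes, and whether the user gets the file meanwhile is a policy decision, not a detail.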

The Security Stack endeavours to provide a free-as-in-freedom solution for all those organizations that cannot or do not want to spend the time, resources and trust required to test and evaluate common proprietary solutions, which do not necessarily deliver a cost-effective, customizable and completely inspectable product. The Security Stack is far from feature-complete or fully stable, but it aims to be an interesting step in a different direction.

Check out The Security Stack main page.
