Due to the times we’re living in, we’re all familiar with the word quarantine. But how is this applicable to non-compliant devices and when should we consider applying a quarantine to our devices? Watch to find out more!
Alex:
Hey again for DEM IN 20, Episode 6, are non-compliant devices dangerous? I'm joined by my co-host, Michael. How are you doing?
Michael:
Hey, I'm doing well. I know two weeks just flies by so looking forward to jumping into another one of these episodes and thank you attendees, viewers, wherever you're watching this, on demand, we really appreciate you keeping up. And as you may not be aware at the top of this page, you can subscribe so you can always know when the next one is dropping. So really glad we're here, and looking forward to talking about this with our guest today.
Alex:
So our guest today is Rob Key. How are you doing, Rob?
Rob Key:
Hey guys. Thanks for having me back. Rob Key, I'm an SE here at 1E and glad to chat with you guys.
Alex:
Good to have you. So non-compliant devices, are they dangerous? I know that just talking on this topic from perhaps not a security point of view, I know that having my device being up-to-date is pretty important in the home for updates and features. But I know as a user, I don't really care about patches and security issues. I don't think my network is that important. So when IT are bothering me about getting my laptop updated, sometimes it can feel like a bit of a hassle, "Come on, I'm working. What's going on?" What do you guys think? What's your experience with device compliancy?
Rob Key:
Device compliance is always a big thing. Compliance stretches so many different things and you mentioned patching and things like that. And that's something the user usually knows is coming, "Hey, I'm going to get prompted a time or two a month, that they're going to ask me for that information," and so on. But the compliance can go so much further. Maybe it's very specific to that organization. They could be looking at making sure certain software titles are not on there, making sure certain settings are set and so on, so it can get really in depth.
Michael:
So you're actually talking about maybe enforcing specific rules for applications. Because like Alex, I was probably thinking more along the lines of a compliant device is just a device that is up to date or current, but it can be so much more than that when it comes to how a device is used and what can be used as well.
Rob Key:
Definitely. I think maybe think of it as this is how we want our devices to be. And going back to that previous DEM IN 20 that I jumped on with you guys and looking at some of that change in control compliance, making sure things stay the same. This is looking at more prevention or ensuring things like maybe if we're talking about virus definitions, maybe we're talking about those patches you're talking about, or a zero day vulnerability. So lots of things could come across this compliance type of scenario.
Alex:
I know Rob you have something interesting to show us, but before we do that, should we break down some concepts for our viewers? Should we define what we define as a non-compliant device and what is dangerous?
Rob Key:
Sure. So non-compliant device, again goes back to, "This is how as an organization, we want our devices to be." If they're non-compliant that means that maybe they're out of that spec. We see more and more, a lot of my customers have BYOD plans, so bring your own device scenarios. And with those, in most of those they have scenarios where they allow a client or something like that to be on the machine. So when we're talking about 1E, if we're talking about Tachyon on those devices, that allows us to have visibility onto those devices right away. Ensure that a person who's using their computer at home, maybe their kids are on Netflix or whatever other application, doesn't get something on that machine that pushes it out of compliance. So as soon as they come back to the office or they were logged in remotely, we can do this quick series of checks and make sure that that device is how we want it to be.
Alex:
Yeah, great definition. I think that definitely clears up from a non-compliancy issue. And I think danger is definitely it's from the perspective of whoever is managing it. From the user's point of view, like we introduced maybe not such a big deal. Maybe my laptop doesn't need to update for a couple of hours because it was dangerous. But from an IT perspective, I mean talk to any IT admin and they'll talk about the nightmares of BYOD without software to help you manage it, right?
Rob Key:
Definitely.
Alex:
Okay, cool. How much time have we got left Michael? Because the clock is running, Rob. That part of the show you're familiar with.
Michael:
About 15 minutes.
Rob Key:
Always on the clock. Let me share my screen for you guys real quick. And we'll just show you a few things. How about that? All right guys so we're talking about different compliance scenarios and one of those was around vulnerable software. So that's something that we can do with the Tachyon Explorer, which I'm showing on my screen right now. We can query those devices, gather data right away. So if I wanted to go out and look at list installed software, so I'm just going to grab this from all my machines. So if I'm an engineer I'm looking for how is this affecting the broad environment? One thing that comes up a lot of times with our customers is Mozilla Firefox. So if I wanted to just say, "Let's look for Mozilla only," we could sort that down very fast.
Rob Key:
So just like that I've grabbed all of my machines, queried those devices for a certain software title, gathered that information. Now it's fantastic finding information in the environment, but let's take an action on that. And that's where a lot of other products in the environment have a challenge, whether it's from actually taking action in the same system or this next step, which I'm going to look at actually quarantining this device. I'm going to go to PCO3 and I'm going to do a follow-up action. So because it has this, maybe I push this out with the configuration manager, I didn't get all of my machines because of an issue with a CM client, that kind of thing. So now we need to close that gap. We've still got that vulnerability out there whether it's 10%, 5%, what have you, we can actually grab all of that data and then we can quarantine those devices and request to fix those devices.
Rob Key:
So I'm going to quarantine based on compliance requirements. This is more of a reactive scenario, right? So we know what we're looking for. We found it in the environment and now we're going to go out, we're going to quarantine these devices. We can even plug in that fix into this instruction. So if we wanted to say, "Hey, we're going to quarantine it. We're going to prompt the user that device is quarantined and then we're going to remove or give them an option to remove Firefox from the machine and maybe let them know why." Maybe this is not an approved browser, that kind of scenario. Does that make sense Michael?
Michael:
It does because I was just trying to think of an instance of where you would need to quarantine and why. So the fact that you can do that and be able to show that, because most users don't really even know that they have to have their device be quarantined for whatever reason. So if we've got the ability to A, engineer's side search for that and then provide a remedial action, there's then a way that of course the user will be informed that their device has been quarantined, correct? Is that-
Rob Key:
Right. And we can do that here. Yeah, so there's other products out there that sort of look for this scenario and you can see right now I can get to the internet, move around on this device. I could get to other devices, other shares, things like that. So I just wanted to show that we actually have a connection right this minute. But if I go back to here, comparing what we're getting ready to do to others in the market, you either have that query and find information. You have that possibility of even maybe going a step further of looking for a certain non-compliance, but then they leave the user to figure out what's going on, or maybe wait for a service desk scenario, which we could do that as well. But we also want to give options where possible to say, "Hey, you're out of compliance, let's fix that and then get you back into compliance."
Rob Key:
So I've got this instruction. I'm just going to quarantine based on those compliance requirements that maybe my organization has set. So if I go and put my password in, because it is an action and I can do an approval on here if I prefer to do so. Now we'll see right away I have no internet access. If I go over here, try to do this webpage again, it's going to say no internet. So we've been quarantined and we've got an option to prompt the user here, where it says your device is not compliant and we can put whatever description in there so it's very versatile as far as how we make this look. Now we can reset critical services and release. We can log a service desk ticket. Maybe they're not really sure even with the description what to do. So I'm just going to reset these critical services. I'm going to hit submit...
Alex:
Sorry to interrupt. I love from a user's perspective that rather than just showing them an error message and kind of leaving them to connect the dots, there's an actionable button press that you can go on and decide what you want to do from that. I think that's really cool.
Rob Key:
Yeah, definitely a great feature. And again, you can change that and you saw the automatic refresh there. On the screen you see a "removed from quarantine" prompt as well. So we can go pretty far with this. That was again the reactive type of thought. Would you guys like to see how we could even do that proactively or at least just grab and show you what a policy would look like to do this as the machine reboots to look for certain things?
Alex:
That sounds great.
Rob Key:
Perfect. So if we go over and look at what we call Guaranteed State here at 1E, we're looking for certain scenarios to determine whether a device is how we want it in this case. So I've got policies, they are filled with different rules. And I just made some various forms that I thought pertain to things we wanted to prompt the user for. So you can see my device for clients. It's a user notification. I've got a description here of what that does, then we're going to quarantine it, prompt the user and so on. And then a few things, and this is not exclusive to these.
Rob Key:
These are things that I've thought in my experience and my peers determined, hey these are things that you might prompt the user for. So BitLocker, or if there's any kind of reboot compliance, that kind of thing, maybe even Defender updates. So we want to make sure that Defender is up to date or whatever virus protection you're using that kind of thing. And we can scope that in on any type of virus product. So if we wanted to take that a step further, so there are things here, the question might be what if we don't want to prompt the user? We could definitely do that as well, right?
Rob Key:
So we have a lot of customers that are looking for certain services on different things like that, that really we don't see any need to engage the user, but this will actually look at anytime certain things change on the device at the restart, at a screen unlock, it's going to check all of these things very, very fast. And if there is a non-compliance it'll pop up, of course we're not going to put things in there that are going to frequently be non-compliant because we don't want to quarantine our users constantly in that scenario. Does that make sense with regards to how we could do that?
Michael:
Yeah, it does. In fact, I was thinking you mentioned about how fast this can be done. And you talked about how fast we can gather this information, pull it from endpoints and a colleague of ours, Jason was sharing a webinar recently when he thinks of speed and how fast this is in hummingbird flaps. So he's watching Discovery Channel or something, and one hummingbird flap, not even a rotation, just one movement of down and up is 12 milliseconds. But apparently Tachyon is able to pull that request and insert an endpoint and grab this information in a fourth of that time. So three to four milliseconds, we're able to get this information and whether that's remediate, apply that fix or of course quarantine, and then apply the fix after the screen's been off.
Rob Key:
Definitely. I can give you a little bit of an example. This is a bit of those rules that we were looking at. So if I wanted to do that check part, so let me open up the check portion of what we call a fragment, as you see on my screen there, but it's more or less small bits of code. And these are things that you can write as a customer. These are things that we frequently assist our customers with. And then we have a team that is specific to just writing requests and things that we see in the market that you guys did the DEM IN 20 on PrintNightmare. So that's one that I believe we just released a policy around looking for those certain attributes and making sure that devices were compliant from that perspective.
Rob Key:
So I've got this one here. It's just looking for if certain software is installed, if there's a reboot pending. Just to talk about speed, I'm going to just ask the device if it has that. So if I run that you see right away it took 391 milliseconds. And I believe that's even a fraction of that. So 356 bytes that it pulled that information that's able to tell us, "Hey this passed and this did not." Now, you wouldn't see this as an engineer, unless you're in here building these, but you do the check. And then right away, we can turn around and do the fix to where you can run the same thing. This is going to look and do the fix, and you see that it threw our machine into quarantine. Now I can add on a prompt to this as well. So there's lots of areas we could go with this type of scenario, but that was just, you were talking about speed. So I wanted to make sure to just show you how fast we could check for something or kick it into quarantine.
Alex:
So obviously this is a limited demo for the viewers. I want you to know, we're talking speed. Does this speed scale because let's say I'm IBM, I've got 600,000 devices and I need 10,000 quarantined right now. How does that impact the speed?
Rob Key:
Yeah, 100%. So we're direct to the endpoint. So we're not doing any kind of peer to peer in this scenario. So we're going directly to the endpoint and directly back. When we're talking about milliseconds, we can even stagger that if it's slightly bigger, if we have a payload or something like that. But we can send that query or instruction to an endpoint and it brings it right back. So we're doing that. If we're talking about 600,000, it's hard to give you a guesstimate on time, but we're still talking about seconds or into low minutes for reviewing all of those devices and bringing all that back. Probably still in the seconds from the review perspective and then quarantine just a slight bit longer. So the speed and the fraction of speed that it takes to do this compared to traditional methods is just amazing. It amazes our customers every time I talk to them. If they need data right away and they need to take action, like this quarantine process, it's something we can do with no issue.
Alex:
Yeah, that's pretty mind-blowing. So I obviously, both of you know this, but I'm a product manager in the patch world and to get anything in seconds or minutes, it's pretty insane. And the fact that it scales also really incredible. Michael, how are we doing for time?
Michael:
Yeah, we're doing well. Just a few more minutes. And Rob, I'm going to throw you a bit of a curve ball here. The Colonial Pipeline hack that happened in the U.S. They got control of a password and used that password to get into the different network infrastructure systems, just to put the pipeline on hold while all the systems were corrupted. Quarantine, could that be used in this example? Would they flag that this password has been validated, not validated, but has become vulnerable? And then would you then use that to identify devices that use the certain admin permissions? Or is that not applicable at all in this example?
Rob Key:
No, I think it definitely could be, right. So we'd have to work through that process and determine what's identifying that. Or like I said as a reactive possibility, we know this, we can maybe determine that from Explorer to determine what we have on what devices, that scenario. And then we quarantine all of those devices for security's sake, right? We quarantine, then we have that connection. The great thing about 1E's quarantine is we have a connection from Tachyon server to those endpoints. So if that means that we have to make a certain change to the endpoint, we can make that change and then unquarantine.
Rob Key:
I mean I remember my days back at, I actually worked for one of our customers many years ago, that when the device had any kind of malware whatsoever, any kind of vulnerability, we went and grabbed that machine off the desk. And I really made some people mad. So this is a much better scenario, right? So where you can quarantine that, address it right away, have access from an engineer level or even from a security administrator level, you could get to those endpoints, make changes, verify that those vulnerabilities were taken care of and then unquarantine the device.
Michael:
Thanks for that.
Alex:
It's the best of both worlds that we were talking from the beginning, right? From my perspective as a user, I want to know what's going on. I want to get back to work as quickly as possible. And from a compliance point of view, I want to make sure my devices are secure. That software that isn't allowed to be running isn't running. So usually you have to sort of pick one and it sounds like there's no picking necessary here.
Michael:
Yeah, I agree. As a user, I think it almost establishes a sense of confidence in using your machine in the sense that maybe you can download something because sometimes you don't know if it's really sketchy or not. Whenever you look to download a file and then three different URLs pop up and it's like which one do I download? It's nice to know that if you do download something that you shouldn't have maybe because there's something underneath it, there is something that maybe refreshes or runs as soon as you unlock my computer and turn it back on, it's going to catch that all being well if those policies have been put in place.
Alex:
Reminds me of DEM IN 20 Episode one, download more RAM. Is that safe? Is that not?
Michael:
Yeah for those slow computers, right?
Alex:
Yeah, that's right.
Michael:
Rob really appreciate you coming back and joining us for another round on DEM IN 20. It's been really insightful and we hope that we can see you again next season, which would probably be 2022 for yourself as we have a rota of volunteers to get through. So we really appreciate you being here with us today.
Rob Key:
Sounds good. Yeah, it's always a pleasure guys. Appreciate you having me and it's always a joy to speak with you.
Alex:
And I know the audience really loved it as well so thank you so much. Episode seven, make sure you join us guys. We're on demand now, so you can catch us on DEM IN 20, Episode seven with Jason Scichilone. It's been a pleasure. I'm Alex, this has been Michael and Rob. DEM IN 20, catch you next time.