A Rogue Device Sandwich

Writers: Stanislav (Stas) Siganevich, Retail Sector Manager and Snir Zarin, Solution Architect, Centerity.

I just wanted to have lunch, but instead I spotted a security breach. Does it make sense that a CISO needs to be physically present in a retail store to know about threats like this?

Highlights

  • There are physical threats that the standard security tools do not cover.
  • Only by physically visiting one of our retail stores could I identify a huge potential security breach that nobody knew about.
  • How easy is it to use a malicious device to penetrate our organization's defenses? Quite simple, to be honest.

Found it by chance

I'm hungry, I thought to myself as I was finishing the last of the firewall (FW) rules and distributing them to all of the stores. The daily dilemma of "where to get my calories today" was irrelevant, because yesterday the retailer I work with had opened a brand-new store with a deli nearby that looked very promising.

As I was marching to the elevator, I remembered that I hadn't distributed the latest patches to the new equipment in that very store I was going to get my lunch from, but... it can wait an hour, I guess. When I entered the store, the smell of freshly baked bread and smoked meat filled my lungs and I joined the long line on my quest to fulfill my gastronomic desires.

The line was moving slowly, so I decided to try to catch up with all of my emails, though that is never really possible. The reception in the store was not that good, so connecting to the corporate Wi-Fi sounded like the quickest solution (the bonus of being an information security officer), but while I was searching for the desired network in the list something caught my eye: an unknown network, clearly transmitting from within the store with a really strong signal.

Red alert, red alert, all the warning signs went off. I pulled my laptop from the briefcase and left the line; my smoked beef sandwich would have to wait for me.

I started looking around to see if I could spot something or someone unusual. Everyone was pretty much busy with their food (god, I'm hungry), except for one young lady who was sitting with a laptop but without even a coffee cup in sight. Right next to her was a slightly displaced digital billboard that we had just recently installed. When I started walking towards her to see what she was doing, she must have noticed my corporate badge, because she quickly closed the lid of her computer and headed for the exit. I checked my phone and... the network was still transmitting. I got a bit closer, just close enough to see a small black device sticking out of the network socket that was in use by the billboard. When I pulled that sucker out, the unidentified network went down. Another one under the belt. A few moments later I was back in the line for that divine sandwich, feeling like a hero and wondering why I can't clone myself, though the thought of "why didn't my NAC solution stop this?" had me a bit (a megabit, to be frank) worried.

“45!” the teller shouted. That's me!!!! Oh joy!! “One brisket with pickles and a Coke, please.” I approved the payment with my watch and the guy turned away to prepare my meal. In the meantime I had nothing to do but explore the POS in front of me, one of those I have to distribute the latest patches to once I get back to the office. Big screen, wireless payment terminal; the new Verifone model is prettier than the previous one, I thought to myself. But wait, what is that I see? Three shining USB ports just staring at me, without any barrier, just 20 centimeters from my hand, unsupervised, unprotected, exposed to the whole world for abuse. Sometimes I just wish I could unsee things, but this is not one of those cases. In case you do not see an issue with this situation, let me draw a picture for you: anyone, yes, anyone (a customer, a supplier, an employee) can connect a rogue device to this USB port. Oh, sorry, first let's say a few words about the term “rogue device”:

A rogue device is a piece of hardware that has been introduced into, or tampered with in, an environment specifically to carry out cyberattacks, including data breaches, malware and ransomware attacks. A peripheral (a keyboard, a charging cable, a network dongle) built around a small single-board computer such as the BeagleBone board lets an attacker gain remote access to an organization's network: the implant brings its own out-of-band connection, which is how it bypasses an air-gapped network. From there, data can be extracted or malware/ransomware installed without the end user noticing, leaving the organization vulnerable to both exfiltration and injection. Placed inline on a network port, a rogue device also lets attackers perform man-in-the-middle (MITM) attacks, intercepting the traffic between the victim and the entity they are talking to. The consequences are severe, and such attacks can even allow attackers to bypass biometric authentication.

Again I picked up the phone, and realized that our existing MDM and NAC systems can't recognize those kinds of devices, as they appear legitimate to the operating system. I guess I need to find a solution that can track those malicious hardware foes instantly, without visiting our entire retail store network on a daily basis. Damn, do you remember that I still haven't eaten??
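As an added example (not code from the original post, and not Centerity's product), the following Python snippet shows the kind of check that a NAC or MDM agent does not do by default: it compares the USB devices actually enumerated on a POS host against a per-port allowlist of what is supposed to be plugged in, and flags anything else, with higher severity for devices that expose a keyboard (HID) or network interface class, since that is exactly what a keystroke-injection implant or an out-of-band uplink look like to the operating system. The vendor/product IDs, serial numbers, port paths and the inventory itself are constructed for the example; on a real Linux host the same fields come from /sys/bus/usb/devices/*/{idVendor,idProduct,serial} and the bInterfaceClass of each interface.

```python
"""Per-port USB allowlist check for a POS host (added example; all IDs hypothetical)."""
from dataclasses import dataclass

# USB interface class codes as defined by the USB-IF.
HID = 0x03            # keyboards, mice: what a keystroke-injection implant enumerates as
CDC_CONTROL = 0x02    # communications device (e.g. a CDC-ECM/NCM network adapter)
CDC_DATA = 0x0A
MASS_STORAGE = 0x08
WIRELESS = 0xE0       # wireless controller (e.g. a Bluetooth or cellular dongle)
UPLINK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}   # classes that can carry an out-of-band link
RISKY_CLASSES = UPLINK_CLASSES | {HID}


@dataclass(frozen=True)
class UsbDevice:
    port: str           # physical port path as sysfs names it, e.g. "1-1.3"
    vid: int
    pid: int
    serial: str
    classes: frozenset  # bInterfaceClass of every interface the device exposes


@dataclass(frozen=True)
class Finding:
    severity: str       # "high" or "medium"
    port: str
    reason: str


# Hypothetical allowlist for one checkout lane: port -> (vid, pid, serial, allowed classes).
ALLOWLIST = {
    "1-1.1": (0x0B00, 0x0001, "PINPAD-7781", frozenset({CDC_CONTROL, CDC_DATA})),  # payment terminal
    "1-1.2": (0x0C00, 0x0B61, "SCAN-10442", frozenset({HID})),                      # barcode scanner (keyboard wedge)
}


def evaluate(devices, allowlist=ALLOWLIST):
    """Compare enumerated devices with the allowlist; return findings sorted by port."""
    findings = []
    seen = set()
    for d in devices:
        seen.add(d.port)
        expected = allowlist.get(d.port)
        if expected is None:
            # Nothing should be on this port at all. A keyboard or network class makes it urgent.
            sev = "high" if d.classes & RISKY_CLASSES else "medium"
            findings.append(Finding(sev, d.port,
                f"device {d.vid:04x}:{d.pid:04x} (classes {sorted(d.classes)}) on unlisted port"))
            continue
        vid, pid, serial, allowed = expected
        if (d.vid, d.pid, d.serial) != (vid, pid, serial):
            # Same port, different hardware: a swapped or cloned peripheral.
            findings.append(Finding("high", d.port,
                f"expected {vid:04x}:{pid:04x}/{serial}, found {d.vid:04x}:{d.pid:04x}/{d.serial}"))
        extra = d.classes - allowed
        if extra:
            # Right identity, but it now exposes interfaces it never had (e.g. a scanner that grew a NIC).
            sev = "high" if extra & RISKY_CLASSES else "medium"
            findings.append(Finding(sev, d.port, f"unexpected interface classes {sorted(extra)}"))
    for port in sorted(allowlist.keys() - seen):
        findings.append(Finding("medium", port, "expected device missing (unplugged or moved to another port)"))
    return sorted(findings, key=lambda f: f.port)


# Constructed inventory, as a sysfs walk might return it on the POS from the story.
SAMPLE_INVENTORY = [
    UsbDevice("1-1.1", 0x0B00, 0x0001, "PINPAD-7782", frozenset({CDC_CONTROL, CDC_DATA})),  # serial differs: swapped terminal
    UsbDevice("1-1.2", 0x0C00, 0x0B61, "SCAN-10442", frozenset({HID})),                     # legitimate scanner
    UsbDevice("1-1.3", 0xABCD, 0x0001, "0000", frozenset({MASS_STORAGE, HID})),            # "thumb drive" that also types
    UsbDevice("1-1.4", 0xABCD, 0x0002, "", frozenset({CDC_CONTROL, CDC_DATA, WIRELESS})),   # dongle with its own uplink
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] port {f.port}: {f.reason}")
```

Keying the policy on the physical port path and the serial number, rather than on vendor/product ID alone, is what makes this useful against the devices the story describes: an implant that clones the VID/PID of the real scanner still shows up as an identity mismatch, and a device that adds a HID or CDC interface to an otherwise legitimate-looking peripheral shows up as an unexpected class. Run the check on a schedule or from a udev trigger and forward the findings to the SIEM.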

My sandwich is packed and I'm all set to go. I start walking toward the exit when I pass the new digital billboard that is being installed and... oh, my eyes!!!! A corporate network socket is just sitting there, waiting for anyone to connect to it. But I'm hungry, so we will pick that up in the next episode.

Conclusions

Existing security tools do not cover this new generation of rogue devices, so we need to close this vulnerability, and fast. Rogue devices are cheap and available to everyone, including the bad guys with bad intentions. Any open hardware slot (a USB port, a network socket) is the physical equivalent of an open network port: a closed but unlocked door that can be opened simply by turning the knob, giving full access.

What can you do? A lot. Centerity’s Cyber AIOps Module for Rogue Device Mitigation can prevent those malicious hardware devices from penetrating your network. We will be more than happy to show you how simply you can avoid those kinds of attacks and keep your organization safe.

Remote IT Operations is the New Norm

IT in Times of Crisis

IT operations pros worldwide have suddenly found themselves in a wartime environment. They are supporting a massive number of people transitioning to remote work, shifting work models and, in most cases, extended hours. While the COVID-19 virus is putting a severe strain on corporate networks, servers and security policies, it may also be causing major traffic jams on customer-facing websites. This is especially true for consumer-facing businesses in retail, healthcare and financial services. Above all, the new IT reality is testing each organization's ability to deal with the unexpected and unplanned [1].

According to Accenture [2], the transition that many leading companies have been pursuing towards digital business must continue and even accelerate during times of crisis. Some of the critical business areas impacted are Operations, Commerce, User Experience, Supply Chain, Leadership and the Workplace. Each one of these areas is essential to the business, requiring a holistic approach to digital transformation.

While we hope there will not be another event of this magnitude, the changes that became necessary during these last few months will persist, and IT will need to adapt to this new reality. Agility and adaptability are no longer buzzwords; they have become an essential part of modern IT management's DNA. IT systems must adapt to a new, ever-changing, ever-evolving reality, which means that many of the assumptions companies had about their information technology ecosystems are no longer valid.

The Unexpected Demand Scenario

What happens when operations support systems such as remote access or VPN systems suddenly expand from serving 25% of the company to 100%, becoming business-critical?  As workloads shift and secondary systems become business-critical, performance management becomes the only way to cope with the lack of resources in an on-premise or hybrid operating model.

Capacity planning is usually done in advance according to trends with relatively constant consumption dynamics. In on-premise and hybrid architectures, new purchases may take months to provision. The only way to cope with existing system constraints and maintain regular operations is automation through an AIOps platform that can: (1) detect and even predict these new demands on systems; (2) detect performance problems proactively; and (3) execute remediation measures automatically to keep the systems performing optimally.

Deal with the New Reality

In the new reality, the transition from traditional, static, rules-based monitoring to dynamic AIOps is essential. Modern IT management teams can no longer wait for trends to become obvious, as future operating behavior will be more dynamic, change more frequently and be less predictable. Traditional monitoring and event management systems are based on static thresholds that primarily rely on assumptions derived from past experience. As operating scenarios change rapidly in the new paradigm, dynamic behavioral analysis becomes the new doctrine for modern IT operations. Manually adjusting alert thresholds, the lack of correlation across interdependent domains, and reactive alarms are no longer acceptable when an average company may have more than 2,500 performance metrics per unique business service.
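As an added example (not code from the page or from Centerity's platform), the following Python snippet puts a single static threshold beside a per-hour behavioral baseline on a constructed week of response-time samples for a hypothetical checkout service. The history, the shop hours and the thresholds are all made up for the example; what it shows is the mechanics behind the contrast above: one static number is either too high to catch a quiet-hour degradation or so low that it fires all day, while a baseline learned per hour of the day flags the same degradation without firing on normal daytime load.

```python
"""Static alert threshold vs. per-hour behavioural baseline (added example, constructed data)."""
import statistics
from collections import defaultdict

BUSY_HOURS = range(9, 18)   # hypothetical shop hours


def build_history(days=7):
    """Constructed hourly response-time history (ms): ~100 ms overnight, ~600 ms in shop hours,
    with a small, deterministic day-to-day wobble so the per-hour spread is non-zero."""
    wobble = [-2, -1, 0, 1, 2, -1, 1]
    history = []
    for day in range(days):
        for hour in range(24):
            base, scale = (600, 40) if hour in BUSY_HOURS else (100, 8)
            history.append((hour, base + scale * wobble[day % len(wobble)]))
    return history


def baseline_by_hour(history):
    """Learn (mean, stdev) of the metric for each hour of the day: the learned 'normal'."""
    buckets = defaultdict(list)
    for hour, value in history:
        buckets[hour].append(value)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in buckets.items()}


def static_alert(value, threshold):
    """Legacy rule: one number for all hours, set by hand from past experience."""
    return value > threshold


def dynamic_alert(value, hour, baseline, k=3.0):
    """Behavioural rule: alert when the sample sits more than k standard deviations above
    what this hour normally looks like. The stdev is floored so a flat baseline still alerts."""
    mean, sd = baseline[hour]
    return value > mean + k * max(sd, 1.0)


def compare(samples, baseline, static_threshold=800):
    """Return {(hour, value): (static fired, dynamic fired)} for each (hour, value) sample."""
    return {(h, v): (static_alert(v, static_threshold), dynamic_alert(v, h, baseline))
            for h, v in samples}


if __name__ == "__main__":
    base = baseline_by_hour(build_history())
    # 400 ms at 03:00 is four times normal for that hour but well under an 800 ms static threshold.
    for (h, v), (s, d) in compare([(3, 400), (14, 700), (14, 900)], base).items():
        print(f"{h:02d}:00 {v:4d} ms  static={s}  dynamic={d}")
```

Dropping the static threshold to 300 ms so that it would catch the night-time case makes it fire on every daytime sample in the history; the per-hour baseline does not need that trade-off, which is the point of learning normal behavior per context instead of per metric.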

Driverless IT Operations

Proactive analytics and automated responses are the new norm and ensure optimal system performance. Functionality like this will allow modern IT management teams to rapidly adapt to new, unexpected realities without serious disruption to current operations.

Centerity offers a modern AIOps platform married with Cyber AIOps capabilities that automatically learns the behavior of critical applications and business processes by using machine learning on a Big Data, Time-Series platform that can adapt dynamically without the need for human intervention.

As a result, IT management is empowered to adapt to new, unexpected realities in a matter of days without disrupting current operations.

  1. https://blog.opsramp.com/coronavirus-it-operations-reading-list?utm_campaign=FY20%20Q1%20-%20Spring%202020%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=85497904&_hsenc=p2ANqtz-8e4Hu79oscIEjeueRk3vIvEAaSJ7MlGL7vG3PDGQOiT7JJfdzlVsxoaHX3C8Gr_1VIJMFz9k-5Qc6zfoe3Bjr7AnRkMQ&_hsmi=85497904
  2. https://www.accenture.com/us-en/about/company/coronavirus-business-economic-impact

Centerity Brings Business Value To APM

The Centerity AIOps Platform

Centerity is an AIOps Platform that Delivers Dynamic Service Views and Business Service Level Analytics for Digitalization and Digital Transformation Initiatives to the business constituents responsible for these services. Each Dynamic Service View calculates the performance and availability of a critical business service as shown below.

Centerity Complements APM Solutions

APM solutions like AppDynamics, Dynatrace, Instana and New Relic trace the execution of business transactions through the custom code that implements them. Metrics like response time, calls per second and error rate are collected for each transaction, tier and application monitored by the APM tool. Centerity complements APM tools in the following respects:

  • APM tools cannot cover the entire IT stack down into virtualized and physical hosts, networking and storage; Centerity can.
  • APM tools cannot roll up the performance and availability of the entire stack into Dynamic Service Views for business constituents; Centerity does this, and incorporates the transaction and application metrics from the APM tools into the DSVs.

The manner in which Centerity complements the APM tools is shown in the image below. The transaction, tier and application metrics for an application that is part of a business service monitored by Centerity form the top three layers of the Dynamic Service View. Centerity itself monitors the entire virtual and physical infrastructure that supports the applications, including the VMware environment, the virtual and physical network and the storage.

Centerity is therefore uniquely able to translate IT infrastructure metrics, and application-level metrics from APM tools, into value for the business constituents who rely on the entire IT stack working correctly in order for the business service to deliver revenue or other business results.

The Layers of a Centerity Dynamic Service View

Centerity builds the Dynamic Service Views out of the layers that comprise each business service by having a comprehensive platform that collects metrics, events, logs and relationships from across the entire stack. The platform builds the relationships in real time, refines them over time, and applies AI to automate anomaly detection.

The Centerity AIOps Platform

Centerity Functional Overview

Summary

APM tools are excellent at helping the teams that develop and support custom applications in production ensure that their code is working and performing as it should be, and in pointing to issues in the code when there are problems.

Centerity integrates with the APM tools to combine APM metrics with infrastructure metrics into valuable Dynamic Service Views for business constituents.

 

Why Digital Transformation Needs AIOps

What is Digital Transformation?

Digital Transformation means taking advantage of the fact that software-based processes can be evolved and enhanced more frequently, to dramatically drive up the business agility of the company and to gain market share and revenue as a result. This is sometimes stated as “Compete online or die”, but it does not always have to involve people using browsers and mobile devices to access web services.

The Imperative to Digitalize Core Business Processes

The leading initiative for nearly every CIO (especially the ones who have rebranded themselves as Chief Digital Officers) is digitalization. Digitalization means that the key business processes of the company get implemented in software. This creates the following imperatives:

  • Drive online business results – revenue, customer acquisition, customer service, customer satisfaction, market share and reputation
  • Time to Market – Implement key business processes in software more quickly than both current and emerging competitors
  • Rapid and Continuous Improvement – Rapidly improve those digitized processes in order to compete and gain market share
  • Great Customer Experience – Web and mobile experiences must be available all of the time, and offer excellent performance (responsiveness to user actions)
  • Fast Resolution of Problems – Every online system has issues, but they need to be prevented as often as possible and solved as quickly as possible
  • Scale in Response to Demand – If the system is subject to spikes in demand (like online retail), then it needs to be able to respond to dramatic increases in load without suffering from reliability and performance problems
  • Be Cost Effective – Modern application teams need to be efficient with their time and need to avoid overspending on legacy and expensive toolsets

In summary, every enterprise must now run like a highly agile, responsive and forward-thinking SaaS software product company. The infographic below shows the important Digital Transformation trends for 2019.

Industry Changes Caused by Digitalization

Digitalization is creating unprecedented demand for the resources (primarily the people) who know how to implement business processes in software (software developers and architects) and the people who know how to operate complex application systems in production with high reliability and performance (cloud and application operations). The most important architectural change is the shift to a microservices architecture, which allows each microservice to be enhanced independently, leading to dramatically shorter application development cycle times, dramatically increased technical and business agility and dramatically increased online competitiveness. The demand to implement business processes in software exceeds the supply of knowledgeable people, which is fueling a set of innovations designed to speed the delivery of software into production and ease the process by which highly complex, dynamic and scaled-out applications are supported in production.

Complex Multi-Cloud Architectures

Today the question is not whether to do cloud, but which clouds and how many different ones will be deployed. For most enterprises an on-premise private or hybrid cloud based on VMware vSphere is a reality. For these enterprises, going to the public cloud often means adding the public cloud to their environment instead of replacing their on-premise or colocated environment. This means that for cloud operations teams the cloud is a source of increased complexity, not of simplification.

Innovation and Dynamic Behavior across the Stack

The imperative to digitalize core business processes, and the resulting shortage of people who can do the work, is fueling a set of process and technology innovations designed to speed business functionality implemented in software into production. These process innovations (DevOps and CI/CD) and technology innovations (containers, and the dynamic infrastructure upon which they run) are being brought to bear to help development teams be more agile and effective, and to help support teams deliver better reliability and performance results to the business. These layers of innovation are shown in the diagram below.

The above architectural (microservices) and process (CI/CD) innovations, combined with the diversity in the stack and the dynamic behavior across it, create an unprecedented monitoring and management challenge for modern online enterprises. This challenge is compounded by a high rate of innovation that constantly increases the complexity and diversity of the environment.

The Problem with Legacy Monitoring Approaches

Digital Transformation produces new critical business services which must be monitored and managed holistically. However, ever since the demise of the monitoring frameworks from IBM, BMC, CA and HP, monitoring has devolved into a best-of-breed approach, leaving enterprises with between 20 and 200 different tools, none of which give the business visibility into the reliability and performance of these new critical business services.

The Franken-Monitor

Monitoring Challenges with Modern Applications, Stacks and Processes

The modern application, development process and technical stack, combined with dynamic behavior across the stack, create the following new and unprecedented challenges for monitoring solutions:

  • Modern apps are highly scaled out (many things to monitor: hundreds and thousands of microservices in production)
  • Modern apps are highly dynamic (a high rate of change in scale and new versions: multiple releases of new software into production every day)
  • Modern apps are very diverse (many different languages and stacks, with the need for developer productivity driving ever more diversity)
  • Business services are often comprised not just of the modern applications, but of previously developed N-tier applications, monolithic applications and purchased applications
  • As stated above, the environment spanning the on-premise private cloud and the new public clouds is more complex and more dynamic than ever
  • Due to the above factors, modern apps are very complex, and addressing issues consumes time and expensive resources. In fact, Gartner predicts that by 2020, 75% of enterprises will experience visible business disruptions due to infrastructure and operations (I&O) skills gaps, up from less than 20% in 2016.

Making Sure It All Works All of the Time

The applications and business services that result from Digital Transformation initiatives must work all of the time, and must provide an excellent user experience all of the time, in order for these new services to meet their business objectives. The technical challenges associated with managing these applications in production mean that a new approach must be taken to monitoring them. The following requirements must be met:

  • The entire stack must now be monitored in real time (at 1-minute down to 1-second intervals) to be able to detect service-quality issues in time
  • Flows, relationships and dependencies across the stack must be determined in real time
  • AI (AIOps) must be deployed to cope with the deluge of incoming monitoring data and automatically understand normal vs. abnormal
  • AIOps and relationships must be leveraged for automated root cause and ultimately automated remediation.
  • The results of monitoring must be made relevant to business constituents

The Need for Business Visibility

Since these new software-based business services are so critical to the business, business constituents like product managers and business executives responsible for the results of these services need consolidated visibility and manageability across the entire stack of technologies that comprise each service. Centerity's Dynamic Service Views provide this visibility.

Centerity's Dynamic Service Views

Centerity's Dynamic Service Views consolidate the availability, performance, throughput and error rate of the entire software and hardware stack that supports each critical business service into a service-level gauge that allows business constituents to easily understand how the business services supported by these stacks are actually working.

The Centerity AIOps Platform

Centerity delivers these Dynamic Service Views through a comprehensive AIOps platform that works with the existing monitoring tools, virtualization platforms and cloud platforms in use at the customer. Metrics, events and logs are collected across the entire stack and evaluated by an AIOps engine for anomalies. Degradations in service levels are then surfaced in Dynamic Service Views and forwarded to alerting and service management systems.

Centerity Functional Overview

Summary

Modern business services are composed of new applications, existing applications, custom-developed applications and purchased applications. The software and hardware infrastructure for these new business services is updated frequently and operates in a dynamic manner. This creates a new imperative to be able to monitor the resulting business services in a continuous and full-stack manner.

 

AIOps and AIOps Platforms

AIOps in IT Operations, Application Performance, and Event Management

Gartner invented the term AIOps to refer broadly to how AI (Artificial Intelligence) and ML (Machine Learning) will be infused into every aspect of how modern IT Operations, software and hardware infrastructure, applications, transactions, microservices, and business services will be managed. AIOps will also play a crucial role in helping enterprises manage all of the new software driven services that are coming from their Digitalization and Digital Transformation initiatives. This leads to AIOps playing a role in the following areas:

  • Application Performance Management (APM) – APM tools have streams of metrics about the microservices, transactions and applications they monitor, measuring their performance (response time), throughput (amount of work done per unit of time) and error rate. APM vendors are incorporating AIOps into their products so that the AI learns the normal state of each metric for each monitored object and then automates the detection of anomalies in those metrics. The AI's job is then to automate, to the greatest extent possible, the process of determining where in the monitored code the cause of the problem lies.
  • Infrastructure Monitoring or IT Operations Management – With the demise of the ITOM suites from IBM, BMC, HP and CA, the emergence of open-source tools for infrastructure monitoring, the breakup of infrastructure monitoring into many point tools, and the emergence of virtualization (VMware) and cloud platforms (Amazon AWS, Microsoft Azure and the Google Cloud Platform), managing the availability and performance of the software and hardware infrastructure has become significantly more difficult and complicated. AIOps is expected to help these tools cope with the deluge of metrics that come from the hardware and software infrastructure layer, and to help operators of the environment automatically find anomalies and prioritize them.
  • Event Management – Event Management refers to software that consumes all of the events and alarms in the environment, deduplicates them, prioritizes them and then facilitates the resolution of each event by the appropriate team. Legacy event management systems like IBM Netcool were rule-based and fell into disfavor because in a rapidly changing environment it was impossible to keep the rules up to date. Modern event management systems use AIOps to automate the sorting and prioritizing of events.
  • Digitalization and Digital Transformation – Digitalization and Digital Transformation mean that many new software-based business services are being put into production, and that each of them is now being evolved (changed) more frequently than legacy online applications. These new applications tend to be built around microservice-based architectures, which means that there are many more things to monitor. The rate of change in these new microservices means that they must be monitored more frequently. The combination of the explosion in the number of things to be monitored with the increased frequency creates a real-time big data problem that AIOps is uniquely positioned to handle.
  • AIOps Platforms – In addition to AIOps being infused into every existing category of monitoring and management solution, Gartner is projecting that a new category of monitoring and management solution will emerge: the AIOps platform. The AIOps platform will consume logs, metrics, events, alarms and relationships from all of the existing platforms and tools and then apply the benefits of AIOps across this consolidated and related set of data.

Why is an AIOps Platform Needed?

For most enterprises the modern software and hardware infrastructure environment has never been more complex nor as dynamic. Today the question is not whether to do cloud, but how many and which clouds (Amazon AWS, Microsoft Azure, and Google GCP) are to be added to the existing on-premise private cloud which is usually based upon VMware vSphere.

Complex Multi-Cloud Environments


The complexity of just the hardware and software infrastructure in most environments defies monitoring by a single vendor. This is a primary driver of the need for an AIOps platform.

The second driver of the need for an AIOps platform is the pace of innovation in the software stack supporting all of the new business services that are being put into production and the resulting diversity in this stack.

In response to the need for business and technical agility, applications are being architected around a microservices model, the process to deliver code into production is being streamlined around CI/CD, and a very diverse set of languages, middleware components and database components is being used to facilitate developer productivity and time to market.

The rate of change and the rate of dynamic behavior in the resulting hardware and software stack is the second major driver of the need for an AIOps platform.

Innovation and Diversity at Every Layer of the Stack


Introduction to the AIOps Platform

The most important thing about an AIOps platform is that its value is not just to the teams whose tools and platforms feed metrics, events and relationships to it. Its value is to all of these teams, and to the business constituents whose business results rely on the operation, availability and performance of digitally enabled business services. The image below provides Gartner's overview of how an AIOps platform fits with the existing categories of tools.


The role of the AIOps platform in consuming and creating value out of the different types of data (logs, events, metrics and relationships), and the opportunity for the AIOps platform to create new value for enterprises that the component tools and platforms cannot create on their own, is highlighted in the image below.


Business Benefits of an AIOps Platform

If you are a typical enterprise you already have between 20 and 200 different monitoring and management tools. Why do you need another one (an AIOps Platform) on top of what you already have? The AIOps Platform will offer you the following unique benefits that are not available from the point monitoring tools and platforms that feed it:

  • An AIOps Platform combines multiple applications and their supporting software and hardware stacks into Business Services that support the operations of business constituents who are responsible for the revenue, market share, and customer satisfaction of these critical online services.
  • An AIOps Platform organizes the hardware and software components that support digitalization and digital transformation initiatives into business service views that are relevant to the business owners and Product Managers of these digital initiatives.
  • An AIOps Platform creates and manages the service levels of each of these critical business services
  • An AIOps Platform applies AIOps (AI and ML) across all of the metrics, logs and events across the entire stack of software and hardware that supports each critical business service
  • The AI in the AIOps Platform automatically learns the normal state of each critical business service and the normal underlying behavior of the supporting hardware and software services, and automatically flags anomalies.
  • The AIOps Platform has a real-time understanding of how each business service is composed which dramatically facilitates root cause analysis when issues occur.

Summary

Modern business services are composed of new applications, existing applications, custom-developed applications and purchased applications. The software and hardware infrastructure for these new business services is updated frequently and operates in a dynamic manner. This creates a new imperative to be able to monitor the resulting business services continuously and across the entire stack. The AIOps platform is uniquely suited to meet this new need.