In the late 1970’s, there was no better computing lab than at Xerox. Yes, dear Millennials, I do mean that Xerox. Sadly, despite a great flagship product, a company name that became a verb, and stupendous research (they invented the mouse), Xerox gradually slid from #39 to #291 on the Fortune 500 list between 1978 and 2018. (By the way, it’s interesting that Google is also a single-product company with great research and a verbed name.)
Anyway, if you were at Xerox’s Palo Alto Research Center (PARC) in 1978, then you would have been celebrating the landmark paper by PARC's Roger Needham and Michael Schroeder. Their symmetric key authentication protocol later inspired MIT to implement a system called Kerberos. And here we are, four decades later, and most enterprise teams still use Kerberos as the basis for establishing persistent authentication and single sign-on.
One great challenge, however, is that few modern security teams pay sufficient attention to what’s going on in their Kerberos infrastructure – often citing its protocol complexity, as well as its operational ownership by the evil IT team. (See this video for my explanation of Kerberos.) The result is that despite the variety of telemetry being collected in your SIEM, you might be missing juicy stuff inherent in Kerberos-related activity.
This concept was central to a discussion I had last week with Jason Crabtree who runs Reston-based QOMPLX (formerly Fractal Industries). We’d been introduced by industry luminary Dan Geer (who is an advisor to the company) at a security metrics conference at Stevens Tech. After a brief chat, we agreed to get together for an overview of his platform and a discussion of why they started the company to secure Kerberos. Here is what I learned from Jason:
“We’ve built an advanced decision platform for applications such as cyber security,” explained Crabtree. “The platform addresses hard data-related problems via collection, ingestion, schematization, semantification, analytics, and reporting. We differentiate via streaming capabilities and specialty data stores such as time series and graph databases, with algorithms that include machine learning and can handle petabyte-scale analysis.”
The Advanced Cyber Decision Platform (ACDP), which benefits from the DoD backgrounds of its founders, is QOMPLX's engine for advanced cyber risk analytics and monitoring use-cases for security. It can store security-related data, manage that data, support simulation and planning, enable orchestration of data through context, allow visualization of data, and ultimately support cyber decision making and response.
Crabtree added this important point: “The fundamental data engineering and heterogeneous data fusion issues are of central importance to enterprise security teams wishing to improve the quality of the data," he explained, “and they also help enterprise teams ultimately move towards more security automation with greater confidence.”
What’s unique in the QOMPLX approach is that they’ve tailored an entry point to the platform as a solution for Kerberos and other Active Directory security issues. I asked Crabtree about this and he pointed to common blind spots in SIEM installations and network sensors. “We know that Kerberos is the most common enterprise authentication protocol,” he explained, “and yet, identity and authentication analytics and protocol validation are not being done.”
ACDP Identity Assurance provides context for Kerberos telemetry to be interpreted. QOMPLX goes beyond ticket times and encryption type heuristics by adding external state to Kerberos and granularity context for event interpretation. The ACDP approach to instrumentation and analytics addresses Golden Tickets, Silver Tickets, Kerberoasting, DC Sync, and DC Shadow. The goal is to improve the SIEM, UEBA, and related security analytics to include all authentication-related events in the enterprise.
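To make the "external state" point concrete, here is a small added example (mine, not QOMPLX's code and not part of the original post) of two stateful heuristics a SIEM could run over domain controller Kerberos audit events: a service ticket request (Event ID 4769) with no preceding TGT request (Event ID 4768) from the same account and host, which is one classic indicator of a forged TGT, and a burst of RC4-encrypted service ticket requests, which is the classic Kerberoasting signature. The event records, field names and values are constructed for the example; only the event IDs and the Kerberos encryption type values (0x17 = RC4-HMAC, 0x12 = AES256) are standard.

```python
"""Added example: stateful Kerberos audit heuristics over constructed events.

Assumptions (not from the original article):
- Events are dicts with simplified field names modelled on Windows Security
  log events 4768 (TGT request) and 4769 (service ticket request).
- A 4769 is correlated to the most recent 4768 for the same (account, ip) pair.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # Kerberos etype 23
AES256 = 0x12            # Kerberos etype 18
TGT_WINDOW = timedelta(hours=10)   # default TGT lifetime used as the correlation window
BURST_SPAN = timedelta(seconds=60) # span for counting RC4 service ticket requests
BURST_THRESHOLD = 2                # distinct services with RC4 tickets inside BURST_SPAN

# Constructed sample telemetry (hypothetical hosts, accounts and SPNs).
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-01-01T08:00:00", "account": "alice", "ip": "10.0.0.5", "service": "krbtgt", "etype": AES256},
    {"id": 4769, "time": "2024-01-01T08:01:00", "account": "alice", "ip": "10.0.0.5", "service": "cifs/fs01", "etype": AES256},
    {"id": 4769, "time": "2024-01-01T08:02:00", "account": "alice", "ip": "10.0.0.5", "service": "MSSQLSvc/db01", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-01-01T08:02:05", "account": "alice", "ip": "10.0.0.5", "service": "http/web01", "etype": RC4_HMAC},
    # bob never requested a TGT from this DC, yet asks for a service ticket.
    {"id": 4769, "time": "2024-01-01T09:00:00", "account": "bob", "ip": "10.0.0.9", "service": "cifs/fs01", "etype": AES256},
]


def analyze(events, tgt_window=TGT_WINDOW, burst_span=BURST_SPAN, burst_threshold=BURST_THRESHOLD):
    """Return a list of findings; each finding names the rule, account and time."""
    events = sorted(events, key=lambda e: e["time"])
    last_tgt = {}                    # (account, ip) -> time of most recent 4768
    rc4_history = defaultdict(list)  # account -> [(time, service)] of RC4 service tickets
    findings = []

    for e in events:
        t = datetime.fromisoformat(e["time"])
        key = (e["account"], e["ip"])

        if e["id"] == 4768:
            last_tgt[key] = t        # external state: who actually obtained a TGT, and when
            continue
        if e["id"] != 4769:
            continue

        # Rule 1: service ticket requested although this DC saw no TGT issued to
        # the account/host inside the TGT lifetime window.
        tgt_time = last_tgt.get(key)
        if tgt_time is None or t - tgt_time > tgt_window:
            findings.append({"rule": "tgs_without_tgt", "account": e["account"], "time": e["time"]})

        # Rule 2: RC4 service ticket, then Rule 3: a burst of them across services.
        if e["etype"] == RC4_HMAC:
            findings.append({"rule": "rc4_service_ticket", "account": e["account"],
                             "service": e["service"], "time": e["time"]})
            hist = rc4_history[e["account"]]
            hist.append((t, e["service"]))
            hist[:] = [(ht, s) for ht, s in hist if t - ht <= burst_span]
            if len({s for _, s in hist}) == burst_threshold:   # emit once per burst
                findings.append({"rule": "rc4_burst", "account": e["account"], "time": e["time"]})

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Both rules need caveats a practitioner would raise immediately: in a multi-DC domain a TGT may have been issued by a different controller, so rule 1 only works once 4768 events from every DC are fused into one state store, and RC4 tickets are still legitimately requested by legacy systems, so rule 2 is a trigger for enrichment (which accounts, which SPNs, what baseline) rather than a verdict. That fusion and enrichment is exactly the context the article says plain SIEM heuristics lack.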
Crabtree took me through use-case examples in banking and other large-scale environments (being careful to preserve the privacy of these companies). In each case, the QOMPLX engine either enhanced the processing capability, or actually supplanted the existing environment. Given the power and generality of the underlying engine, starting with Kerberos and transitioning towards the ultimate SIEM-replacement use-case did not surprise me.
After my time with Crabtree, I tried to reflect on the key takeaways – and I have three: First, the QOMPLX platform looks like a sensible choice for enterprise teams using Kerberos. Identity analytics, especially if they are supported by advanced AI-based methods, will create new visibility and context, and will drive much better decision making in the enterprise. I can’t think of any reason why this would not be a priority.
A second takeaway, however, is that QOMPLX will have to address the inevitable organizational seam between the IT folks who own AD and authentication, and the security team that owns the SIEM and UEBA. This complicates sales processes, as well as ACDP ownership after installation. Crabtree did note that QOMPLX offers analytics such as AD privilege graph monitoring to help IT users in addition to security operations personnel.
My third takeaway is that the underlying generality of the QOMPLX platform obviously allows for more than just Kerberos. The company already does, for example, apply its technology to the insurance and financial trading decision-making processes. So, one would expect that the QOMPLX technology suite could assist with context for network monitoring, UEBA, DLP, and other aspects of the enterprise security architecture.
I’d recommend that you pick a day when you’ve eaten your Wheaties to call QOMPLX. They have great technology that can be super-powerful in adding context and increased visibility to your existing security processing systems. But as I’ve said – eat your Wheaties, because Crabtree’s team is smart, he knows his stuff, and he doesn’t slow down for dummies (like me). As always, let us know what you’ve learned after your meeting.