Let’s say your company is a place where no one works day-to-day logged in as an admin on their Mac. Everybody in this environment is also a computer expert, and therefore aren’t as prone to tomfoolery such as letting family members use their login to play Chrome games, and of course they don’t go to ahem riskier parts of the internet while using the computer their employer provided for them. Workflows for where to store data are well-defined, all generic (non-private) actions are logged and collected, and data that requires local storage is backed up efficiently. Computer management, from patches to configurations, is curated by their loyal sysadmin who follows the same practices as they expect their customers to use. Management is applied efficiently, over secure channels, and logical compromises allow flexibility when the computers leave known-good networks. (And no network is ever required to be trusted for safe operation – of course.)
Wake up! Your fever dreams are way too specific and geeky, by the way. Welcome to a series of posts about Mac SysAdminery, security-styled, for the rest of us without magic wands, self-driving Tesla’s, and excellent hair. Here on earth in 2016, you are outnumbered by those looking for casual profit… if you’re lucky and aren’t also an attractive target for espionage. Barring science fiction-like abilities, you can’t anticipate what exploits and attacks will look like tomorrow. Luckily, plenty of companies will gladly take your money for their brittle* kexts and resource-sucking, crowd-sourced advanced intelligence engines that use machine learning and algorithms to detect threats in real time, without the need for definition files, and can send voice commands to the user via UEFI. Over the next few posts we’ll provide summaries about what we consider the bare minimum that hopefully answers the question, “What security-focused product(s) should I use on Macs?”
What the Non-Experts Say
Especially when you hear the soundbites of certain politicians these days, there seems to be a general mistrust of… experts. Which should seem non-sensical on its face, but sometimes FEELINGS outweigh… reality? Anyway, a study performed by actual researchers, publicized by Google, found that non-experts have largely different priorities when it comes to their security practices than people who actually clean up after computer-related theft and espionage.
How do we be more like the people on the right? You weren’t expecting Patch Management at #1, were you? Going against this advice, have you been disabling autoupdaters because stability for your exact environment is more important, and you have metrics to track how fast patches go out? Then you probably are already on top of the situation and this particular advice isn’t as necessary to be influenced by. The rest of the common advice mostly focuses around managing secrets.
Does your institution have a way to store and transmit credentials securely, responsibly providing appropriate and logged access? PGP (before they were swallowed by Symantec) promoted a feature for managing ‘removable storage’ encryption, meaning flash drives or zip archives. You live in the real world, where people send passwords over Yahoo instant messenger (/meme what year is it). People, those soft things that bruise easily like fruit, they are the weakest link. Access control, logging of that access, and using encrypted channels of communication are all mostly solved problems once a base level of effort is expended, but it is far from intuitive or easy to validate for even technology professionals. THAT is one reason why you should at least listen to the subject matter experts and apply what you can.
Going back to the topic of managing software, the JAMF Software Server product can now treat software versions as first-class data types for evaluation, and Munki has long provided a customer-facing way to ensure software is applied in a timely manner. But that’s not the whole picture, obviously: monitoring relevant parts of the operating system that software accesses, and watching as new processes are launched, in as-close-to-real-time-as-possible, is vital. That doesn’t necessarily just mean aggregating logs, but the end goal should be sifting through what can be a firehose for actionable data, and watching these metrics over time for trends. And most importantly of all, after pushing notifications to responsible personnel in a timely fashion, having a process of remediation (preferably SEPARATE from detection).
Two open source tools that are the gold standard in striking a balance between privacy, ease of maintenance, and performance are Facebook’s osquery and Google MacOps’s Santa. There are BYOD environments using osquery to great effect to uncover indications of compromise, and thousands of machines are in Santa’s “lockdown” mode, where no applications from unknown developers can run without going through a user-accessible and scalable approval process. In upcoming posts we’ll go over some details about each, and hopefully prove the extent to which they are infinitely more proactive than most of the currently shipping commercial security products.
- By ‘brittle’ we mean those NOT using kauth/KPI’s and therefore playing in territory Apple may break at any time.