Kaspersky and the Department of Homeland Security Binding Operational Directive: Supply Chain Out of Your Control – Technically, Legally, Existentially

Fellow Security Architect
Gigamon

Having worked in network defense for the better part of 20 years, I’ve seen good and I’ve seen bad. I’ve come through many battles with my teams – and not always unscathed. We remember the troublesome incidents. We remember the complicated ones that were only solved through cooperation. We remember both friends and foes.

In my experience, antivirus vendor Kaspersky Lab has always been a friend to network defenders. The company’s research on certain malware strains has been second to none. With their wide footprint, I have always viewed them as a trusted resource and have used their guidance to better respond to serious breaches and protect my systems from compromise. Moreover, when I’ve run their products in large global deployments on proxies, they’ve always delivered.

So, is Kaspersky now a bad guy?

New Directive from the Department of Homeland Security

The supply chain has always been something that's a bit out of a company's control. One day, it's working; the next, you're told you can't use it anymore. That's what's happening with Kaspersky.

Last month, due to concerns over ties between certain Kaspersky officials and Russian intelligence and other government agencies, the U.S. Department of Homeland Security (DHS) issued a Binding Operational Directive (BOD) 17-01 that calls for all Federal Executive Branch departments and agencies to identify and remove any Kaspersky products from their information systems.

In one way, of course I get it. Kaspersky antivirus software doesn't run in a sandbox; it runs with system privileges. If it goes bad, it's game over. However, in the understaffed, overburdened world of information security (InfoSec), the process of identifying and removing it is extremely disruptive – not only because folks can no longer use something that they're accustomed to using daily, but because every person who's been reassigned to remove Kaspersky should be working on other projects.

What’s more, it’s important to remember that the problem is more embedded than just software running on systems. The problem also includes the fact that software gets updated.

For example, as reported by Andy Greenberg of WIRED, "Cisco's Talos division have both published detailed analyses of how hackers penetrated the network of the small Ukrainian software firm MeDoc, which sells a piece of accounting software that's used by roughly 80 percent of Ukrainian businesses. By injecting a tweaked version of a file into updates of the software, they were able to start spreading backdoored versions of MeDoc software as early as April of this year that were then used in late June to inject the ransomware known as Petya (or NotPetya or Nyetya) that spread through victims' networks from that initial MeDoc entrypoint."

Detecting Traffic to Kaspersky with the GigaSECURE Security Delivery Platform

As Gigamon Principal Engineer Jack Hamm and Luta Security CEO Katie Moussouris said during a talk at Black Hat 2017, it’s difficult to secure the supply chain – especially as problems like NotPetya originate in the supply chain and any supply chain compromise can affect the security of customers, users and devices.

The historic issue with endpoints has been that if you don’t know they are there, you can’t really manage what’s running on them. Heck, even if you do know they are there, management can still be difficult.

Today, however, there’s a new option – that starts with pervasive visibility. If you’re using the Gigamon GigaSECURE® Security Delivery Platform and metadata generation with Splunk Enterprise, you’ll have three ways to identify Kaspersky running on your network as outlined in the blog “How the GigaSECURE Security Delivery Platform Can Detect Kaspersky Products in Your Network.” Or, you can use Application Session Filtering (ASF) as outlined in the blog “Finding Kaspersky Traffic with GigaSMART Application Session Filtering.”
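The network-side approach described above, inventorying hosts that still talk to the vendor and then verifying that removal actually happened, as an added illustration that is not Gigamon's or Kaspersky's code. The NDJSON field names, the vendor hostnames and the timestamps are constructed for the example; a real deployment would query the metadata fields your platform actually exports.

```python
import json
from collections import defaultdict

# Indicator keywords searched in hostname-bearing fields (assumption: a
# case-insensitive substring match on the vendor name is enough for a sweep).
KEYWORDS = ("kaspersky",)
HOST_FIELDS = ("dns_qname", "http_host", "tls_sni")

# Constructed sample metadata records in NDJSON. Field names are assumed,
# not a real GigaSECURE or Splunk schema; hostnames are illustrative only.
SAMPLE_NDJSON = """\
{"ts":"2017-10-02T08:01:10Z","src_ip":"10.1.4.22","dns_qname":"updates.kaspersky.com"}
{"ts":"2017-10-02T08:01:11Z","src_ip":"10.1.4.22","tls_sni":"updates.kaspersky.com"}
{"ts":"2017-10-02T08:03:40Z","src_ip":"10.1.4.31","http_host":"www.example.org"}
{"ts":"2017-10-02T08:05:02Z","src_ip":"10.1.7.9","tls_sni":"TELEMETRY.KASPERSKY.COM"}
{"ts":"2017-10-03T09:12:00Z","src_ip":"10.1.4.22","dns_qname":"updates.kaspersky.com"}
{"ts":"2017-10-03T09:15:00Z","src_ip":"10.1.4.31","dns_qname":"time.example.net"}
"""

def parse_records(ndjson):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def is_vendor_host(value):
    v = value.lower()
    return any(k in v for k in KEYWORDS)

def find_vendor_hosts(records):
    """Map each internal source IP to the vendor hostnames it contacted."""
    hits = defaultdict(set)
    for r in records:
        for field in HOST_FIELDS:
            if field in r and is_vendor_host(r[field]):
                hits[r["src_ip"]].add(r[field].lower())
    return {ip: sorted(names) for ip, names in hits.items()}

def verify_removal(records, cleared_ips, cutoff_ts):
    """IPs reported as cleaned that still reached vendor hosts after cutoff.
    ISO-8601 Zulu timestamps of equal format compare correctly as strings."""
    after = [r for r in records if r["ts"] > cutoff_ts]
    still_talking = find_vendor_hosts(after)
    return sorted(ip for ip in cleared_ips if ip in still_talking)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_NDJSON)
    print(find_vendor_hosts(recs))
    print(verify_removal(recs, {"10.1.4.22", "10.1.7.9"}, "2017-10-02T23:59:59Z"))
```

A host that keeps resolving or connecting to vendor infrastructure after its removal ticket was closed is the signal to send back to the desktop team.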

When Friends Become Foes

So, back to my original question: Is Kaspersky a bad guy? I can remember when the U.S. government declared a certain Chinese router company’s technology unsafe – nay, a national security risk – to use. By all accounts, the scrutiny was merited and the guidance turned out to be right on. We simply can’t risk having sensitive or classified information compromised, especially when the result could be online attacks on critical infrastructure.

In the case of Kaspersky, I feel as though we’ve lost an ally in the war of network defense. I could be wrong, but if this new BOD causes the company to lose business, chances are it will need to shrink its staff and be unable to provide as in-depth and valuable research as before.

To learn more, don’t miss our webinar “SOC Talk: Phantom Automation for Faster Response Time.” You’ll find out how pervasive visibility can help you defend your organization when a good guy suddenly becomes a bad guy. We will walk you through how to use the GigaSECURE Security Delivery Platform to determine if, for example, Kaspersky has been removed and show how the Phantom Platform can automate the identification and removal process.
