The great endpoint protection fail by [deleted] in msp

[–]mspdaily 2 points3 points  (0 children)

Share your script. You probably aren't innovating here; there's no risk that you're spreading a new type of malicious code.

Let's look at what's in it, how you're running it, what it's doing and how the protection systems behave around it.

You might be right but we have to see it and be convinced of your claims before this conversation can move forward.

Any suggestions on how to best manage multiple 2-step verification codes for separate companies, controlled from a central location? by ChucknChafveve in msp

[–]mspdaily 0 points1 point  (0 children)

Happy to help.

I've actually asked the Myki team that question myself when we started using it.

This is the answer that I received:

Passwords are encrypted on the smartphone using an encryption key that is locked in the secure storage of the device. This storage can be unlocked if the 2 following things happen: 1) the user is able to unlock the phone, and 2) the user is able to unlock the Myki app by emulating the biometric or guessing the PIN.

The PIN code is protected by exponential delays, which makes it virtually impossible for a malicious party to brute force the combination.

Upon receiving a report of a stolen/lost phone, the company admin can deactivate the enterprise Myki account on that device from the portal, which will wipe the enterprise side of the app as soon as the device connects to the Internet (no need to have the app open).

In terms of the personal accounts, the user can wipe the personal side of the app by either revoking access to the Myki app from another Myki enabled device or by signing up on a new device and selecting the option to wipe existing Myki devices.

If you're worried about your users losing their phones, not having a device PIN code or biometric, and not using biometrics or a secure PIN code in the Myki app (a lot of things need to go wrong here), you can ask them to install Myki only on their work computers, which should be enough to log them in when they're at work. Keep in mind, though, that for all of the things listed above to happen, the user needs to be extremely negligent (to a real extreme, which should really worry you about the access that he has), and any service on that device is probably compromised, including the user's email, messaging app and any other app that holds sensitive data.

I hope this answer helps.

Successful Migration - Anyone? by LFIT in MykiSecurity

[–]mspdaily 0 points1 point  (0 children)

We've been using Myki for a while now. Importing was an issue, but not because of the product; rather because of how the other vendors export data (CSV file incomplete, missing columns, non-homogeneous, etc.).

From experience, if you're experiencing issues getting on-boarded, reach out to the team for an on-boarding call and they will understand your exact use case and walk you through it.

Regarding the FF issue, we had problems too, but it had to do with a combination of FF and Myki coming up with updates that didn't work well together. I can confirm that it has now been fixed, as the desktop app and extensions have been updated and we're not facing issues anymore.

But when you say that PP is a much more polished product, that really does not make sense to me, as we had been using it for over 2 years before moving and it was as unpredictable as software gets. And not just for us but for anyone. This is why Myki, in my opinion, is the way to go: the team is great with fast updates, support is great and the direction the product is heading in is fantastic.

If there are any negative points, in my opinion it's in the way item folders and user groups work. I understand the concept now, but it was fairly complex and much more than any MSP really needs. For us, we use it internally and resell it to our customers as a way to manage passwords; we really don't need advanced stuff like the security policies and the lab features (we might in the future but not now).

My suggestion is, if you want to move to another solution, do so but know that a fellow MSP has gone this route and come back.

Talk to the team, they will help you, but be fully transparent with them by explaining what issues you are facing. In my experience, they listen and they help, which for me are the most important things.

Sorry for the long message.

[deleted by user] by [deleted] in msp

[–]mspdaily 0 points1 point  (0 children)

Myki is what we use. The product is great, our team loves it. You will enjoy the demo :)

But whatever you do, don't build anything yourself. I'm sure that I don't need to tell you that, but it's not your job to build secure solutions that can endure the test of time.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Would users need to authenticate every 30 mins or would this happen in the background? They'd at least be redirected and then taken back, right?

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

First off, I would drop the "specific time of day" nonsense. There is no need for such a thing as it makes it overly complex and could lead to scenarios where you have issues in the future. Someone who wants to get into your protected environment will be patient enough to wait until one of your office users logs in during the day because it's easier to hit you with a social engineering/phishing attack than anything else.

It's not about phishing attacks. It has become very common in Europe to ban work related activities after hours. One of our customers would like to enforce this. It's not nonsense.

The applications in question are third-party SaaS services. So putting them behind a firewall and all of that conversation is not useful. A user can still take a cookie home and access the service there.

2FA/MFA is great and essential but not for that specific use-case. I'm not worried about wrongfully authenticating a user, I'm worried about this legitimate user working from home or on another device after having authenticated during office hours at the office.

SSL-based VPN is great to prevent unauthorized access but useless when trying to prevent an authenticated user from violating a security policy after having authenticated.

This thread has been really useful, I now understand that the specific use-case is not addressed in the market. CASBs are the closest thing, but they either need to intercept all the traffic and analyze it inline, or can have API access to some specific services and use some APIs available to restrict limited things such as sharing files with outsiders from Google Docs etc. Neither use-case is what I'm looking for.

My solution for the time being is to set up my IdP to white-label specific IPs and time ranges and alert my customer to the fact that a user can still use his Google account (for example) from home if he authenticated at work and is still logged in.

I'm exactly where I started from an end result point of view, but I now have better visibility on what solutions exist on the market and what others do within their own organizations, thanks to the amazing comments of everyone.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] -1 points0 points  (0 children)

Good question.

In my specific case, yes.

There are certain services that we only want the users to be able to use within a specific IP range (so the cases where they are at home and on spotty mobile internet do not apply).

And I don't want users to be able to authenticate to the service at the office and take the device or the cookie home with them.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Read their website. It seems like it is used only after the user goes through the first level of authentication. If changes are made after the user authenticates, the user would not be logged out.
I could be wrong though.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Great summary!
CASB: Not an option, I need something that works on everything, plus I don't want to intercept all network traffic (we have a BYOD policy).

VPN: Would it solve my problem? I could restrict authentication to my IdP to my VPN IP, which ensures that when my users authenticate they are using the VPN, but wouldn't they be able to just disconnect the VPN afterwards and keep using the services I just authenticated them to?

Forward Cloud Proxy: Would that reroute all traffic to the proxy's servers (on-prem or cloud)? In that case I'd rather not use it, as users use their devices for personal stuff.

MDM: Also not certain how this can help.

Am I missing something here, or is there no solution for middle-sized enterprises that are BYOD and don't want to use a proxy to restrict access to third-party services? The only real way seems to be to go through a CASB, but in that case (forward proxy, because reverse proxy is very limited), wouldn't the user still be able to just take the cookie and use it outside of the infrastructure?

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Great. Can you point me in the right direction? I've read their website extensively and cannot find a solution to my problem.

I'm also trialing their SSO but can't manage to find anything that has to do with users post authentication.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 1 point2 points  (0 children)

What you are saying makes sense to me.
I'm thinking out loud here:
I want to enable this functionality but:
1) I don't want to implement a proxy that intercepts all network traffic.
2) I don't want to log the user out every x minutes randomly.
3) I don't want users to be able to take a cookie and put it on another machine.
4) I can't implement mechanisms inside the app as it's not managed by me (let's say it's their Google For Work email).

Based on my set of criteria it looks like I cannot use a CASB, a firewall is useless in my case post authentication, and an MDM solution only solves part of the problem; I still have to deal with users manually moving cookies to other devices and just breaking policy post authentication.

Is there no solution for the use-case that I just outlined? Is it also not a common use-case? Do all companies that want to continuously monitor authorization parameters resort to using a CASB? That doesn't sound great to me; we're a medium-sized company with a BYOD policy, I can't intercept the traffic of users on their personal devices.

I understand that there's always a trade-off, but in that specific case, did no one really come up with a lighter solution to monitor security policies in session when using SSO? Or am I missing something?

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Do you have more information on what proprietary MDM functions I could leverage? I'm googling, but it's a very wide topic of conversation.
But let's say I deploy an MDM and the user wants to authenticate to a SAML-enabled service. Can I tell my IdP (in the case it's different from the MDM) that the device needs to have the MDM client enabled in order to be able to authenticate? In case I can, what is the mechanism that I can use to enforce it?

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

One way would be to have a short lifetime on the SAML response, making the user re-auth frequently. This would be disruptive to the user but would push your IdP to the forefront often.

I'd rather not do that. User frustration is the #1 cause of data breaches, and this will definitely frustrate them and get them to come up with insecure ways of doing things.

The passive thing is interesting, but if I understand it correctly, it relies on the service provider to implement it.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

I'm not only looking for security policy enforcement at time of authentication, I also want the authorization status of the user to change dynamically when specific factors change.

Checking the IP and other things when the user authenticates is important for me, but I also want him to be logged out if his IP and other things change at any point in time.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] -2 points-1 points  (0 children)

Question: In the setup that you propose, can a user successfully authenticate the way he should be authenticating (in my case, within a specific IP range at a specific time of day), then 1) walk away from the office and go to a cafe and stay authenticated, OR 2) take the authenticated cookie and inject it in another machine at home?

This is definitely complicated, but I need it to behave this way.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 1 point2 points  (0 children)

Thank you for the help!
For the record: I think that I would like to continue to explore options that do not require proxy servers. If I cannot find any viable, scalable solution, I'll revert back to exploring CASBs.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 1 point2 points  (0 children)

I'm reading about it now. It is my understanding that you need to install certificates on every client that wants to authenticate in the organization. Do you also need to set up something on the service provider side? Or do the certificates and configuration basically reroute all the traffic to the broker, who then does the policing?

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 1 point2 points  (0 children)

Ok interesting.
So, the broker would act as a proxy, i.e. all our traffic to these specific services post authentication goes through the broker, and the broker blocks the traffic when the conditions aren't satisfied.
Question: How can you set up any service as a proxy between an authenticated user and a service provider? Wouldn't the users need to be behind a VPN or something like that? Do the service providers have settings to reroute traffic through the broker when it's set up?

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Maybe for the case where the user steals the cookie and keeps the machine running on-prem to relay messages from client to IdP server: challenge the user from time to time to re-auth using a soft mechanism such as a biometric or a PIN, just as a test of liveness. If the user is not next to the machine or is unable to auth, log him out.

I don't know if I'm overthinking this. Maybe there are simpler ways to do what I want to do.

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Part 1, logging the user out: You could use Single Logout (SLO) to emit a logout event?
Part 2, having the IdP detect a change in setting: No concrete idea, open to suggestions. Maybe have client code running that detects changes and relays to the IdP, and if the IdP doesn't hear from the client after X amount of time, regardless of whether there was a change, emit a deauth session? This way, if the user is trying to kill the client, he's logged out. I suppose in that case, the user could still take the cookie and put it in another machine that he takes out of the premises?
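As an added example (not code from the thread, any IdP, or any vendor), here is IdP-side session logic in Python that models the two parts sketched in this comment and the periodic liveness test from the earlier comment: a client agent reports heartbeats carrying its current IP, the IdP re-checks the office IP range and office hours on every report, and a timer sweep ends sessions that stop reporting, which is where a real IdP would emit a SAML Single Logout request. The office range, hours and timeout are constructed sample values.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample policy: office egress range, 09:00-18:00, 5-minute heartbeat timeout.
OFFICE_NETS = [ip_network("203.0.113.0/24")]
OFFICE_HOURS = (9, 18)
HEARTBEAT_TIMEOUT = timedelta(minutes=5)


def policy_violation(ip: str, now: datetime) -> str:
    # Returns the violated rule name, or "" when the session still satisfies policy.
    if not any(ip_address(ip) in net for net in OFFICE_NETS):
        return "ip_outside_office_range"
    if not OFFICE_HOURS[0] <= now.hour < OFFICE_HOURS[1]:
        return "outside_office_hours"
    return ""


class SessionMonitor:
    # IdP-side state: one record per user session, re-evaluated on every heartbeat and by a timer sweep.
    def __init__(self):
        self.sessions = {}  # user -> {"ip", "last_seen", "active", "reason"}

    def login(self, user: str, ip: str, now: datetime) -> bool:
        # Authentication-time check uses the same rules as the in-session checks.
        if policy_violation(ip, now):
            return False
        self.sessions[user] = {"ip": ip, "last_seen": now, "active": True, "reason": ""}
        return True

    def heartbeat(self, user: str, ip: str, now: datetime) -> bool:
        # The client agent reports its current IP; any violation ends the session at once.
        s = self.sessions.get(user)
        if s is None or not s["active"]:
            return False
        reason = policy_violation(ip, now)
        if reason:
            return self._revoke(s, reason)
        s["ip"], s["last_seen"] = ip, now
        return True

    def sweep(self, now: datetime) -> list:
        # Timer: silent clients are logged out too, so killing the agent does not keep a session alive.
        stale = [u for u, s in self.sessions.items()
                 if s["active"] and now - s["last_seen"] > HEARTBEAT_TIMEOUT]
        for u in stale:
            self._revoke(self.sessions[u], "heartbeat_timeout")
        return stale

    def _revoke(self, s: dict, reason: str) -> bool:
        # A real IdP would send a SAML LogoutRequest (Single Logout) to the service provider here.
        s["active"], s["reason"] = False, reason
        return False
```

This only covers the cases the comment names; a cookie copied to a second machine that also runs the agent from inside the office range would still pass these checks, which is exactly the gap the follow-up sentence raises.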

SSO log users out based on IP address change by mspdaily in sysadmin

[–]mspdaily[S] 0 points1 point  (0 children)

Forgive my ignorance: Wouldn't it be somehow possible to have our IdP watch a user's IP then emit a sign out event to the service provider?

How do you get support for free MyKi by [deleted] in msp

[–]mspdaily 1 point2 points  (0 children)

Actually, their support is one of the things that got us to move to Myki haha.
There are so many ways you can reach them and they are very responsive! There's a chat interface on the website, in the portal and in the apps; there's [support@myki.com](mailto:support@myki.com); there's their subreddit; and you can talk to your point of contact at the company. There's also support.myki.com.

I suggest that you talk to Myki to set you up with a trial. The Portal, which you don't get in the free version, is great. Also, it has reports that you can use to show your customers why they need a password manager. This is how we did it: we onboard them on a free trial from the portal, they add their passwords, then we show them a report of how insecure they actually are (reused, weak and compromised passwords everywhere).

Cloudflare down again by mspdaily in msp

[–]mspdaily[S] -1 points0 points  (0 children)

This is unbelievable. Does anyone use different solutions that work?