At first, the title of this blog sounds like an excuse. It’s the sentence that almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!) In my view it’s a bad excuse if you present it after everything has fallen apart and only then start working on it. You need to work on it every day.
In this series of 3 blog posts we’d like to share a bit of the Serious work we’re doing at TOPdesk to Secure our customers’ data. We’re doing this not just to keep the data safe, but also because Security is an amazingly interesting and fun topic to work on.
In part 1 and part 2 we talked about making all our colleagues aware of the risks, and how we help Developers write Secure code. In this part we’d like to tell you how we’re continuously monitoring our software for suspicious behavior and how we can respond if something needs our attention.
Monitoring and Incident Response
Once we have deployed our software, we need to make sure that there’s no abuse. We have outsourced a lot of the monitoring for this to Cloudflare. All traffic to our servers is going through their proxies, so they can analyze everything that goes in and block any potential attacks. Because doing security configuration can be tricky, they make it very easy for us, so that we don’t have to think about it too much. This way, we can give our customers the most secure experience.
One of their strong points is their WAF, a web application firewall with thousands of rules to recognize and block suspicious requests. In part 2 we talked about pentests being executed by customers. Through this WAF we can recognize exactly when and how they are testing our environment. At the moment they start hitting our servers, we see a big spike in suspicious behavior on that particular domain.
Apart from the monitoring by Cloudflare, Fox-IT also helps us out in fending off attacks. We make use of their managed Intrusion Detection Service (IDS). Cloudflare is mostly looking at individual packets that need to be blocked. Fox-IT analyzes the traffic for bigger attack patterns and threats. We are actively informed and advised on remedial actions when malicious attempts are observed.
We ourselves also keep an eye on what comes in and what goes out. For example, we have logs of CSP violation reports in which we can see if hackers are trying to execute scripting attacks, or otherwise trying to alter our webpages. Report-uri is helping us to get an overview of all these violations.
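As an added illustration of the kind of overview described above (example code, not TOPdesk’s or Report-uri’s own), this script takes the JSON bodies a browser POSTs to a report-uri endpoint, separates browser-extension noise from violations that look like a script injection attempt, and counts them per page. The report bodies, hostnames and paths are constructed samples.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# blocked-uri schemes that are almost always browser extensions, not attacks on the page
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "about"}

# Constructed sample reports, shaped like the JSON a browser sends as application/csp-report.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example.invalid/tickets/42",
                               "effective-directive": "script-src", "blocked-uri": "inline",
                               "script-sample": "alert(document.domain)"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example.invalid/tickets/42",
                               "effective-directive": "script-src",
                               "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example.invalid/login",
                               "violated-directive": "style-src 'self'",
                               "blocked-uri": "https://fonts.example.invalid/roboto.css"}}),
    "not json at all",  # a malformed body should be counted, never crash the collector
]

def parse_report(raw):
    """Return the inner csp-report object, or None when the body is not a CSP report."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return None
    rep = body.get("csp-report") if isinstance(body, dict) else None
    return rep if isinstance(rep, dict) else None

def classify(rep):
    """Label one report: 'noise', 'suspicious' (possible script injection) or 'review'."""
    blocked = rep.get("blocked-uri", "")
    directive = rep.get("effective-directive") or rep.get("violated-directive", "")
    if blocked == "" or urlparse(blocked).scheme in NOISE_SCHEMES:
        return "noise"
    if directive.startswith("script-src"):
        # an inline script the page never shipped, or a script pulled from a foreign origin
        if blocked == "inline" and rep.get("script-sample"):
            return "suspicious"
        if urlparse(blocked).scheme in ("http", "https"):
            return "suspicious"
    return "review"  # style/img/font violations etc. usually mean a policy gap, not an attack

def triage(raw_reports):
    """Count (label, page path) pairs over a batch of raw report bodies."""
    counts = Counter()
    for raw in raw_reports:
        rep = parse_report(raw)
        if rep is None:
            counts[("malformed", "-")] += 1
            continue
        counts[(classify(rep), urlparse(rep.get("document-uri", "")).path)] += 1
    return counts

def suspicious_pages(counts):
    """Pages with at least one suspicious report, the ones worth a closer look first."""
    return sorted({page for (label, page) in counts if label == "suspicious"})
```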
All of this monitoring and alerting wouldn’t help a lot if no one were looking at it, or deciding on what action to take. Our Operations department is available 24/7 to respond to incidents. Whenever Fox-IT recognizes an attack, it may not immediately be clear how to respond: should we contact the customer? Perhaps they’re performing a pentest which they forgot to announce? Perhaps they have a disgruntled employee? Someone ‘trying out’ a tool without realizing what they’re doing? Or perhaps it’s a real attack after all? Fox-IT has a lot of experience in distinguishing between these situations, so they advise us on how to follow up. And with our regular feedback they can further improve their advice and response next time.
Sometimes it happens that customers or other external people accidentally find vulnerabilities that they would like to share with us. Apart from calling us or registering an incident directly, we have a dedicated email address available for responsible disclosure: email@example.com. This mail address is monitored at all times, and usually gets a response within 24 hours.
Our Operations people are also the ones who are most involved in guaranteeing our SOC 2 compliance. SOC 2 is an auditing procedure that ensures we manage customer data securely, and that we’re taking care of Security, Confidentiality and Privacy. Apart from this certification, our hosting partners also have many certifications, which helps us cover another important part of the service chain. By having our SaaS hosting procedures audited on a yearly basis, customers know that TOPdesk keeps its promises regarding data security and privacy. SOC 2 ensures that no important topics are forgotten in the audit.
If ever a hacker manages to get through, or if customers just have questions about Security, we have a Support department with very talented people. Together with our Security Guild members they are ready to respond to any (Security) question. As we mentioned in part 1, our Supporters get trained in Security regularly. They need to recognize when Security may be at stake, even if the customer just calls about what they think is an innocent bug. Security questions immediately get escalated to a sub-group of people who are most experienced in ensuring the Security incident gets a proper and timely response.
When a customer calls with a specific Security question, we always aim to respond within a day. The more important the situation, the quicker we’ll be. Even if we get a long pentest report with many remarks, we try to have a response ready in 1 or at most 2 days. I’m happy to say that it rarely happens that they find any high risk vulnerabilities.
Often in software development, a formal process is used to deal with Security: the Secure Software Development Lifecycle, e.g. Microsoft’s Security Development Lifecycle (or SDL). Although at this moment we’re not explicitly using the SDL, from these three blog posts you can see that we could easily tick most boxes for its practices. SDL can give you a lot of inspiration if you want to do more about Security in your company. Perhaps in the future we’ll make this more formal for our Software Development.
All of this preventing, teaching, helping, testing, scanning, monitoring, responding and improving allows us to deliver the most Secure software. Does that mean that there’s nothing we can (or should) do to improve? Of course not, but I’ll leave the specifics of that for another blog post. There are still more techniques that we can (and will) use. We need to keep up with the bad guys. I hope this gives you a bit of an idea of our Serious approach to Security.