Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.

March 6, 2014

Updated a Potentially $ Trillion Cyber Security Algorithm Last Week


My sincere apologies for the unintended lapse in sharing thoughts via this blog, which has primarily been on account of us having received a "seemingly" simple request late last year, the fulfillment of which required my involvement and time.
We Need to Know, NOW

A few days after I penned my last blog entry, we received a request from a rather prominent U.S Government agency (i.e. one with a 3-letter acronym ending in A) that happens to have a rather large and complex Active Directory environment.

Administrative/Privileged Access Holders

The request was seemingly simple – we were requested to try and do our best to enhance the performance of Gold Finger’s unique administrative access assessment/audit capabilities, so that Gold Finger could help them “swiftly” identify exactly who had what administrative powers (aka the “keys to the kingdom”) in their environment.
By “swiftly” I mean, within a matter of minutes.

Gold Finger could already identify and reveal paramount administrative access/entitlement insight like Who can effectively reset the password of any user in the organization to instantly login as him/her, within minutes in most deployments. It was in complicated environments that it could sometimes take an hour or more. An hour's not that bad at all, considering the sole alternative, which is to try and do the same manually (using basic tools), which could easily take months, if not years. 
But I suppose they needed Gold Finger to be able to do the same in their "complex" AD deployment, within minutes.
Why they needed this is not ours to question. (We don’t question - we only deliver.) But if I had to guess, I'd say its probably because they understood the risk associated with an insider being able to identify and exploit unauthorized access grants in their Active Directory to gain access to and subsequently tamper, divulge or destroy virtually any IT resource he/she wanted to, at will, and may have thus felt the need to attain and maintain least-privileged access (LPA) in their foundational Active Directory at all times, given that access provisioned in AD is always changing, even if by a little.

Anyway, this was, as I said a "seemingly" simple ask.

I say "seemingly" simple because as the architect of Gold Finger, I'll be the first to tell you that the only thing harder than making something as sophisticated as Gold Finger, is trying to make it much faster. Here’s why -

When you press the Gold Finger button, almost half a million lines of code go to work in a magical black box, and within minutes, they reveal completely accurate, instantly actionable and mission-critical effective access insight in plain English.
For instance, when you select a report like Who can reset user account passwords across a domain of say 50,000 users, Gold Finger literally determines effective permissions on 50,000 user accounts in a single shot. That's no easy task. To begin with, it involves retrieving almost 5 million ACEs, doing the relatively easy stuff (resolving 1000s of SIDs, expanding 1000s of direct/nested/circular group memberships, etc. etc.) and then the difficult stuff (assessing millions of access grants taking into account over a dozen factors), to ultimately identify and reveal exactly who can reset whose passwords. There’s also a lot that can go wrong at any point so you have to be able to deal with virtually every potential unknown.

In essence, there are over a 100 different inter-dependent logical functions that operate in unison to do at a touch of a button, what is generally considered almost impossible to do. In other words, there’s just so much complexity involved that trying to make the smallest change, let alone trying to accomplish even a 10% performance gain, can be quite difficult.

So, although this seemed like a simple ask, what was required to deliver on it was in fact a combination of deep subject matter expertise, utmost discipline, world-class software-engineering, and of course comprehensive testing.

After months of highly disciplined work (some of which was already in progress), our Engineering teams ultimately achieved what was no easy feat - making Gold Finger faster. Not just a little faster, but up to 5 times faster.


Gold Finger 6.0

Gold Finger 6.0 embodies our patented cumulative access entitlement technology and is the culmination of over half a decade of innovative cyber security research and development. It is not only the world's fastest cyber security solution that can accurately identify and reveal the identities of all individuals who effectively possess (any level of) administrative / privileged access in Microsoft Windows Server based IT infrastructures powered by Active Directory, it may possibly be the world's ONLY cyber security solution that can do so.
A Potentially Trillion $ Algorithm 

As you may know, in most organizations worldwide today, the compromise of a single administrative / privileged account could be sufficient to inflict colossal and often irreversible damage to the organization, so the need to know exactly who has what administrative access in Active Directory (which stores and protects the keys to virtually every lock in the kingdom) is paramount. 
For those, to whom this seems overstated or far fetched, there’s just one name to mention – Edward Snowden.

In our efforts to fulfill this request, not only were we able to help one of the world’s most important government agencies, we have also been able to (now) empower virtually every organization worldwide to finally be able to know within minutes with complete accuracy, exactly who has the proverbial keys to their kingdoms.

With over 85% of all government and business organizations worldwide running on Active Directory, including virtually the entire Fortune 1000, even we’re not sure how to value an algorithm that can uniquely and instantly help determine exactly who’s got the keys to the(se) kingdom(s).
All we know, and care deeply about, is helping organizations worldwide attain and maintain least-privileged access (LPA) in their Active Directory deployments, because we believe nothing is more important than “defending the keys to the kingdom”.
Alright, back to work.

Best wishes,

PS: Sadly, it takes just ONE malicious or coerced insider with admin/privileged access to inflict colossal damage.