Dr David Chismon, Security Consultant
F-Secure Consulting uses Slack for some internal messaging. When onboarding the logs, we noted that they give good user agent information, including specific versions of browsers and mobile devices. One challenge some organizations have found is that iOS updates only install when the device is on WiFi and above a certain battery level, so user involvement is often required. The logs confirmed our suspicion that there were a number of outdated devices in F-Secure Consulting’s mobile fleet. While we suspected there might be a few, we were surprised by the number: around 20%.
Investigation of a few cases found a mix of reasons why automatic updates were not working. For iOS, the WiFi and battery-level requirements meant that, because many employees never used WiFi, the updates were never triggered. Another common cause of lackadaisical patching was that a number of our consultants run Linux with Chrome (or Chromium); Chromium lags behind Chrome in patches, and several Linux distributions then take time to update their repositories.
The concept of "ChatOps" is gaining traction: using bots integrated into messaging systems such as Slack, Microsoft Teams, or Symphony to confirm actions, remind users, or otherwise benefit security. Jacques Louw, our Technical Director for F-Secure Consulting in South Africa, wrote a Slack bot that integrates with our monitoring to ask users to update, and produced internal stats showing which offices were doing better and worse.
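To show what the monitoring side of this looks like, here is an added example (not Jacques' bot and not F-Secure's code) that turns Slack access-log entries into an outdated-device list and a per-office leaderboard. The log entries, the user-to-office mapping and the minimum-version baseline are all constructed placeholders; the field names follow Slack's `team.accessLogs` output, but the values are made up. It keeps only the most recent entry per user and product, so a device that has since been updated is not still reported as outdated from an older log line.

```python
import re
from collections import defaultdict

# Constructed sample entries. The field names (user_id, user_agent, date_last)
# follow Slack's team.accessLogs output, but every value here is made up.
SAMPLE_ACCESS_LOGS = [
    {"user_id": "U001", "date_last": 1577000000,
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Slack/19.10.10"},
    {"user_id": "U001", "date_last": 1577900000,  # same user, seen again after updating
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Slack/19.12.20"},
    {"user_id": "U002", "date_last": 1577900000,
     "user_agent": "Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Slack/19.12.20"},
    {"user_id": "U003", "date_last": 1577900000,
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36"},
    {"user_id": "U004", "date_last": 1577900000,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"},
    {"user_id": "U005", "date_last": 1577900000,
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Safari/605.1.15"},
]

# Constructed user -> office mapping (in practice this comes from HR or a directory).
USER_OFFICE = {"U001": "London", "U002": "London", "U003": "Cape Town",
               "U004": "Cape Town", "U005": "Helsinki"}

# Placeholder baseline: minimum (major, minor) per product that counts as patched.
# Illustrative numbers only, not a real release table; refresh from vendor data.
MINIMUM_VERSIONS = {"ios": (13, 3), "chrome": (79, 0)}

UA_PATTERNS = {
    # iPhone reports "CPU iPhone OS 13_3", iPad reports "CPU OS 13_3".
    "ios": re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)"),
    # Chromium builds also carry a Chrome/ token, so one pattern covers both.
    "chrome": re.compile(r"Chrome/(\d+)\.(\d+)"),
}


def parse_user_agent(user_agent):
    """Return (product, (major, minor)) for a recognised UA, else None."""
    for product, pattern in UA_PATTERNS.items():
        m = pattern.search(user_agent)
        if m:
            return product, (int(m.group(1)), int(m.group(2)))
    return None


def latest_per_user_product(logs):
    """Keep only the most recent entry per (user, product).

    A user who has updated still has older entries in the log; counting
    them would keep reporting a device as outdated after it was patched.
    """
    latest = {}
    for entry in logs:
        parsed = parse_user_agent(entry["user_agent"])
        if parsed is None:
            continue  # unrecognised client: no version policy to apply
        product, version = parsed
        key = (entry["user_id"], product)
        if key not in latest or entry["date_last"] > latest[key]["date_last"]:
            latest[key] = {"user_id": entry["user_id"], "product": product,
                           "version": version, "date_last": entry["date_last"]}
    return list(latest.values())


def find_outdated(logs, minimums=MINIMUM_VERSIONS):
    """Current devices whose version tuple is below the baseline."""
    return [d for d in latest_per_user_product(logs)
            if d["version"] < minimums[d["product"]]]


def office_stats(logs, user_office, minimums=MINIMUM_VERSIONS):
    """Per-office (outdated, total) device counts for a leaderboard."""
    totals = defaultdict(lambda: [0, 0])
    outdated = {(d["user_id"], d["product"]) for d in find_outdated(logs, minimums)}
    for d in latest_per_user_product(logs):
        office = user_office.get(d["user_id"], "unknown")
        totals[office][1] += 1
        if (d["user_id"], d["product"]) in outdated:
            totals[office][0] += 1
    return {office: tuple(counts) for office, counts in totals.items()}


if __name__ == "__main__":
    for d in find_outdated(SAMPLE_ACCESS_LOGS):
        print(f"{d['user_id']}: {d['product']} {d['version']} is below {MINIMUM_VERSIONS[d['product']]}")
    for office, (bad, total) in sorted(office_stats(SAMPLE_ACCESS_LOGS, USER_OFFICE).items()):
        print(f"{office}: {bad}/{total} devices outdated")
```

The outdated list is what a reminder bot would message users about; the office stats are the per-office comparison. Clients the patterns do not recognise (the macOS Safari entry above) are skipped rather than guessed at, which is the safer default when the baseline only covers a few products.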
We ran this for a few weeks and occasionally encouraged offices that were lagging behind until one Friday:
Jacques' bot only took a couple of days to write and then a few weeks to get us to our goal. As such, we're now looking at other ways we can use SaaS logs and ChatOps for preventative security. There is a balance to strike: we do not want to bug users with so many ChatOps messages that they become habituated to the alerts and start to ignore them. If that can be avoided, however, the potential for scaling a security team's efforts is huge.