Groundhog Day

The Movie

I love Groundhog Day.  Not because the holiday tells me anything useful about how much longer winter will last, but because it inspired one of my all-time favorite movies of the same name, Groundhog Day.  If you haven't seen it, go see it now and forget about this article.  If you keep reading anyway, spoiler alert: I'm going to talk about what happens in the movie.

It goes something like this: the universe has decided to teach a lesson to a spoiled, selfish, self-centered (but hilariously funny) Phil Connors, played by Bill Murray, by forcing him to live the same day over and over again.  Every morning he wakes up to Sonny and Cher singing "I Got You Babe" on the local radio station.  Every morning everything is the same as it was the morning before, and the only person aware of it is Phil.  I don't think we ever really learn how many times he relives that day, but the impression is that it is hundreds, if not thousands.  Does he ever learn the lesson?  Well, see for yourself, because that is not the point of this post.

Groundhog Day your assets

If we think of the universe as an endpoint and Phil Connors' brain as NVRAM, we have a nice analogy for another layer of protection for our systems: reset them every day (except for the stuff that changes that you actually care about).  Most users make a very small footprint of changes on a system in a given day.  If we can isolate their sandbox from the rest of the system and snap it back to Groundhog Day every morning when they arrive, or every evening when they depart, then anything that should not have happened will effectively have unhappened when we snap back.

The point of this post is that there is a paradigm here that we should be taking advantage of in some realms of cyber security.  It is this: when the vast majority of the information on a system does not need to change, why do we ever allow it to change?  Yes, systems drift slightly from day to day, in small but unimportant ways, but most of those changes can be ignored and reset to the golden image at an appropriate time every day, such as when the user departs or during a nightly maintenance window.  The NVRAM is whatever state is appropriate to that user or server (a source code repository, a database, a file system snapshot, etc.), and it is the one thing you deliberately carry across the reset.  This concept can, perhaps even more easily, be applied to servers.
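To make the reset concrete, here is an added example (my own code, not anything from the post): a POSIX shell script that snaps a directory tree back to a golden copy while carrying across an allow-listed set of paths, which play the role of the NVRAM. Before wiping, it also reports what drifted from the golden image, so the nightly reset doubles as a crude change report. The golden and live directory locations, the persist list and the sample files are all constructed for the demo and are assumptions, not anything a real deployment would use as-is.

```shell
#!/bin/sh
# Added example (not code from the post): a "Groundhog Day" reset for a
# directory tree. Everything under LIVE is discarded and re-created from
# GOLDEN, except the relative paths listed in PERSIST_FILE (one per line,
# no blank lines), which are carried across untouched. The demo locations
# below are constructed for this example.
set -eu

# Report what drifted from the golden image, ignoring persisted paths.
# Worth shipping to a SIEM: anything listed here "happened" and got undone.
ghd_drift() {            # ghd_drift GOLDEN LIVE PERSIST_FILE
  diff -rq "$1" "$2" 2>/dev/null | grep -v -F -f "$3" || true
}

ghd_reset() {            # ghd_reset GOLDEN LIVE PERSIST_FILE
  golden=$1 live=$2 persist=$3
  case "$live" in ""|/) echo "refusing to reset '$live'" >&2; return 1 ;; esac
  stash=$(mktemp -d)
  # 1. Carry the allow-listed state (the "NVRAM") out of the way.
  while IFS= read -r p; do
    [ -e "$live/$p" ] || continue
    mkdir -p "$stash/$(dirname "$p")"
    cp -R -p "$live/$p" "$stash/$p"
  done < "$persist"
  # 2. Throw the live tree away wholesale and restore the golden image.
  rm -rf "$live"
  cp -R -p "$golden" "$live"
  # 3. Put the persisted state back on top of the fresh image.
  while IFS= read -r p; do
    [ -e "$stash/$p" ] || continue
    rm -rf "$live/$p"
    mkdir -p "$live/$(dirname "$p")"
    cp -R -p "$stash/$p" "$live/$p"
  done < "$persist"
  rm -rf "$stash"
}

# --- constructed demo data (not a real system) ---------------------------
DEMO=$(mktemp -d)
DEMO_GOLDEN=$DEMO/golden
DEMO_LIVE=$DEMO/live
DEMO_PERSIST=$DEMO/persist.txt
mkdir -p "$DEMO_GOLDEN/etc" "$DEMO_GOLDEN/home/user" "$DEMO_GOLDEN/tmp"
printf 'root:x:0:0\n' > "$DEMO_GOLDEN/etc/passwd"
printf 'home/user\n' > "$DEMO_PERSIST"          # the only path allowed to persist
cp -R -p "$DEMO_GOLDEN" "$DEMO_LIVE"            # yesterday's image, now live

# A day's worth of activity: legitimate work in the persisted area, plus
# two changes nobody asked for.
printf 'todo: patch log4j\n' > "$DEMO_LIVE/home/user/notes.txt"
printf 'eve:x:0:0\n' >> "$DEMO_LIVE/etc/passwd"     # extra uid-0 account appended
printf '#!/bin/sh\n' > "$DEMO_LIVE/tmp/dropper.sh"  # stray script left in /tmp

echo "Drift before reset:"
ghd_drift "$DEMO_GOLDEN" "$DEMO_LIVE" "$DEMO_PERSIST"
ghd_reset "$DEMO_GOLDEN" "$DEMO_LIVE" "$DEMO_PERSIST"
echo "Drift after reset (should be empty):"
ghd_drift "$DEMO_GOLDEN" "$DEMO_LIVE" "$DEMO_PERSIST"
```

After the reset the extra passwd entry and the dropped script are gone while the user's notes survive, and the drift report is empty. The demo tree is left under the temporary directory for inspection. On a real host the "golden" side would be a snapshot or read-only image rather than a directory copy, and the persist list deserves the same scrutiny as any allow-list: every path on it is a place an attacker can live across the reset.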

No, it doesn’t solve every problem but it could provide another layer of security.  And, in the end, it is layers of security that solve our security problems.

Immediately Locate Your Java Assets 

Late last year I wrote Log4jFinder, a shell script that demonstrates one way to locate your Java assets. Read below to understand how to use this tool in conjunction with Splunk to instantly locate all instances of a Java JAR file in your enterprise.