Checking your endpoints with Stethoscope
Health Screen
While researching online recently, clicking from one security blog to another, I stumbled across a tool developed by Netflix called Stethoscope. Stethoscope is a sophisticated open-source security tool discussed in their blog [1] that is designed to assist with securing user devices.
The premise of Stethoscope is to keep corporate organizations safe by helping to mitigate the risk of security breaches. For businesses, successfully attacking users is the "…primary mechanism leading to security incidents and data breaches." Those devices that speak back to other devices present on an infrastructure are usually called "endpoints." Examples of endpoints include laptops, thin clients, smartphones, tablets, and Internet of Things (IoT) devices, but a server could also qualify as an endpoint. Securing endpoint devices usually requires significant forethought regarding policies and compliance.
Stethoscope is a web-based application. Its raison d'être is to capture lots of interesting information about a device and then report back in a clear and concise manner. The hope is that, by giving users the information they need to make informed decisions about changes to their devices, it will improve the security posture across several infrastructure layers. And, by educating users, the organization will benefit as a whole as the users adopt safer practices and bear increased responsibility. Mitigating the most popular attacks, such as phishing attacks, is the key concern.
In this article, I'll get the Stethoscope application up and running and show you how to ingest data from lots of devices. I will then look at some sample data to see what you could expect when you've connected different types of devices. Stethoscope can pull endpoint data from a number of different device information and management systems, including Jamf [2], LANDESK [3], Google's G Suite Mobile Management [4], and bitFit [5].
Herd Immunity
One of the most impressive aspects of Netflix's Stethoscope is that, when it displays its findings, it generously provides detailed recommendations about how to remediate any discovered issues. This effort to raise the general level of expertise for end users leads to a kind of herd immunity. Clearly there's no single solution that will protect all Internet-facing devices. Table 1 shows some of the important security considerations that receive attention from Stethoscope.
Table 1
Stethoscope Security Checks
Category | Description |
---|---|
Disk Encryption | If the device is lost or stolen, does it need an encryption key to open up its storage? |
Firewalling | How does the ingress and egress network traffic get filtered? Is there protection in place? |
Automated Patching | Does a user have to manually update the software for applications and the Operating System? Hopefully not in most cases. |
Operating System Patching | Is vendor patching being performed in a timely manner? |
Idle Screen Locking | Children, cats, and colleagues shouldn't be able to use your device if you walk away from it briefly. |
Test Rooted Devices | Has the vendor operating system been replaced? Does that mean the inherent protections are no longer being used effectively? |
Installed Security Tooling | Is there anti-malware/anti-virus software running? Is a firewall running correctly? |
Checkup
The Stethoscope front end uses React to display the output from a Python back end. The lightweight champion of web servers, NGINX, is then responsible for serving static content and also connecting into the back end when needed.
In this example, I'll use Docker Compose [6] to fire up the clever Stethoscope. On my Linux Mint (Tara) laptop, which sits atop Ubuntu Linux 18.04, I already have Docker CE installed (instructions for installing Docker CE are online [7]). I'll use Apt and take the package manager route, as shown in this command, to install Docker Compose:
$ apt install docker-compose
Now, I'll clone the repository from GitHub [8] and then enter the directory.
$ cd stethoscope
Next, run Docker Compose and ask it to use the configuration in the provided config file. Be warned that this command begins a process that will take a few minutes to complete:
$ docker-compose up
After some Docker-esque output, where container images are downloaded layer after layer and then extracted, you'll see lots of output. At the end of the process, there's also node-builder output offering some instructions of what you can try next. Listing 1 shows the heavily abbreviated output with the optional next steps.
Listing 1
Node-Builder Output
node-builder_1 | Creating an optimized production build...
node-builder_1 | Compiled successfully.
node-builder_1 |
node-builder_1 | File sizes after gzip:
node-builder_1 |
node-builder_1 |   87.66 KB  build/static/js/main.00139d52.js
node-builder_1 |   4.13 KB   build/static/css/main.f7935686.css
node-builder_1 |
node-builder_1 | The project was built assuming it is hosted at the server root.
node-builder_1 | To override this, specify the homepage in your package.json.
node-builder_1 | For example, add this to build it for GitHub Pages:
node-builder_1 |
node-builder_1 |   "homepage": "http://myname.github.io/myapp",
node-builder_1 |
node-builder_1 | The build folder is ready to be deployed.
node-builder_1 | You may also serve it locally with a static server:
node-builder_1 |
node-builder_1 |   npm install -g pushstate-server
node-builder_1 |   pushstate-server build
node-builder_1 |   open http://localhost:9000
node-builder_1 |
node-builder_1 | npm info lifecycle stethoscope-react@0.1.0~postbuildonly: stethoscope-react@0.1.0
node-builder_1 | npm info ok
stethoscope_node-builder_1 exited with code 0
The docs say that if you get stuck at the Docker Compose stage, you probably need a Docker Compose version higher than 1.10. Purge the current version before installing a newer one:
$ apt purge docker-compose
Once you have successfully installed NGINX and Stethoscope, visit the URL http://localhost:5000 to see if everything is working (Figure 1).
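As an added example (my own shell script, not code from the article or from the Stethoscope project), here are the bring-up steps above wrapped in a script that first checks the Docker Compose version against the 1.10 threshold and then polls the front end on port 5000 until NGINX answers. The script name stethoscope-up.sh, the 180-second timeout, and the STETHOSCOPE_URL variable are my own choices.

```shell
#!/bin/sh
# Added example, not code from the article or the Stethoscope project: gate on
# the Docker Compose version the article warns about (must be above 1.10),
# bring the stack up detached, then poll the NGINX front end on port 5000.
set -eu

STETHOSCOPE_URL="${STETHOSCOPE_URL:-http://localhost:5000}"   # port used by the article

# Return 0 if a version banner ("docker-compose version 1.25.5, build ..." or
# "Docker Compose version v2.20.2") names a release newer than 1.10.
compose_version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[Dd]ocker[- ][Cc]ompose version v\{0,1\}\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1                  # unrecognised banner: treat as too old
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 10 ]; }
}

# Poll the front end until NGINX answers, giving up after $1 seconds.
wait_for_stethoscope() {
    deadline=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        curl -fsS -o /dev/null "$STETHOSCOPE_URL" && return 0
        sleep 5
    done
    return 1
}

# Run from the cloned stethoscope directory: sh stethoscope-up.sh up
stethoscope_up() {
    if ! compose_version_ok "$(docker-compose --version)"; then
        echo "docker-compose is too old; apt purge it and install a release above 1.10" >&2
        return 1
    fi
    docker-compose up -d                       # detached, unlike the foreground run above
    if wait_for_stethoscope 180; then
        echo "Stethoscope is answering at $STETHOSCOPE_URL"
    else
        echo "No answer from $STETHOSCOPE_URL; inspect 'docker-compose logs'" >&2
        return 1
    fi
}

if [ "${1:-}" = "up" ]; then
    stethoscope_up
fi
```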
A Sample
If you hook the surgically-precise Stethoscope up with a device-management solution, such as Jamf for Apple devices, you will see a display similar to Figure 2.
The display includes a healthy mix of devices, proving that Stethoscope is indeed close to being vendor-agnostic. Figure 2 shows entries for Apple tablets, Apple phones, and an Android device.
When I click on the Android device, I see the output in Figure 3.
Figure 4 shows more information, this time from a MacBook, and you also gain a little more insight into how Netflix's endpoints are protected against malware.
Jamf and LANDESK are just two of the ways to integrate many devices at once with Stethoscope. Netflix also provides an app to test Apple and Windows devices directly [9].