MIG: Investigate 1,000 endpoints in 10s
Description
Investigate 1,000 endpoints in 10s with MIG
Mozilla operates thousands of servers that support Firefox and Firefox OS, and provide functionalities to more than 300 millions users. Systems are often heterogenous, are catered to the needs of particular services, and are hosted in various locations around the world. A few years ago, the number of systems Mozilla operates outgrew the capabilities of existing forensics and endpoints security tools. Being able to inspect an entire infrastructure in real-time is the the dream of any security investigator, and we simply could not achieve that with our tooling. The MIG project was started to provide better visibility across the organization, and to remodel the traditional approach to forensics (manually retrieving and analyzing data from systems) that had become impractical in Mozilla’s heterogenous environments.
MIG is a distributed platform composed of agents deployed across Mozilla’s servers. The agents provide investigators with remote access to the file system, network and memory of endpoints. MIG is massively parallelized. It can run targeted searches on thousands of endpoints in as short as ten seconds, while allowing for larger scans that take hours to complete. The architecture of MIG is cross-platform and modular. Entirely written in Go, agents can run on Windows, MacOS and Linux. Capabilities can be added via modules that are compiled and shipped with the agents. During the talk, we will discuss how the use of Go simplifies the architecture of MIG, and helps build security tools with minimal cpu and memory footprint.
MIG belongs to the growing field of distributed digital forensics, akin to Google’s Rapid Response, Akamai’s Query and Facebook’s osquery. MIG takes an approach to investigation that does not rely on retrieving and storing large amounts of data from endpoints, but instead focuses on interrogating endpoints locally via distributed agents. By limiting the amount of data retrieving from endpoints, we reduce MIG’s operating cost, have a stronger respect for data confidentiality, and ensure that a platform breach would not expose terabytes of confidential forensics data to the world. Security is a first-class citizen in MIG. We guarantee access control by requiring investigators to sign all actions with their PGP keys. Agents verify signatures prior to running actions locally. MIG is built to withstand a takeover of its platform without compromising the security of Mozilla’s servers.
This talk will introduce MIG, the problems it solves, its design goals, capabilities, and security model. We will present its use on thousands of servers at Mozilla. The audience will learn how indicators of compromise can be searched across thousands of systems within seconds. During the talk, attendees will be given elements to install and operate MIG in their own environments. If permitted, the talk will include a live demo on Mozilla’s infrastructure.
Website | Github
Julien Vehent
Julien manages the CloudSec team and is responsible for the security of Firefox’s backend services (Firefox accounts, Sync, addons.mozilla.org, Push, Hello, …). Mozilla CloudSec consults with developers and operations teams on risks and security, and builds security tools for the infrastructure. Julien is the author of the Mozilla Server Side TLS guidelines, Cipherscan, Mozilla InvestiGator (MIG), SOPS and many smaller tools to help DevOps integrate security in the organization.
