She’s a Keeper! Keeper Security presents at Security Field Day 7.

I never thought I’d leave you, 1Password…

Password managers aren’t a new technology. Arguably the Excel 97 spreadsheet in your corporate file share labelled DefinitelyNotPasswords.xls was an early form of password manager (but only if it was password-protected). The architecture behind them hasn’t really evolved much over the years; they’ve just moved away from being flat files of all your most coveted secrets, protected by yet another code word or phrase, into nicely presented applications or cloud solutions that simply scramble your bucket of passwords with some fancy encryption algorithm.

There are different storage models, each with their own pros and cons. Storing the passwords locally means they aren’t sitting in the cloud on someone else’s infrastructure, but it also means that if your device is compromised, those passwords could be compromised as well. Store the passwords in the cloud, and, well, they’re in the cloud, on hardware you don’t own or manage, and what happens when you lose communication to that infrastructure? You might not be able to update your vault. What happens in case of a breach? Has all of your data been exposed? There are certainly examples of this happening, as well as vulnerabilities in local versions of various password managers.

Ultimately there is no silver bullet, no perfect solution that is going to be completely impervious to a code vulnerability, a hack, or poor infrastructure security. Still, having a properly organized password manager, regardless of which model you choose, is better than not having one at all.

This week at Security Field Day 7, I was introduced to Keeper. I’d heard of them before but hadn’t really dug into their product very much as I had chosen and settled into a password manager quite a few years ago, and truthfully had no complaints, and no reason to look elsewhere. I’ve been a 1Password user for several years, and even brought 1Password to my employer where we’ve adopted the enterprise version.

What stood out the most for me with the presentation from Keeper was that it seemed to be the first password manager that was purpose-built from the ground up to be an enterprise-grade security tool. Many of today’s popular subscription-based password managers, 1Password included, evolved from a free product aimed at consumers. That doesn’t mean they’re not secure, but their features were developed with the consumer in mind first, not the enterprise. Some of the more enterprise-y features they have now may seem to have been tacked on as an afterthought, or simply to check off a box that might get the product adopted in the enterprise.

Zero-Knowledge and Zero-Trust

Keeper takes the security of customer data very seriously, as they should, but their discussion around encryption and the methods used to protect and store password and secret data was next level. Keeper has absolutely no knowledge of a user’s master password or stored passwords/secrets, as the keys to encrypt and decrypt this data are stored only on the user’s device. The data in your vault isn’t protected with a single key pair either: every single record in the vault is encrypted with its own keys, and those keys are in turn wrapped in another key if the record is contained in a shared folder.
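To make that key hierarchy concrete, here is an added example in Go (my own illustration, not Keeper’s code and not a description of their implementation) of envelope encryption: each record is sealed under its own AES-256-GCM key, that key is wrapped under a folder key, and the folder key is wrapped under a key that stays on the device. The `Record`, `Folder`, `AddRecord` and `OpenVault` names, the AAD labels, and the choice of AES-GCM are my assumptions; deriving the device key from the master password is left out, and the sample secret is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one vault entry: the secret sealed under its own key, and that key wrapped under the folder key.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedKey []byte
}

// Folder groups records; its key is wrapped under the device-held key, so a server holds only ciphertext.
type Folder struct {
	Name       string
	WrappedKey []byte
	Records    []Record
}

// randBytes returns n cryptographically random bytes (used for keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext and binds aad; output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; it fails if the key, aad or ciphertext were altered.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// AddRecord seals secret under a fresh record key and wraps that key under folderKey; the ID is bound as AAD.
func AddRecord(f *Folder, folderKey []byte, id string, secret []byte) {
	rk := randBytes(32)
	f.Records = append(f.Records, Record{
		ID:         id,
		Ciphertext: seal(rk, secret, []byte("record:"+id)),
		WrappedKey: seal(folderKey, rk, []byte("record-key:"+id)),
	})
}

// OpenVault unwraps folder key -> record keys -> secrets; without deviceKey nothing in the Folder is readable.
func OpenVault(deviceKey []byte, f Folder) (map[string][]byte, error) {
	fk, err := unseal(deviceKey, f.WrappedKey, []byte("folder:"+f.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap folder key: %w", err)
	}
	out := make(map[string][]byte, len(f.Records))
	for _, r := range f.Records {
		rk, err := unseal(fk, r.WrappedKey, []byte("record-key:"+r.ID))
		if err != nil {
			return nil, fmt.Errorf("unwrap key for %s: %w", r.ID, err)
		}
		pt, err := unseal(rk, r.Ciphertext, []byte("record:"+r.ID))
		if err != nil {
			return nil, fmt.Errorf("decrypt %s: %w", r.ID, err)
		}
		out[r.ID] = pt
	}
	return out, nil
}

func main() {
	deviceKey := randBytes(32) // assumption: derived from the master password on the device and never sent anywhere
	fk := randBytes(32)        // folder key; it is only ever stored wrapped under deviceKey
	f := Folder{Name: "Shared-IT", WrappedKey: seal(deviceKey, fk, []byte("folder:Shared-IT"))}
	AddRecord(&f, fk, "vpn", []byte("constructed-sample-secret"))
	secrets, err := OpenVault(deviceKey, f)
	fmt.Println(string(secrets["vpn"]), err)
}
```

Because every ciphertext is authenticated with its record ID as associated data, swapping two records’ ciphertexts on the server fails to decrypt, and a wrong device key fails at the very first unwrap rather than producing garbage.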

Their credentials are solid, and they are the only FIPS 140-2 validated password manager that I am aware of.

If you’re really into the nerdy side of encryption, check out all the details here.

“Keeper is the most secure, certified, tested and audited password security platform in the world. We are the only SOC2 and ISO27001 certified password management solution in the industry and Privacy Shield Compliant with the U.S. Department of Commerce’s EU-U.S. Privacy Shield program, meeting the European Commission’s Directive on Data Protection.”

Authentication and 2FA

The list of features they support is exhaustive, from SSO support via SAML 2.0 with any identity provider you can think of, to biometric support that includes Windows Hello, TouchID, FaceID, and Android. All of these options use their Zero Knowledge model, which completely protects your information in flight during the authentication process.

Two-Factor Authentication enforcement is available, along with Role-Based Access Control. Keeper supports all popular 2FA methods with your authenticator of choice, including Google Authenticator, Microsoft Authenticator, Duo, RSA, or FIDO2 keys like YubiKey. They even have their own integration with wearable technology like Apple Watch and Android Wear devices through KeeperDNA.

Even better, you can use Keeper for all your 2FA codes and stop juggling 3-4 different apps for your TOTP/OTP-supported logins.

Unfortunately, they also support SMS for 2FA, which I’d personally like to see more products completely remove as an option. This is likely my only complaint about Keeper but I understand it’s an option some people insist on using.


With credential stuffing and spraying attacks on the rise, it is vital that passwords can be checked against known breached passwords. Keeper offers a feature called BreachWatch for checking vault information against known breached information on the Dark Web. You will be alerted to change a known breached password if there is a match.
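As an added illustration (not Keeper’s BreachWatch code, whose internals the presentation did not cover) of how a vault can be audited against a breached-password corpus without handing over the passwords themselves: the client hashes each password, sends only a short hash prefix, and compares the returned suffixes locally. The corpus, its counts and the vault contents are constructed for the demo, and `BreachService`, `CheckPassword` and `AuditVault` are my names.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// hashHex returns the uppercase hex SHA-1 of a password, the form that
// breached-password corpora are commonly indexed on.
func hashHex(pw string) string {
	sum := sha1.Sum([]byte(pw))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BreachService stands in for the lookup side: it stores only hashes with a
// breach count and answers a 5-character prefix query.
type BreachService struct {
	counts map[string]int // full hash -> times seen in breach dumps
}

// NewBreachService builds a constructed corpus from sample plaintexts for the
// demo; a real service ingests hashes from breach dumps, never plaintext.
func NewBreachService(seen map[string]int) *BreachService {
	s := &BreachService{counts: map[string]int{}}
	for pw, n := range seen {
		s.counts[hashHex(pw)] = n
	}
	return s
}

// Range returns "SUFFIX:COUNT" lines for every stored hash that starts with
// prefix, so the caller learns nothing beyond that prefix's bucket.
func (s *BreachService) Range(prefix string) []string {
	var out []string
	for h, n := range s.counts {
		if strings.HasPrefix(h, prefix) {
			out = append(out, fmt.Sprintf("%s:%d", h[len(prefix):], n))
		}
	}
	return out
}

// CheckPassword is the client side: it sends only the first 5 hex characters
// of the hash and compares suffixes locally, so neither the password nor its
// full hash leaves the client.
func CheckPassword(s *BreachService, pw string) (breached bool, count int) {
	h := hashHex(pw)
	prefix, suffix := h[:5], h[5:]
	for _, line := range s.Range(prefix) {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && parts[0] == suffix {
			fmt.Sscanf(parts[1], "%d", &count)
			return true, count
		}
	}
	return false, 0
}

// AuditVault runs the check over a map of record ID -> password and returns
// the IDs whose password appears in the corpus, sorted for stable output.
func AuditVault(s *BreachService, vault map[string]string) []string {
	var hits []string
	for id, pw := range vault {
		if breached, _ := CheckPassword(s, pw); breached {
			hits = append(hits, id)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed corpus and vault; the breach counts are invented for the demo.
	svc := NewBreachService(map[string]int{"password123": 123456, "qwerty": 50000, "letmein": 900})
	vault := map[string]string{"mail": "qwerty", "vpn": "Zq7!vRm2#pLw9@tX", "wifi": "letmein"}
	for _, id := range AuditVault(svc, vault) {
		_, n := CheckPassword(svc, vault[id])
		fmt.Printf("record %q: password seen %d times in breaches, change it\n", id, n)
	}
}
```

The prefix query is the important part: a 5-character prefix covers a bucket of many unrelated hashes, so the lookup service cannot tell which one the client was actually checking.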

Hard to Switch, but…

The list of features Keeper offers goes on. If you can think of it, they likely already have it, and if not, they’re working on it.

If you take your credential security seriously, you’re using a password manager, and 2FA wherever you can. Once you’ve gotten yourself into a particular product like this, it can be a daunting task to switch to a new one. I myself have over 1200 items in my 1Password vaults, and thus far I’ve had no compelling reason to think about migrating my secrets to another platform. Until now.

Keeper’s presentation at Security Field Day 7 truly has me considering signing up for a trial at the very least.

Check out their presentation over at Tech Field Day.

Rapid Incident Response with PathSolutions Security Operations Manager – Security Field Day 3

As I delve further and further into “all things security” along my career path, it has become clear to me that one of the key skills a good Security Professional must have is the ability to filter out noise, and focus on identifying the critical pieces of information that require action, while safely being able to ignore the rest. Modern security tools, whether they are Firewalls, IDS/IPS, Proxies, Web Application Firewalls, Content Filters, etc. all collect, report, and alert on a lot of information. It can be overwhelming, and this is especially true for smaller, flatter IT teams that perhaps don’t have a dedicated Security Operations Center (SOC), or even an actual Security Team. Quite often, the “Security Team” is one person, and that person may also fill the role of Network Administrator, Server Administrator, or any number of other roles that some larger IT teams might have distributed across several individuals.

In these situations, having a tool or process that can consolidate the data and help with filtering and focusing on the important pieces is key to avoiding information paralysis – the idea of having too much information to really be able to act on any of it in a meaningful way. This is SIEM – Security Information and Event Management. Now, I’ve found SIEM can be used interchangeably as a noun, when referring to a specific tool that performs this function, or as a verb, when describing the act of processing the data from multiple sources into actionable information. In either case, the end result is what matters most: the ability to gather data from multiple sources and render it down to something useful and actionable.

This week at Security Field Day 3, I was fortunate to participate in a fantastic conversation with PathSolutions CTO Tim Titus, as he presented TotalView Security Operations Manager and its capabilities as a SecOps tool that can greatly improve awareness and response time to security events within your network.

60 Second Decisions

Investigating alerts can be tedious and can take up a lot of time, only to find out in many cases that the alert was benign and doesn’t require intervention. TotalView Security Operations Manager is a security orchestration, automation, and response (SOAR) product designed to optimize event response, reduce wasted time on false positives, and provide a faster path to quarantine and remediation.

Immediately upon an indication of suspicious activity, the Security Operations Manager dashboard provides almost instant details for the potentially compromised asset: the switch and port it is connected to, what it is (operating system, manufacturer), who is logged into it, what security groups/access they have, what Indicators of Compromise (IoC) are detected, what destination(s) this asset is talking to on or outside the network, and whether any of these locations could be a known malicious or C&C (Command and Control) destination. With that information presented, the option to quickly quarantine the asset is offered, and it is as simple as shutting down the switch port with the click of a button. All of this information is sourced natively, with no installed agents and no need for SPAN ports or network taps. It is all done through NetFlow, SNMP, and WMI (Windows Management Instrumentation).

In roughly 60 seconds, enough information is presented to enable you to make a swift, informed decision on what action to take, saving countless minutes or hours of correlating information from disparate tools or infrastructure in order to determine if there is in fact a problem. Should this end user workstation suddenly start talking to a known bad IP in North Korea? Probably not! Shut it down.


TotalView Security Operations Manager doesn’t stop there, and Tim walked us through an in-depth demo of their solution.

Device Vulnerability Reporting

It would be almost too easy to insert a Buzz Lightyear meme captioned with “Vulnerabilities. Vulnerabilities everywhere…” because it’s true. Just a few days ago (as of this writing), Microsoft’s Patch Tuesday saw the release of 111 fixes for various vulnerabilities, the third largest in Microsoft’s history. Keeping up with patches and software updates for any size of network can be a daunting task, and more often than not there is simply not enough time to patch absolutely everything. We must pick and choose what gets patched by evaluating risk, and triaging updates based on highest risk or exposure.


TotalView Security Operations Manager is able to provide constant monitoring of all of your network assets for operating system or device vulnerabilities by referencing NIST’s National Vulnerability Database (NVD) every 24 hours, identifying those with a known vulnerability, and allowing you to dig deeper into the CVE to assist with risk assessment.

Communications Monitoring and Geographic Risk Profiling

Do you know which of your devices are talking to each other? Do you know where in the world your devices are sending data? These are both questions that can sometimes be difficult to answer without some baseline understanding of all of the traffic across your network. With Communications Policy Monitoring and Alerting, Security Operations Manager is able to trigger an alert when a device starts communicating with another device that it shouldn’t be talking to, based on policies you define.

The Geographic Risk profiling looks at where your devices are communicating globally, presented in an easy-to-understand map view, quickly showing if and when you may have an asset that is sending data somewhere it shouldn’t. The Chord View within the dashboard breaks out the number of flows by country, which presents a nice quick visual, giving you an idea of what percentage of your data is flowing to appropriate vs. questionable destinations.
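Added example, not PathSolutions code: a minimal policy check over flow records plus a bytes-per-country breakdown, the two calculations behind the communications alerting and the per-country view described above. The device roles, policy, geo table and flow records are all constructed; `CheckPolicy`, `BytesByCountry` and `ipIn` are my names. It also flags a source device that has no assigned role, which is the same situation new-device discovery is meant to surface.

```go
package main

import (
	"fmt"
	"net"
)

// Flow is a minimal flow record of the kind a NetFlow or sFlow export yields.
type Flow struct {
	Src, Dst string
	DstPort  int
	Bytes    int
}

// ipIn reports whether ip lies inside cidr. A malformed CIDR or IP counts as
// no match, so a broken policy entry fails closed (it alerts) rather than open.
func ipIn(ip, cidr string) bool {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return false
	}
	return n.Contains(net.ParseIP(ip))
}

// CheckPolicy returns one alert per flow whose source device has no role or
// whose destination is outside the networks that role is allowed to reach.
func CheckPolicy(flows []Flow, roles map[string]string, policy map[string][]string) []string {
	var alerts []string
	for _, f := range flows {
		role, ok := roles[f.Src]
		if !ok {
			alerts = append(alerts, fmt.Sprintf("unclassified device %s -> %s:%d", f.Src, f.Dst, f.DstPort))
			continue
		}
		allowed := false
		for _, cidr := range policy[role] {
			if ipIn(f.Dst, cidr) {
				allowed = true
				break
			}
		}
		if !allowed {
			alerts = append(alerts, fmt.Sprintf("%s (%s) -> %s:%d violates policy", f.Src, role, f.Dst, f.DstPort))
		}
	}
	return alerts
}

// BytesByCountry returns the percentage of bytes sent to each destination
// country. geo maps CIDR -> country label; its prefixes must not overlap.
func BytesByCountry(flows []Flow, geo map[string]string) map[string]float64 {
	byCountry, total := map[string]int{}, 0
	for _, f := range flows {
		country := "Unknown"
		for cidr, c := range geo {
			if ipIn(f.Dst, cidr) {
				country = c
				break
			}
		}
		byCountry[country] += f.Bytes
		total += f.Bytes
	}
	pct := map[string]float64{}
	if total == 0 {
		return pct // no flows seen: avoid dividing by zero
	}
	for c, b := range byCountry {
		pct[c] = float64(b) * 100 / float64(total)
	}
	return pct
}

// Constructed sample data: device roles, a policy, a geo table and five flows.
var (
	sampleRoles  = map[string]string{"10.0.1.25": "workstation", "10.0.3.5": "printer", "10.0.2.10": "server"}
	samplePolicy = map[string][]string{
		"workstation": {"10.0.2.0/24", "203.0.113.0/24"}, // server VLAN plus an approved SaaS range
		"printer":     {"10.0.2.0/24"},                   // print servers only, never the internet
		"server":      {"10.0.0.0/8"},
	}
	sampleGeo   = map[string]string{"10.0.0.0/8": "Internal", "203.0.113.0/24": "US", "198.51.100.0/24": "KP"}
	sampleFlows = []Flow{
		{"10.0.1.25", "10.0.2.10", 443, 1000},   // workstation -> server: allowed
		{"10.0.1.25", "10.0.1.30", 445, 500},    // workstation -> workstation: alert
		{"10.0.3.5", "198.51.100.7", 443, 2000}, // printer -> internet: alert
		{"10.0.1.25", "203.0.113.9", 443, 6000}, // workstation -> approved SaaS: allowed
		{"10.0.9.77", "10.0.2.10", 22, 500},     // device with no role: alert
	}
)

func main() {
	for _, a := range CheckPolicy(sampleFlows, sampleRoles, samplePolicy) {
		fmt.Println("ALERT:", a)
	}
	for c, p := range BytesByCountry(sampleFlows, sampleGeo) {
		fmt.Printf("%-9s %5.1f%%\n", c, p)
	}
}
```

On the sample data this raises three alerts (the workstation-to-workstation flow, the printer reaching the internet, and the unclassified device) and reports 20% of bytes staying internal, 60% going to the approved SaaS range and 20% to the questionable destination.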


New Device Discovery and Interrogation

Not everyone has a full Network Access Control (NAC) system in place. Let’s be honest, they’re not simple to set up, and they can often be responsible for locking legitimate devices out of the network at inconvenient times. Without NAC, network operators are often blind to new devices being connected. With Security Operations Manager, in the event that new devices are connected, they are discovered and interrogated to find out what they are and what they are communicating with. This gives tremendous flexibility to monitor random items being connected, and makes it simple to decide how they should be treated.


Rapid Deployment

Touting a 30 minute deployment, with only a single 80MB Windows VM required, this seems too good to be true, right? Maybe. There are some dependencies here that, if not already in place, will require some groundwork to get all of the right information flowing to the tool. As Tim mentions, there is no requirement for agents to be installed or for taps; instead, all of the data is sourced natively via SNMP, NetFlow and WMI. This means all you need to provide the Security Operations Manager VM is SNMP access to all of your routers, switches, firewalls, gateways, etc., as well as access to the NetFlow data, and WMI credentials for your Windows environment. Setting all of that up, if it’s not already in place, will take some planning and time. It’s especially important to ensure that SNMP is set up correctly and securely. Here, the ability of Security Operations Manager to gather 100% of the data from your network relies on you having correctly configured and prepared 100% of your devices for these protocols.

Final Thoughts

Every so often I will come away from a product presentation and really feel like it’s a product that was meant for me, or other folks who find themselves on smaller teams but still managing decent-sized infrastructure. IT teams tend to run slim, and the prevalence of automation, and the need for it have justified some of the lower staffing ratios seen throughout the industry. Less so in large enterprise, but in mid-size or smaller enterprise networks, tools like Security Operations Manager help reduce the noise, and expedite decision making when it comes to monitoring and identifying problematic or compromised devices within the network.

PathSolutions have evolved what began as a tool for network administrators, and added insights for voice/telecom administrators, into a product that now takes all of the data they were already collecting from all of your infrastructure, and boils it down to something quickly parsed and understood by security administrators. Even better if you happen to fill all three of those roles on your infrastructure team.

It’s surprisingly simple, lightweight, and very quick to get up and running. I’m looking forward to diving deeper into Security Operations Manager’s sandbox myself, and invite you to as well.

Check out the full presentation and demo from Security Field Day 3.

Also, feel free to take a look at the PathSolutions Sandbox to try it yourself.

Nerdy Bullets

– All written in C/C++
– Backend storage is SQLite
– 13 months data retention (default) – but can be scaled, or descaled based on specific needs
– Data cleanup is done via SQL scripts, and can be customized based on your retention needs
– API integration with some firewall vendors (Palo Alto, as an example) to poll detailed data where SNMP is lacking
– Integrated NMAP to scan devices on the fly
– IP geolocation db updated every 24 hours
– Flow support – NetFlow, sFlow, and (soon) JFlow
– Security intelligence feeds from Firehall