In the Wake of SIGRed, is Good-Enough DDI Still Good Enough?

The collective reaction to the Microsoft DNS vulnerability dubbed “SIGRed” hasn’t seemed to be one of shock while many scrambled to apply the security patch released on July 14th. What does that tell us?

Let’s put this vulnerability into perspective. All software products have problems. BIND 9 is also subject to security vulnerabilities, for which ISC released patches in May. It follows that the reactions I’ve observed from IT teams fall into two categories. Among those who find the patch easy to apply (often, at smaller organizations), it’s business as usual. Vulnerabilities like this are par for the course.

However, among those who anticipate difficulty applying the patch (for the most part, large, complex organizations), the reaction is one of dread. DDI experts understand all too well that given a complex enough network, applying any sort of updates is an imperfect science. Not to mention, a nightmare to coordinate.

Most of those needing to apply the security patch, after all, are relying on the sort of DDI that is a combination of disparate DNS, DHCP, and IP address management (IPAM) tools, versus a best-of-breed platform that encompasses all three. The difference is that best-of-breed natively unifies all three services using single-purpose components (i.e. DNS servers that don’t also run AD domain controllers). This allows for a simpler, more flexible, more securable, validated source of truth.

The question SIGRed ought to prompt for large, complex organizations is whether the choice to rely on the former is still valid.

Running a business is a game of resource allocation. It’s why many organizations have chosen to use the DNS that comes with Windows Server. Stitching together components of DDI like Microsoft DNS, Microsoft DHCP, Active Directory, and IP address spreadsheets appears free, since there’s no additional charge beyond the OS you’ve already licensed.

Small organizations can still get away with using these so-called “free” solutions like Microsoft DNS in conjunction with other products and some elbow grease. If you aren’t very large or complex, it’s straightforward to manage and monitor a DIY DDI. Therefore, it’s ‘good-enough’.

Grown-up network opportunity costs

However, thanks to exploding network complexity, the opportunity costs of ‘good-enough’ DDI are growing for large, complex organizations. What you save in upfront and subscription costs for a best-of-breed solution, you pay for in roadblocks to automation, time-consuming manual processes, avoidable manual errors, barriers to innovation, messy update processes, and service outages. So, why is DDI still an area of corner-cutting?

Difficult-decision hot potato

On paper, upgrading to enterprise-grade DDI seems like an unnecessary expense. There’s no comparable line item for the costs of decentralized control, frequent manual errors, lack of visibility, and bottlenecks to innovation. That’s one reason upgrading from good-enough DDI is so unfavorable among CFOs. The initial investment required is often a significant capital expenditure hit, and not everybody’s comfortable with that in the short term. It’s easier to pass the buck to the next CFO.

Also, migrating off of a solution that’s been in place for years, if not decades, is like performing open heart surgery on the surgeon. Most IT leaders are rightly anxious at the prospect of getting it wrong. Many more are finding ways to patch the holes on the sinking ship long enough to reach retirement. The next guy can deal with it, right?

SIGRed makes clear that the time for DDI re-evaluation is now

Cloud adoption has changed, as have security threats and expectations for service and innovation by all sorts of stakeholders. To help organizations adapt, critical services like DDI need to be centrally manageable.

Valuable DDI data should be easy to share across all groups in charge of network health and security. Your DDI should also easily integrate with adjacent systems and solutions.

Large, complex organizations can’t meet these requirements using good-enough solutions like Microsoft DNS, no matter how many resources they pour into it. The fallout from SIGRed, rated a 10 out 10 for severity, should have made that clear, but that’s just one example.

While no budget is infinite and no team’s capacity is endless, the need for purpose-built DDI is becoming ever more pressing. IT, operations, and even finance leaders are due for a re-think of whether good-enough DDI is really good enough.


Dana Iskoldski is the Corporate Communications Manager for BlueCat, and producer of the Network Disrupted podcast.


What’s Hot on Infosecurity Magazine?