Somewhere Over the Spreadsheet

Two years ago I was standing in front of a group of security geeks in Santa Barbara for BSides LA talking about the sophisticated tools that most network engineers use — like “ping” and “traceroute” and even Excel — and about how the broad range of tools available typically didn’t get used in the primordial jungle of our enterprise networks. Recently, Wired concurred, outlining the widespread use of spreadsheets for a broad range of business functions.

It is embarrassingly common for us to find the majority of network management information in spreadsheets. Lists of devices, lists of firewall rules, hierarchies of networks. All laid out in nicely formatted tabs within multiple spreadsheet workbooks, often stored in SharePoint or Google Docs. But, always, devoid of context and the real meaning of the elements.

This isn’t to say that there isn’t a place for spreadsheets, of course, but I would challenge you to think through how you are using them and whether or not they are giving you the information you need to know, rather than believe, what your network is really doing.

For example, a couple years ago I was visiting a major retailer as they were working through their PCI audit. They presented the auditor with an annotated spreadsheet containing all of the firewall rules within their infrastructure. The auditor, for his part, recognized that evaluating firewall rules out of context masks the reality of the way a network operates, and asked to review the PCI zones using RedSeal. The insights for the organization and the auditor were rapid and clear, and the organization was able to take steps to improve their overall security as a result.

So, although spreadsheets are valuable for building lists of the “stuff” that makes up your environment, they are no substitute for automation that can show you and tell you what you don’t know you don’t know. What do you keep in spreadsheets? What do you wish your spreadsheets could tell you? What’s the strangest experience you’ve had with spreadsheets?

JIE-READY STEP 4: Develop artifacts for IA and ATO

The design and implementation phases of JRSS and JIE will, very likely, receive a significant amount of scrutiny from Information Assurance (IA) to ensure that numerous standards and guidelines are followed. The goal of this scrutiny is to obtain an Authorization to Operate (ATO). There are many different components of the IA process and developing artifacts to support the ATO effort. RedSeal will provide some unique analysis artifacts that without RedSeal would be extremely cumbersome and time-consuming to obtain. At a high level these items include STIG checking for devices, segment access validation, validation of configuration against standard or gold build, and logical zone compliance.

RedSeal’s model of the network will allow for faster artifact development and the development of these artifacts BEFORE deployment. The RedSeal platform has the capability to combine any components of the model (hosts, devices, subnets, etc.) into logical groups. These are referred to as zones (sometimes also called segments or enclaves). Because RedSeal understands all the access in the network, the platform is capable of presenting and measuring all access into and out of the zone and between all other zones or the network at large. It is also possible to write business or policy decisions against those access paths and track those decisions for compliance purposes. This RedSeal use case will assist JRSS and JIE with meeting or exceeding the Department of Defense Ports, Protocols, and Services Management (PPSM) guidelines. These guidelines will be applied to the Joint Regional Security Stack (JRSS) and the components that comprise the stack.
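The idea of measuring zone-to-zone access and checking it against policy decisions can be sketched in a few lines. This is an added illustration, not RedSeal's implementation and not part of the original post; the zone names, port sets and policy table are constructed sample data, and the model assumes a flow is permitted end to end only when every device on the path passes the same TCP port.

```python
from collections import deque

# Constructed sample model: each entry is one filtering device between two
# zones and the TCP ports it passes in that direction (hypothetical names).
EDGES = {
    ("internet", "dmz"): {80, 443},
    ("dmz", "app"): {443, 8443},
    ("app", "cardholder"): {1433, 22},
    ("dmz", "mgmt"): {22},
    ("mgmt", "cardholder"): {22, 3389},
}

# Constructed policy decisions: ports approved between each pair of zones.
POLICY = {
    ("internet", "dmz"): {80, 443},
    ("dmz", "app"): {443, 8443},
    ("app", "cardholder"): {1433},
    ("dmz", "mgmt"): {22},
    ("mgmt", "cardholder"): {22},
}

def end_to_end_access(edges):
    """Return {(src, dst): ports} for every zone pair joined by a path on
    which every device permits the same port (routed flow, no pivoting)."""
    access = {}
    zones = {z for pair in edges for z in pair}
    for port in set().union(*edges.values()):
        # Adjacency restricted to the devices that pass this port.
        adj = {}
        for (a, b), allowed in edges.items():
            if port in allowed:
                adj.setdefault(a, []).append(b)
        for src in zones:
            seen, queue = {src}, deque([src])
            while queue:
                for nxt in adj.get(queue.popleft(), []):
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
                        access.setdefault((src, nxt), set()).add(port)
    return access

def violations(access, policy):
    """Access the model permits that no policy decision approves."""
    return {pair: ports - policy.get(pair, set())
            for pair, ports in access.items()
            if ports - policy.get(pair, set())}

if __name__ == "__main__":
    for (src, dst), ports in sorted(violations(end_to_end_access(EDGES), POLICY).items()):
        print(f"{src} -> {dst}: unapproved ports {sorted(ports)}")
```

Two of the four findings (internet to app on 443, dmz to cardholder on 22) exist only as the composition of rules on separate devices, which is why a per-device rule list does not reveal them.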

Assessing network access by logically zoning or grouping is one piece of the puzzle. RedSeal will also be assessing the components of the JRSS for compliance with other standards of configuration as mentioned earlier, such as STIGs and gold builds. These device level checks are somewhat customizable as well. Certain components of STIGs require modification to meet the environment, and RedSeal allows for that customization within STIG specific checks. It also allows for full customization or creation of device-level checks in the event a new verification check is needed. Within the RedSeal platform, not only is the security of the network analyzed, the security of the component stack providing the security services is analyzed and verified as well.

The Department of Defense has already begun building JRSS and assessing legacy networks. Understanding that legacy infrastructure, ensuring it is effective and efficient, assessing security and meeting compliance during design and migration and beyond, are critical steps. Are you ready for JIE? RedSeal Networks is.

JPMorgan hackers altered, deleted bank records, says report

CNET | Aug 28, 2014

Investigation into attack on JPMorgan Chase may have expanded to seven of the world’s top banks, amid a report that hackers altered records.

“Getting access to bank records is uncommon but not unheard for hackers, who often change computer logs to cover their tracks but can’t always get to more sensitive data,” said RedSeal cybersecurity expert Robert Capps.

JIE-READY STEP 3: Visualize before migration

The phase between design and implementation for JRSS and JIE is critical. During this phase the most important thing is to have full visibility of the entire JIE infrastructure, even before it is migrated. RedSeal provides the bridge mechanism needed during this critical assessment phase.

Visualization can lead to deeper understanding of the current behavior of segmentation and the effectiveness of controlling access to these segments or enclaves, which in turn helps in reducing redundancy and increasing efficacy.

 

Visualization, identification and measurement allow you to identify and measure all the avenues of access, understanding them visually and through technical reports. RedSeal provides identification and measurement that are not restricted to live networks or devices. The model can be created using proposed configurations or design considerations and present what the network and controls will look like before deployment or in between deployment and cut over. This distinct capability will provide the bridge mechanism needed during critical assessment phases between design and implementation for JRSS and JIE.

Another benefit of the RedSeal network model is faster artifact development, as we will discuss in the next post.

Data Breach-stricken UPS Unaware of PoS Malware for months

| Aug 22, 2014

Just as news of one large point of sale (SuperValu) hack begins to recede, another pops up to reclaim the headlines. This time the victim is shipping giant United Parcel Service (UPS), which has confirmed a long-running data breach at 51 of its UPS Stores, across 24 states.

“This shows that sophistication of IT isn’t an inoculation against a breach,” said Steve Hultquist, chief evangelist at RedSeal Networks. “The combination of complexity and continuous change–including both growth and technological advancement–mean that it’s virtually impossible to be aware of all the potential paths of attack.”

Another Day, Another Breach

On Wednesday, August 20th, UPS announced that a breach may have compromised customer data during up to 105,000 transactions between January and August. While UPS is to be commended for coming forward so quickly, this breach underscores the truth that organizations with highly sophisticated and advanced capabilities in information technology aren’t inoculated against breaches. It is easy to think that organizations that are breached must not be focused on their technology or current in their capabilities. This breach shows us how very wrong that thinking is. In fact, just last month, Fortune wrote an article about how challenging UPS’s analysis must be, and how they solve it with technology.

Ultimately, this is a lesson to every organization that the combination of complexity and continuous change–including planned and organic growth of technology deployed and the inexorable advancement of technology–means that it’s virtually impossible to even be aware of all the potential paths of attack, much less be able to protect against them. Gone are the days of having sufficient understanding of the network in the heads of one or two people, allowing fast and accurate analysis and countermeasures.

Unfortunately, today no human being can possibly know what the network is capable of allowing to happen.

It is critical for all enterprises to deploy not only reactive security analysis such as IDS/IPS, but also to use a cyberattack prevention system to analyze their entire network as it is actually implemented, to expose all potential paths and to provide guidance in plugging inappropriate holes. Otherwise, we will continue to see more and more breaches, with broader and more devastating impact. Enterprises must take action by using cyberattack prevention to avoid being the next casualties.

Big Data Overwhelms Security Teams

eSecurity Planet | Aug 20, 2014

A major contributing factor in many recent data breaches has been the fact that many IT security teams are simply overwhelmed by the volume of data they’re handling.

Mike Lloyd, CTO of RedSeal Networks, said that kind of data provides IT security teams with a serious challenge. “I don’t meet any security teams these days that say, ‘You know, what I lack is data,'” he said. “In fact, we’re drowning in data. The problem is turning that data into facts you can use.”

JIE-READY STEP 2: Defense in depth

Defense in depth is a term and idea that is not new to the information technology world. A classic implementation at the network level of defense in depth is segmentation, or building enclaves. In certain cases, segmentation was taken to an extreme level, resulting in massive decentralization of computing environments. Unfortunately this decentralization does not remove the need for these segments or enclaves to communicate with other information assets. Thus the segments or enclaves are connected to the network from which they may have originally been divested. This does not mean that security controls restricting or monitoring access to these enclaves were removed. What it does mean is that there is a very high likelihood of major redundancy implemented while attempting to secure or control these segments.

The RedSeal model can be leveraged to not only identify these redundancies visually, but to also identify the efficacy of these controls by measuring access across and through the entire network. Investigating one segment of the network and the control mechanisms related to the segment is not sufficient. The network must be measured as a whole operating entity or system to effectively identify all possible access and points of control. Through these means, RedSeal will be providing another unique benefit to JRSS and enhancing the preparedness for JIE.

Understanding the current behavior of segmentation and the effectiveness of controlling access to these segments or enclaves will assist with reducing redundancy in the current operational system while increasing efficacy. There may be too many rules in a firewall, creating overly restrictive access and operational drag on the system. There may be too many routers providing similar or identical access to systems, between systems, or across network boundaries. Perhaps there are too many layers of load balancing performing additional address translations and VIP presentations that are not only difficult to manage but not really providing any more security. RedSeal will identify and measure all the avenues of access and represent them visually and via a myriad of reporting techniques in technical depth.

Our next blog will discuss Step 3 – Visualization before Migration.

Supervalu Discloses a Data Breach

New York Times | Aug 15, 2014

“This looks much the same as the attack that impacted Target last year,” said Steve Hultquist, an executive at RedSeal Networks, a security firm. “These breaches continue to demonstrate the sophistication of the attackers and the reward they receive being worth the investment they make in their attacks.”

Tennessee Electric Sues Bank Over Cyber-Heist

InfoSecurity Magazine | Aug 14, 2014

Tennessee Electric Company (TEC Industrial) is suing its bank, TriSummit, after falling victim to a $327,000 cyber-heist. The attackers likely used password-stealing malware, and then logged in to the bank using TEC credentials to siphon the funds.

“This action underscores the increasing focus on responsibility for maintaining end-to-end security for customers,” said Steve Hultquist, chief evangelist at RedSeal Networks, in a comment to Infosecurity.